WAN and Internet redundancy

I have a design that needs to be implemented as below.
We have a new site with one Internet link and one WAN link, with one router for Internet and one router for WAN, and two Cisco ASAs with the FirePOWER software module.
The customer requests redundancy between the two routers, so if the WAN router goes down the site will have access to HQ through the Internet, and if the Internet router goes down the site will access the Internet through HQ. So the Internet router will be primary for Internet and backup for WAN and Voice GW; the WAN router will be primary for WAN and Voice GW and backup for Internet (accessed from HQ).
Ayman Roy asked:

You do not describe how the ASA should be used - are they inside the routers? I assume so.

So, first you need to create an IPSEC (or GRE tunnel) from the Internet router to the HQ.
Next you need to set up the routing.

The routing design will also depend on the topology at the HQ: whether the WAN and IPSEC links terminate on the same HQ router or on different routers.

Generally though, I suggest setting up OSPF between the two routers; over the WAN links; and through the IPSEC tunnel. If there are two routers at the HQ you also need to have OSPF between those. (Any other routing protocol would do, like BGP, RIP, etc., if that is preferred.)

Now, by tuning the OSPF cost over the IPSEC link, you can get traffic in both directions (HQ->Branch and Branch->HQ) to prefer the WAN link, and only use the IPSEC link/tunnel when the WAN link is not available.

For Internet access, you should get HQ to also advertise a default route in OSPF over the WAN link, and in addition your Internet router should have a default route to the Internet, with a metric so that it is preferred over the one from HQ.

Your Internet router should probably have some monitoring of the ISP it is connected to. You can use the IP SLA feature of IOS, which effectively will keep a static default route in the routing table as long as the ISP is up. Next you "distribute" that static default route into OSPF on the Internet router.

You can put the two ASAs in a cluster, with all users behind it.
I am not sure if it supports OSPF. If not, just use a static route to a VRRP IP (or HSRP IP) that you have configured between the Internet router and the WAN router.
Ensure that the network (perhaps a /29) between the routers and the ASAs is included in OSPF (typically as a "passive interface"), so that it is advertised to the HQ.
My older ASA supports OSPF, so your new ones should too.
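
The Internet-router side of the design described above, as an added IOS configuration example that is not from this thread (the addresses, interface names and object names are constructed): an IP SLA probe keeps a tracked static default in the table while the ISP answers, `default-information originate` injects that default into OSPF only while the static exists (in IOS, `redistribute static` does not carry a default route), the GRE-over-IPsec tunnel to HQ gets a high OSPF cost so the WAN link is preferred, and HSRP on the router/ASA /29 gives the ASA a single next hop.

```cisco
! --- Site Internet router (IOS), added example with constructed addresses ---
! ISP next hop 203.0.113.1, HQ tunnel peer 198.51.100.1,
! router/ASA transit 10.10.10.0/29, GRE tunnel 172.16.0.0/30.
!
interface GigabitEthernet0/0
 description ISP uplink
 ip address 203.0.113.2 255.255.255.252
!
! 1. Probe the ISP. Probing only the next hop misses upstream failures;
!    a host further out (e.g. an HQ public address) is a better target.
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
 delay down 30 up 60
!
! 2. Tracked static routes: both vanish when the probe fails, so neither the
!    default nor the tunnel peer is ever reached through the WAN by accident.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 198.51.100.1 255.255.255.255 203.0.113.1 track 1
!
! 3. IPsec protection for the GRE tunnel. IKEv1 with a pre-shared key is shown
!    for brevity; PLACEHOLDER-PSK is a placeholder, not a real key.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.1
crypto ipsec transform-set HQ-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile HQ-IPSEC
 set transform-set HQ-TS
!
! 4. Tunnel to HQ with a deliberately high OSPF cost. Set the same cost on
!    the HQ end so HQ->branch traffic also prefers the WAN link.
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 ip ospf cost 1000
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile HQ-IPSEC
!
! 5. Transit /29 toward the ASA pair. The HSRP VIP 10.10.10.1 is the ASA's
!    static next hop; the priority drops with track 1 so the WAN router
!    takes over the VIP when the ISP is down.
interface GigabitEthernet0/1
 description Transit to ASA pair and WAN router
 ip address 10.10.10.2 255.255.255.248
 standby 1 ip 10.10.10.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 1 decrement 20
!
! 6. OSPF: tunnel and transit network in area 0, transit network passive so
!    the ASAs only see the prefix, default injected only while it exists
!    locally. HQ's own default (assumed here to use a higher metric) is the
!    fallback on the WAN router.
router ospf 1
 router-id 10.10.10.2
 network 10.10.10.0 0.0.0.7 area 0
 network 172.16.0.0 0.0.0.3 area 0
 passive-interface GigabitEthernet0/1
 default-information originate metric 10
```

Two things to check after applying this: `show track 1` and `show ip route` on both routers during a simulated ISP failure (shut the probe target, not the interface, to test the SLA path), and the hairpin on the /29. With the ASA pointing at the VIP, traffic for HQ enters the Internet router and is sent back across the same /29 to the WAN router; that is correct routing, but it doubles the load on that segment, which is one reason the thread later considers running OSPF on the ASA instead.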

I assume the ASAs are clustered, but why do that if the routers are not highly available? Each router can be used for both Internet and WAN traffic by logically segmenting them into virtual routers using VRF.
Ayman Roy (Author) commented:
The ASA will be in routed mode, with an inside zone for users who need to access the HQ resources and the Internet.
Now I have three interfaces in the ASA: one for inside, one for WAN and one for Internet.
The ASA will work as A/S failover.
Sounds OK.

If you do NAT on the ASA you just need to include the outside network in OSPF (as I originally described).

If you do not NAT, you will also need to include the inside networks in OSPF, either as static routes on the routers (redistributed into OSPF) or by running OSPF on the ASA too.
Ayman Roy (Author) commented:
So Internet will be outside and WAN will be in a DMZ, and I just configure the dynamic routing protocol.
In that case you need to run OSPF on the ASA.

Alternatively, without DMZ you can have just outside connected to a /27 subnet with both the ASA-cluster and the two routers.
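
The ASA side of the DMZ variant (OSPF on the ASA, active/standby failover, no NAT toward HQ), as an added ASA configuration example that is not from this thread; the interface names, addresses and the failover link are constructed, and the ASA OSPF `network` statements use a subnet mask rather than the IOS wildcard.

```cisco
! --- ASA active/standby pair, routed mode, added example with constructed addresses ---
! outside transit 10.10.10.0/29 (Internet router side),
! wan transit 10.10.20.0/29 (WAN router side), inside users 192.168.10.0/24.
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.10.10.4 255.255.255.248 standby 10.10.10.5
!
interface GigabitEthernet0/1
 nameif wan
 security-level 50
 ip address 10.10.20.4 255.255.255.248 standby 10.10.20.5
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
! Failover pair (primary unit shown; the secondary uses "failover lan unit secondary").
! Using the same link for failover and state keeps the example short; a
! dedicated state link is preferable where ports allow.
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
!
! OSPF on both transit networks. The inside prefix is advertised (needed
! because HQ reaches it without NAT) but no adjacency is formed there.
! HQ prefixes arrive via wan at normal cost and via outside at the tunnel
! cost, so the ASA itself picks the WAN path while it is up.
router ospf 1
 router-id 10.10.10.4
 network 10.10.10.0 255.255.255.248 area 0
 network 10.10.20.0 255.255.255.248 area 0
 network 192.168.10.0 255.255.255.0 area 0
 passive-interface inside
 log-adj-changes
!
! Stateful caveat: when a better route returns (WAN link restored), existing
! connections keep their old egress interface until this timeout expires;
! the default of 0 disables the check, which leaves flows on the backup path.
timeout floating-conn 0:01:00
```

Anything HQ initiates toward the site (voice signalling from the HQ gateway, management) arrives on `wan` at security-level 50 or, during a WAN outage, on `outside` at level 0, so it needs an explicit access-list on both interfaces; inside-initiated traffic is allowed toward either lower-security interface by default.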
Ayman Roy (Author) commented:
In this case I should use a switch between the two routers and the ASA.
Bro, do you have any example of such a design?
I believe that to cluster the ASAs you would need a switch anyway...
So in this case, you just need a switch with 4 ports, to connect the 2 ASA and 2 routers.

Now, if you want redundancy also on the switch - you need two switches; to ensure at least one ASA has connectivity to one router, in case one switch dies. You would also connect the two switches together, so that all 4 routers/ASA can talk to each other when everything is up.
Ayman Roy (Author) commented:
Bro, I attached the topology; please check whether it is OK or needs modification.
I cannot see any attachment...
Ayman Roy (Author) commented:
Bro, I attached the topology; please check whether it is OK or needs modification.
On the outside (PC2) you possibly cannot use LACP, unless you set up the two switches as a stack (virtual chassis).

Also, the VPN tunnel will be from the internet router to some router at the HQ, so it would make sense to include HQ routers for the sake of clarity.
Ayman Roy (Author) commented:
Bro, so the connectivity will be as in the attached file.
