DNS Failover - What's the recommended hardware path on our end? Would this work?

We currently have a fairly simple setup: we have ONE public Web Server IP. Our in/out path is ISP line to our Cisco ASA/Firewall to our Host Server. We use static IPs from the ISP. Our objective is to achieve highly reliable access to our Web server.

We are looking at solutions such as DNSMadeEasy + DNS Failover.

Would the following plan work?
1) We'll acquire a new ISP #2 service as backup for our ISP #1 service.
2) We'll acquire a new switch. On site at our location we'll plug the two lines from ISP #1 and ISP #2 into the new switch.
3) Run a single line from this new switch into our existing Cisco ASA router, and add configuration rules to the Cisco for the new source IP addresses to mirror the rules already there for NAT, port forwarding, etc.

Any recommendations would be appreciated!
Asked by: JReam


Mahesh (Architect) commented:
You need to publish two entries for your web server in public DNS pointing to the two public IPs (2 ISPs) and keep the TTL low (e.g. 1 min). This setup will then work on DNS round robin; if the primary link goes down, after one minute the secondary IP will take over.
kevinhsieh commented:
I typed all this up before on my phone and it didn't post. :-(

Quick rundown. I did the same thing with ASA. Connect the new ISP to the external switch. I used a NAT router from the ISP (cable company). The inside of the NAT router was on the same IP subnet as your public IP from the first ISP. I.e., if your network from ISP is 13.200.148.224/29, your gateway could be 13.200.148.225, your ASA might be 13.200.148.226, the web server 13.200.148.227, and the NAT router could be 13.200.148.230.

Set up the ASA to use reliable static routing to the first ISP. Look it up. Most examples are for Cisco IOS routers, but it also works with ASA. Put in a floating static route to the secondary ISP, 13.200.148.230. A floating static route is a route with a lower priority. It won't be in the routing table unless the first ISP goes offline and that route gets withdrawn.

Set up static NAT on the secondary ISP to point one of those IP addresses to the public IP of your web server. Use that as the failover IP in DNS Made Easy.

When you use this setup, the ASA only needs the reliable static routing and the floating static route set up. No NAT or ACL changes are needed.

Your web server will only be available on the IP address of the working ISP. There is no way to have both ISPs active at the same time for the web server. TCP doesn't allow it without a load balancer in front, which is a whole new level of complication.

Mahesh (Architect) commented:
Ideally speaking you should have a NAT rule on the external firewall which has two public IPs pointing to a single private IP, with reduced TTL.
kevinhsieh commented:
You can't have two different IPs NAT to the same private IP. ASA won't let you do it. How would the ASA even know which public IP to use when the web server makes an outbound session?
Mahesh (Architect) commented:
I am not a firewall expert;
however, I have seen setups where two public IPs are actively NATted to a single private IP.
For outbound connections the firewall should be able to see the inbound public IP out of the two and should make the connection, and that setup never faces any outbound connectivity issue.
If a specific firewall has an issue with 2-IP NAT, then you can have two private IPs on the web server and from there build a single NAT per public IP, with reduced TTL value.
Blue Street Tech (Last Knight) commented:
Hi JReam,

If you upgrade to a SonicWALL you can easily achieve this with one security appliance and DNSMadeEasy. In the SonicWALL you simply plug both WAN connections into two ports; then you can set up LB (Load Balancing) a number of different ways and also incorporate PEPBR (Probe-Enabled Policy Based Routing), so that if/when WAN1 (Primary WAN) fails all traffic is automatically routed to WAN2, and once WAN1 is back online it receives all or some of the traffic depending on how the LB is configured. Then on the Public DNS side you can set up DNS Fail-over via ANAME records for the web server, so that the domain (for example, web.yourdomain.com) is behind the scenes auto-detecting/probing each WAN IP; in the event one fails, users will never know - they won't have to change addresses or IPs, etc.

This will provide complete ISP failover from the Public DNS to the Firewall.

This way you don't need to buy a new switch. All you do is buy a SonicWALL, which has far better security than an ASA anyway, and you don't need to set up all the static routes and NAT policies, etc. The Wizard will handle everything for you. This simplifies your architecture while enhancing its security and functionality. I'd put the Web Server in the LAN and run an RPS (Reverse Proxy Server) in the DMZ for better security and LB capabilities.

Let me know if you have any questions with what I proposed.
noci (Software Engineer) commented:
I am not sure about ASA; to do this on ASA you need a dynamic default route.

Like said, SonicWALL, but also Zywall can handle this.

IP routing can't handle two default GWs at the same time reliably... so one needs to be used and a switch needs to occur on link down.
So this means you need DYNAMIC routing. When not using BGP + some privately owned public IP network (+ AS number) you also need to update DNS when the link switch occurs.
The latter can be arranged if a DYNDNS service is used; mostly that is with names like blahblah.dynalias.com, which can be pointed to with a CNAME.
Then the switch will take a minute or so to materialize (TTL of DNS). Obviously you will need an update service for dynalias on your webserver (the most logical place). dynalias will take the source IP of an authenticated login as the translation for a name.
kevinhsieh commented:
Reliable static routing is an alternative to dynamic routing. Reliable static routing can also be more reliable than dynamic routing, as your ISP may give you a default route via DHCP/BGP/OSPF, but that doesn't guarantee that they aren't broken somewhere upstream. Reliable static routing allows you to check anywhere on the internet to determine connectivity before making the determination that the route is valid.

I make no assertions about the ease of use or security of ASA vs Sonicwall vs Zywall. I do assert that a small switch along with basic SOHO NAT router and some routing changes on ASA is a smaller change than switching firewall platforms.

Here is the code needed to work on the ASA. I am using the IP addresses from my example above.

! force the IP SLA check out the primary ISP to see if it is up
route Outside 4.2.2.2 255.255.255.255 13.200.148.225 1
! sets default route to primary ISP if 4.2.2.2 is up (installed only while track 1 reports reachable)
route Outside 0.0.0.0 0.0.0.0 13.200.148.225 10 track 1
! floating default route to secondary ISP (higher distance, used only when the tracked route is withdrawn)
route Outside 0.0.0.0 0.0.0.0 13.200.148.230 250

! IP SLA setup to see if the route out the primary ISP is good
sla monitor 1
 type echo protocol ipIcmpEcho 4.2.2.2 interface Outside
 num-packets 3
 timeout 1000
 threshold 1000
 frequency 5
sla monitor schedule 1 life forever start-time now

! tracking object that the "track 1" route refers to; the route is withdrawn when the SLA reports unreachable
track 1 rtr 1 reachability

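As an added illustration (not code from the thread, from Cisco or from DNS Made Easy), a small offline Python model of the reliable-static-routing decision in kevinhsieh's snippet and the DNS answer that follows from it; the injected `probe` function and the ISP 2 failover address 203.0.113.10 are assumptions, everything else uses the thread's own example addresses.

```python
# Offline model of the tracked default route + floating route from the ASA
# snippet above, and the public IP DNS should answer with in each state.
from dataclasses import dataclass
from typing import Callable, Dict, Optional

PROBE_TARGET = "4.2.2.2"          # sla monitor 1 echoes this via the primary ISP
PRIMARY_GW = "13.200.148.225"     # ISP 1 gateway, distance 10, tied to track 1
SECONDARY_GW = "13.200.148.230"   # NAT router toward ISP 2, floating route, distance 250
WEB_PRIMARY_IP = "13.200.148.227" # web server's public IP on ISP 1
WEB_FAILOVER_IP = "203.0.113.10"  # constructed placeholder: ISP 2 address static-NATted to the web server

@dataclass(frozen=True)
class StaticRoute:
    gateway: str
    distance: int
    track: Optional[int] = None   # route stays installed only while this track is up

DEFAULT_ROUTES = (
    StaticRoute(PRIMARY_GW, 10, track=1),
    StaticRoute(SECONDARY_GW, 250),
)

def sla_echo_up(probe: Callable[[str, float], bool],
                num_packets: int = 3, timeout_ms: int = 1000) -> bool:
    """Model of 'type echo ... num-packets 3 / timeout 1000': up when at least one
    echo answers within the timeout. `probe` is injected (assumption) so no network is touched."""
    return any(probe(PROBE_TARGET, timeout_ms / 1000.0) for _ in range(num_packets))

def active_default_gateway(track_state: Dict[int, bool]) -> str:
    """'track 1 rtr 1 reachability': a tracked route is withdrawn while its track is
    down; among the installed default routes the lowest administrative distance wins."""
    installed = [r for r in DEFAULT_ROUTES
                 if r.track is None or track_state.get(r.track, False)]
    return min(installed, key=lambda r: r.distance).gateway

def evaluate(probe: Callable[[str, float], bool]) -> Dict[str, str]:
    """One monitor cycle: run the SLA probe, derive the track state, pick the
    default gateway, and report which public IP DNS should currently answer with."""
    track_state = {1: sla_echo_up(probe)}
    gateway = active_default_gateway(track_state)
    web_ip = WEB_PRIMARY_IP if gateway == PRIMARY_GW else WEB_FAILOVER_IP
    return {"track1": "up" if track_state[1] else "down",
            "gateway": gateway, "dns_answer": web_ip}

if __name__ == "__main__":
    # Constructed probes: ISP 1 healthy vs. ISP 1 dead.
    print(evaluate(lambda target, timeout: True))
    print(evaluate(lambda target, timeout: False))
```

With the primary link healthy the model keeps 13.200.148.225 as default gateway and 13.200.148.227 as the DNS answer; once all three echoes fail, the tracked route drops out and both flip to the ISP 2 side.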

JReam (Author) commented:
Thanks everyone. We're still trying to figure out the best approach. We're also looking at a co-location (2 sites) with Hyper-V Replica, giving us high reliability with redundant ISPs & city power sources, still using DNSMadeEasy.
Benjamin Van Ditmars (Sr Network Engineer) commented:
When you're going to do this, ask your provider(s) to do BGP. Much easier, and perfect failover.
JReam (Author) commented:
Thank you for your replies!