Two Cisco ASA 5525-X as Internet Gateways without Layer 2

Tags: cisco-asa, ecmp

Add another reason to hate NAT to the list. I'm bringing up two Internet egress points in our corporate network. The edge devices will be ASA 5525-X firewalls. Traditionally you would put these into some sort of cluster, but this requires L2 connectivity. Since these devices will be in separate parts of my network, L2 connectivity is not an easy option.

My current running solution is to bring them both up as independent firewalls and advertise a default route from each. Any ECMP should have the same hash for each flow and push it towards the "correct" egress firewall.

My questions are these:

  1. Is there a way to cluster two ASAs without needing a L2 link?
  2. I want a second/third/hundred pair of eyes on my current solution assuming "No" is the answer to #1.

Best Answer

I think you have two options:

  1. Designate one Internet circuit as the primary and the other as failover
  2. Implement "NAT outside" (public space) routing between the sites with the firewalls

The first option ensures traffic is always going through either one firewall or the other so that NAT doesn't break.

The second option allows you to load balance across both circuits: One equal-cost default route from each circuit, with your local public prefix(es) advertised out both circuits. (This option ignores how connectivity between the sites is accomplished.)
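The difference between the two options comes down to where a reply packet lands relative to where the NAT state lives. The following is an added toy model, not part of the original answer and not ASA configuration: it assumes each firewall translates to one public address it owns, that the inside routers pick an egress firewall by hashing the 5-tuple, and that a reply from the Internet may arrive on either circuit once the public prefix is advertised out both. Firewall names, addresses (RFC 5737 documentation ranges) and the flow are constructed.

```python
"""Toy model of two independent stateful-NAT firewalls behind ECMP.

Constructed example for the answer above; it is not Cisco code or ASA
configuration. Assumptions: each firewall NATs to one public address it
owns, inside routers pick an egress firewall per flow by hashing the
5-tuple, and a reply from the Internet may arrive on either circuit when
the public prefix is advertised out both.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        """The reply direction of this flow."""
        return Flow(self.dst, self.dport, self.src, self.sport)


@dataclass(eq=False)
class Firewall:
    name: str
    public_ip: str
    xlate: dict = field(default_factory=dict)   # (pub_ip, pub_port) -> inside Flow
    next_port: int = 10000

    def outbound(self, flow):
        """Translate an inside->Internet flow and record NAT state."""
        pub_port = self.next_port
        self.next_port += 1
        self.xlate[(self.public_ip, pub_port)] = flow
        return Flow(self.public_ip, pub_port, flow.dst, flow.dport)

    def inbound(self, reply):
        """Reply from the Internet: untranslate if state exists, else drop (None)."""
        return self.xlate.get((reply.dst, reply.dport))


def ecmp_pick(flow, firewalls):
    """Inside routers' equal-cost default routes: hash the 5-tuple to one egress."""
    key = f"{flow.src}:{flow.sport}->{flow.dst}:{flow.dport}".encode()
    idx = int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % len(firewalls)
    return firewalls[idx]


def primary_pick(flow, firewalls):
    """Option 1: one circuit is primary, so every flow egresses firewalls[0]."""
    return firewalls[0]


def owner_of(public_ip, firewalls):
    """Which firewall owns a given public NAT address."""
    return next(fw for fw in firewalls if fw.public_ip == public_ip)


def same_circuit(egress, firewalls):
    """Reply returns on the circuit it left on (prefix advertised only there)."""
    return egress


def other_circuit(egress, firewalls):
    """Reply returns on the other circuit (prefix advertised out both)."""
    return next(fw for fw in firewalls if fw is not egress)


def run_flow(flow, firewalls, pick, reply_lands_on, outside_routing):
    """Return True if the reply reaches the firewall that holds the NAT state.

    pick            - egress selection (ecmp_pick or primary_pick)
    reply_lands_on  - which firewall's circuit the Internet returns the reply to
    outside_routing - Option 2: public space is routed between the sites, so a
                      reply landing at the wrong firewall is forwarded on the
                      outside to the address owner instead of being dropped
    """
    egress = pick(flow, firewalls)
    reply = egress.outbound(flow).reverse()
    landing = reply_lands_on(egress, firewalls)
    if landing is not egress and outside_routing:
        landing = owner_of(reply.dst, firewalls)
    return landing.inbound(reply) == flow


def new_site():
    """Two independent firewalls with constructed public addresses."""
    return [Firewall("asa-site-a", "198.51.100.1"), Firewall("asa-site-b", "203.0.113.1")]


if __name__ == "__main__":
    f = Flow("10.1.2.3", 51000, "192.0.2.10", 443)
    print("ECMP, reply on other circuit, no outside routing:",
          run_flow(f, new_site(), ecmp_pick, other_circuit, False))   # False
    print("ECMP, reply on other circuit, outside routing (option 2):",
          run_flow(f, new_site(), ecmp_pick, other_circuit, True))    # True
    print("primary/failover (option 1):",
          run_flow(f, new_site(), primary_pick, same_circuit, False))  # True
```

The first case is the failure the question worries about: a stateful firewall that never saw the outbound packet has no translation for the reply and drops it. Routing public space between the sites (option 2) fixes that by getting the reply to the owner of the translated address; designating a primary circuit (option 1) avoids the situation entirely by keeping both directions on one firewall.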