Cisco – Failover ASA configuration using a Cisco 3750 switch as the router

Tags: cisco, cisco-asa, networking, routing

We are trying to set up a failover ASA configuration at a colo who is only providing us with one network drop. Given that with one network drop, we are not able to completely eliminate all single points of failure, it was our hope to still be able to use the failover ASA config that we had initially envisioned.

We do not have a router at the colo, as we were hoping to use our 3750 switch infrastructure to do the routing for us.

The network provided by the colo looks something like this (obviously these are not publicly routed IPs, but this is an example):

  • Customer IP: 10.100.200.202/30
  • Provider Router: 10.100.200.201/30
  • Customer Routed Block: 192.168.200.0/27

In addition to that, we also have a point to point back to our primary site, which is delivering layer 2 connectivity.

In our initial design, we had envisioned that the 3750 would be the router for all of our devices, which is to say that everything at the colo would use a Cisco 3750 as its default gateway. The 3750 would decide if the traffic was internal (i.e. locally switched), point to point (i.e. switched back to the main office), or external (routed out).

The issue that we hit was that we wanted all of our externally routed packets to be sent through the firewall for the purpose of filtering. Once these packets left the firewall, they would be routed out through the OB connection, which would send them back to the 3750 (over a different VLAN) from whence they had originated, and then out the colo connection.

What a configuration like this would allow us to do would be to configure 2 of our routed IPs (192.168.200.1 and 192.168.200.2) on each of the ASAs for the failover. The 3750, to the extent that it is acting as our edge router, would have our colo provided customer IP (10.100.200.202) and would also represent our single point of failure.

The issue that we hit, as we started to draw out the traffic path decision tree was that we essentially needed the 3750 to have 2 default routes, one for traffic coming in from the internal network — default route to the firewall — and one for the traffic coming in from the ASA — default route out the colo provider connection.

Is there any way to accomplish failover ASAs using publicly routed IPs using a single Cisco 3750 as the only path out of the ASA? I know I could do it all with a router (which would become my SPOF), but I don't have one handy, and I'm not extremely keen on purchasing one.

Best Answer

I've been writing up a (very) long answer, but I suddenly realized that it would eat away your entire allocated subnet in routing networks.

May I ask why you're not doing this?:

Colo <----> ASA <----> 3750 <--(L2 link)--> Office

Even if you have to connect the ASA via the 3750 because of fibre conversion - it doesn't matter. This is a line-speed switch, the latency is nearly impossible to notice.

Edit: Why do you want the 3750 as a router? You only have one network.
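A worked configuration of the topology in this answer (ASA pair in front, 3750 as a plain layer 2 switch), added here as an example and not the answerer's own config. The addresses are the ones from the question; interface names, the failover-link subnet 172.31.255.0/30 and the VLAN numbers are assumptions, and the outside interface shows the caveat that the provider /30 leaves no address for a standby IP.

```cisco
! ===== ASA primary unit (secondary differs only in "failover lan unit secondary") =====
interface GigabitEthernet0/0
 description Colo drop (via 3750 VLAN 900 if fibre conversion is needed)
 nameif outside
 security-level 0
 ! The provider /30 has no spare address, so outside gets no standby IP:
 ! the standby unit is unaddressed on this link until it becomes active.
 ip address 10.100.200.202 255.255.255.252
 no shutdown
interface GigabitEthernet0/1
 description Inside (VLAN 200 on the 3750); hosts use .1 as gateway, it moves on failover
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.224 standby 192.168.200.2
 no shutdown
interface GigabitEthernet0/3
 description Failover link (assumed: directly cabled between the two ASAs)
 no shutdown
! One default route only: everything non-local leaves via the provider router.
route outside 0.0.0.0 0.0.0.0 10.100.200.201 1
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 172.31.255.1 255.255.255.252 standby 172.31.255.2
failover key SHARED-SECRET-PLACEHOLDER
! ===== 3750: pure layer 2, so the "two default routes" problem never arises =====
no ip routing
vlan 200
 name inside-192.168.200.0-27
vlan 900
 name colo-transit-10.100.200.200-30
interface range GigabitEthernet1/0/1 - 2
 description ASA primary/secondary inside
 switchport mode access
 switchport access vlan 200
interface range GigabitEthernet1/0/3 - 5
 description Colo drop + ASA primary/secondary outside
 switchport mode access
 switchport access vlan 900
interface GigabitEthernet1/0/24
 description L2 point-to-point to office
 switchport mode trunk
 switchport trunk allowed vlan 200
```

Check the result with `show failover` on the active unit (both interfaces should read Normal, the standby's outside will show no address) and `show vlan brief` on the 3750 to confirm the colo drop and the two outside ports sit alone in VLAN 900.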