Designing fully redundant secure DMZ question

0 Votes
Locked

paul.duffany
Hi,
I am tasked with designing an active/standby ASA environment.
For the security appliances and the dirty DMZ configuration I have what I believe to be a good design; however, for the secure DMZ I have challenges.

For instance, in a single DMZ connected to the active/standby appliances, how can I make that DMZ redundant? Cisco docs show two switches that are trunked together and connected to their respective firewalls; the servers are dual-homed with a connection to each DMZ switch.
However, if the switch connected to the active firewall fails, I see no way for the servers in the DMZ to remain in service.

What is the solution for a fully redundant DMZ?
  • 0 Votes
    robo_dev

    If the primary router/firewall loses its internal interface (e.g. if the switch failed), then it should fail over to the secondary router/firewall, which should have a valid internal interface route/connection. Failover should be triggered by failure of either the external or internal interfaces.

    http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a008009487d.shtml

    0 Votes
    Deadly Ernest

    When I did it, it required four routers/switches: two in parallel at each end of the DMZ, with a unit monitoring each end and ready to switch between them if something went wrong, and everything was duplicated within the zone but on two separate comms lines, one from each of the front-end routers/switches to the back-end routers/switches. The monitoring units checked that both sides were regularly updated as well. They probably do it all differently nowadays with special devices that do half of it for you. But I'm sure the basics are the same: design a DMZ and duplicate it. I have seen some where they only had one router/switch at each end.

    0 Votes
    paul.duffany

    I will lab the environment and let you know if the failure of the DMZ switch connected to the primary switch invokes failover to the standby unit.

    Thanks again,
    Paul

    0 Votes
    CG IT

    If an interface goes down, the router will update its routing table and then notify all neighbor routers of the failed interface. As long as there is another route to the same destination, all routers will use the new route. Thus you have redundancy [mesh topology]. STP on switches ensures there are no loops in the network, so when the interface goes down the switches are also aware, and the redundant link that STP blocked becomes unblocked. Note: convergence is going to make downtime a tad long for users, but ....

    0 Votes
    paul.duffany

    I found that the PIX does "watch" the DMZ interfaces and failover correctly when a DMZ switch goes down, providing thorough failover for this environment.

    Thank you for your assistance,
    Paul


    0 Votes
    chichoo85

    Hello Paul,

    I also want to carry out the same setup as what you have done. I will appreciate it if you can put me through achieving redundancy for the two DMZ switches: two ASA firewalls, the primary connected to one DMZ switch and the standby to the other switch, with both switches having trunk links. Please assist. The goal is to achieve seamless failover in case any of the firewalls goes down. Thank you.

    0 Votes
    -gargravarr-

    What about a pair of stacked 3750s (other stackable switches are available), with the same interface on each ASA going into the alternate switch.
    Failover clustering must be enabled on the ASA. "sh ver"
    Failover : Active/Active perpetual
    Both ASAs need to be running the same version of code.
    vlan for outside (untagged, no ip address)
    vlan for inside (untagged, no ip address)
    vlan for DMZ (untagged, no ip address)
    vlan for management
    You can specify which interfaces are "monitored" for failover with
    "no monitor-interface" <interface name>; in the example, "Unused".
    This host: primary - Active
    Interface DMZ : Normal (Monitored)
    Interface Unused: No Link (Not Monitored)
    Interface management : Normal (Monitored)
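As an added illustration of the interface-monitoring behaviour the thread converges on (the PIX/ASA failing over when a DMZ switch dies, and the monitor-interface lines in the post above), here is an Active/Standby failover configuration for the primary ASA. It is constructed for this thread and is not any poster's configuration; the interface names, the 192.0.2.0/24 DMZ addressing and the 10.255.255.0/30 failover link are assumed values.

```cisco
! Constructed example, primary unit of an Active/Standby pair (not from the thread)
! DMZ interface: the standby address is required, because interface
! monitoring works by exchanging hellos between active and standby addresses
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
 no shutdown
!
! Dedicated failover link between the two units (assumed port)
interface GigabitEthernet0/3
 description LAN failover and state link
 no shutdown
!
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
!
! Explicitly monitor the DMZ so loss of the DMZ switch counts as a failure;
! an unused port must not be monitored or it drags the unit's health down
monitor-interface dmz
no monitor-interface unused
!
! Fail over when a single monitored interface is down here but up on the peer
failover interface-policy 1
!
! Interface hello every 5 s; an interface is declared failed after 25 s
failover polltime interface 5 holdtime 25
```

The secondary unit needs the same failover lan, failover link and failover interface ip lines, with failover lan unit secondary instead of primary; everything else is replicated from the active unit. After both are up, show failover should list the DMZ as Normal (Monitored) on both units, as in the output quoted above. An interface that shows Not Monitored will never trigger failover however its switch behaves, which is the check to run before trusting the design in the original question.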
