
    ISP Failover with Cisco ASA

    IT Discussion
    cisco cisco asa firewall router networking isp failover
      Reid Cooper

      I have an older Cisco ASA at a site that is interested in possibly getting a second ISP after some downtime with the main line and we are wondering if the Cisco ASA can handle a failover line like that. I am pretty sure that it cannot do load balancing. But just failover seems like it would. Has anyone done this? Does it work? If so, does it work well?

        wrx7m

        Wouldn't you just need to use BGP?
        https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118050-config-bgp-00.html

          1337

          If it's something like ASA5505 or 5510 you can do WAN failover but you need the right license. Security+ I think.

            1337

            All ASA 5500 series are EOL though so I don't think you can (or should) upgrade the license on them.

              Reid Cooper @1337

              @Pete-S said in ISP Failover with Cisco ASA:

              All ASA 5500 series are EOL though so I don't think you can (or should) upgrade the license on them.

              Very good point. I'd love if this was the excuse to replace them.

                dbeato

                You can do so if they have Cisco ASDM version 7.x or up
                https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html

                  jt1001001

                  Use Peplink: https://www.peplink.com/products/balance/
                  Prior to others getting involved, we used a balance 380 in front of our ASA to provide WAN (Internet in our case) redundancy/failover. It did NOT require us to change external IP addresses and worked rather flawlessly. You could also use it to actually replace the ASA if said Crapco product is due for replacement.

                    scottalanmiller

                    A Ubiquiti will replace an ASA as well. For just failover, it works just fine. Both EdgeRouter and Unifi USG lines will do that.

                      wrx7m @scottalanmiller

                      @scottalanmiller said in ISP Failover with Cisco ASA:

                      A Ubiquiti will replace an ASA as well. For just failover, it works just fine. Both EdgeRouter and Unifi USG lines will do that.

                      For the savings, you could get 2 (and then some) and have redundancy there, as well.

                        scottalanmiller @wrx7m

                        @wrx7m said in ISP Failover with Cisco ASA:

                        @scottalanmiller said in ISP Failover with Cisco ASA:

                        A Ubiquiti will replace an ASA as well. For just failover, it works just fine. Both EdgeRouter and Unifi USG lines will do that.

                        For the savings, you could get 2 (and then some) and have redundancy there, as well.

                        Yeah, and way faster failover than waiting for Cisco to ship you parts or a tech.

                          wrx7m @jt1001001

                          @jt1001001 said in ISP Failover with Cisco ASA:

                          Use Peplink: https://www.peplink.com/products/balance/
                          Prior to others getting involved, we used a balance 380 in front of our ASA to provide WAN (Internet in our case) redundancy/failover. It did NOT require us to change external IP addresses and worked rather flawlessly. You could also use it to actually replace the ASA if said Crapco product is due for replacement.

                          I have always wanted to deploy peplink. I just can't get a decent and affordable backup WAN link at my location. We only got dedicated fiber here about 2 years ago.

                            dyasny @1337

                            @Pete-S said in ISP Failover with Cisco ASA:

                            All ASA 5500 series are EOL though so I don't think you can (or should) upgrade the license on them.

                            Those things are still rock solid though, and with the 5 figure prices on the newer series, plenty of businesses prefer not to upgrade

                              scottalanmiller @dyasny

                              @dyasny said in ISP Failover with Cisco ASA:

                              @Pete-S said in ISP Failover with Cisco ASA:

                              All ASA 5500 series are EOL though so I don't think you can (or should) upgrade the license on them.

                              Those things are still rock solid though, and with the 5 figure prices on the newer series, plenty of businesses prefer not to upgrade

                              Except "rock solid" compared to a few hundred dollars for more modern, faster gear from non-Cisco. Support for an ASA costs more than just upgrading to a better product.

                                dyasny @scottalanmiller

                                @scottalanmiller said in ISP Failover with Cisco ASA:

                                Except "rock solid" compared to a few hundred dollars for more modern, faster gear from non-Cisco. Support for an ASA costs more than just upgrading to a better product.

                                I'm not enough of a network specialist to go into the cisco vs $insertNameHere debate. But I've built several datacenters in the past decade, and the ones where there was NEVER any problem with the firewalls were the ones where the customer paid for the Cisco kit. The same goes for switches btw. Others have used meraki, ubiquiti, dell/sonicwall and even fortinets, there were always hardware problems after a while. The Cisco based DCs just kept working. They also cost much more, so it's really a matter of calculating the TCOs properly.

                                  scottalanmiller @dyasny

                                  @dyasny said in ISP Failover with Cisco ASA:

                                  Others have used meraki

                                  Meraki is actually a mid-level Cisco router. If you see problems on Meraki (and we all do), you are seeing Cisco issues. Cisco makes higher and lower level stuff under the Cisco brand. And a very specific range under the Cisco Meraki brand.

                                    scottalanmiller @dyasny

                                    @dyasny said in ISP Failover with Cisco ASA:

                                    But I've built several datacenters in the past decade, and the ones where there was NEVER any problem with the firewalls were the ones where the customer paid for the Cisco kit.

                                    I'd say we see it about equal to everything else that's decent. The biggest problem with it is the price and performance. It's terrible on both counts. And the cost is so bad that it causes support issues (you can simply pay for spare Ubiquiti gear cheaper than you can support Cisco gear) so you actually tend to get way better "support" from Ubiquiti for less money.

                                    SonicWall is obviously garbage, that's a brand made just for resellers. So discount that. Beyond that, we see them all have issues, and all be decently solid when treated well. Cisco has a bit more of a reputation for quality of support people, but less of a reputation for performance. But as of late, Cisco's security posture has become a bit infamous and using them as a firewall is a bit... questionable.

                                      dyasny @scottalanmiller

                                      @scottalanmiller said in ISP Failover with Cisco ASA:

                                      Meraki is actually a mid-level Cisco router. If you see problems on Meraki (and we all do), you are seeing Cisco issues. Cisco makes higher and lower level stuff under the Cisco brand. And a very specific range under the Cisco Meraki brand.

                                      There's a reason I say meraki (or linksys) and not cisco. Those may have been companies acquired by Cisco, but it's not the same tech, and I do not consider it real cisco

                                        dyasny @scottalanmiller

                                        @scottalanmiller I can only relate to my own experience with them, and while it's not as significant as my experience with server hw or opensource virt stuff, I've gone through several hundred units of various vendors over the years. My experience with cisco has always been good. My experience with Juniper was pretty much on par. The same goes for checkpoint. The rest... not so great.

                                        When I do a consulting gig building a DC, I always try to balance budget oriented solutions with hardware that is not going to be problematic. So when the client can afford cisco, we take it. When not, well, we look for solutions.

                                          scottalanmiller @dyasny

                                          @dyasny said in ISP Failover with Cisco ASA:

                                          There's a reason I say meraki (or linksys) and not cisco. Those may have been companies acquired by Cisco, but it's not the same tech, and I do not consider it real cisco

                                          That's mostly true. But Cisco considers it real Cisco and it shows their view of themselves. And that, I always think, is important. Cisco doesn't see themselves as an enterprise player. And I've been in sales meetings with Cisco and that definitely comes through when talking to them.

                                            scottalanmiller @dyasny

                                            @dyasny said in ISP Failover with Cisco ASA:

                                            My experience with Juniper was pretty much on par. The same goes for checkpoint.

                                            Much more limited on Juniper, but yes, always good.
