Re: ASA active/active?

From: Tony Singh <mothafungla_at_gmail.com>
Date: Sat, 22 Dec 2012 08:15:36 +0000

Hi Joe / Marc / Thomas

There are two sites.

The servers are hosted environments and I am not allowed to run dynamic on the ASAs; already checked :/

So it leaves me kind of stumped. There is a VPN between the sites that the PE is responsible for, where I will start using EBGP. I run iBGP between the L2 trunk, but I need to send the PE IP traffic to the ASAs, so I almost have to use statics from the CE then redis these into BGP..?

I'm trying to lab this, but the problem I'll have is Site 2 will have traffic come into the CE > go over the trunk > ASA site 1 > destination if it is active/standby?

If it's active/active, do I run two contexts: ctx1 Site1 is active & ctx2 Site2 is active? Then point the default route into the switches' HSRP VIP address for server forwarding; what would the return path from the server be? I will have to use default on the switch or run IGP here?

I really need the ASA virtual IP to be the same for things to work; I read somewhere contexts can share the same VIP.

Thanks for your advice, I'm losing sleep over this

--
BR
Tony
Sent from my iPhone on 3

On 22 Dec 2012, at 07:30, Thomas Perrier <thomas_at_perrier.name> wrote:
> Joseph,
> 
> On Sat, Dec 22, 2012 at 1:13 AM, Joseph L. Brunner
> <joe_at_affirmedsystems.com> wrote:
> 
>> If 1 physical site and multiple destination "web sites" behind a single pair of ASAs then you have to remember - active/active mode requires multiple security contexts - so then you can aim static routes (the only routes supported in multicontext mode) at the ASAs
> 
> Since version 9.0, the ASA supports dynamic routing protocols in
> multicontext mode. And site-to-site VPN too, BTW. Lots of good stuff
> in this release.
> 
> -Thomas
> 
> 
> Blogs and organic groups at http://www.ccie.net
Received on Sat Dec 22 2012 - 08:15:36 ART
