Fritzbox on redundant ASA Firewall
When I upgraded my internet connection to a 1000 MBit contract, my ISP provided a Fritzbox as cable modem to me. The old cable modem (in bridge mode) worked fine when I connected my two Cisco ASA firewalls into it.
The setup
The Fritzbox does not support bridge mode, therefore it was required to configure a so-called “exposed host”. The “exposed host” configuration was done for the port LAN2 and LAN3 and then I connected the WAN interface of ASA #1 to LAN2 and the WAN interface of ASA #2 to LAN3. Because the Fritzbox did not accept the IP address of the WAN interfaces of my ASA’s, I was forced to register something like a “PC-MAC” address of the ASA’s.
Stefan Thierolfhttps://creativecommons.org/licenses/by-nc-sa/4.0/https://thierolf.org/pages/impressum-imprint/The problem
The internet connection was working fine but when I tested the ASA failover, the internet was gone. After a long investigation I found out the following:
If ASA Primary fails, ASA Secondary should take over (That’s normal)
ASA Secondary inherits the MAC address via failover from ASA Primary (That’s normal)
During the phase of failover, the Fritzbox looses the “PC-MAC” for “exposed host” configuration (WTF?)
Because there is no more “exposed host” anymore (really, it’s gone), the internet connection is gone (WTF?)
Stefan Thierolfhttps://creativecommons.org/licenses/by-nc-sa/4.0/https://thierolf.org/pages/impressum-imprint/To login to the Fritzbox and reconfigure the “PC-MAC” for the so-called “exposed host” contradicts the high availability and failover function of the Cisco ASA Firewall.
The same behavior I saw on the Fritzbox when I switched over from ASA Secondary back to ASA Primary. It does not matter if the switch over is done by CLI command, disconnecting WAN or LAN port on ASA (both are configured for failover monitoring) or powering one ASA off.
Stefan Thierolfhttps://creativecommons.org/licenses/by-nc-sa/4.0/https://thierolf.org/pages/impressum-imprint/In addition I recognized that:
On Fritzbox LAN ports, there are no speed and no duplex settings. I prefer fixed settings for WAN connections (in Cisco terms: speed 1000/duplex full)
On Fritzbox, it’s not possible to set up a port channel or interface bonding
The solution
To solve this problem I realized that I must provide somehow a “PC-MAC” for the “exposed host” on the Fritzbox. I’m doing this by creating a port channel of interface Gi1/0/22 and Gi2/0/22 on my 3750G switch. The MAC address of the created Po interface should never change.
Because the Fritzbox “sees” now the MAC address of the Po interface on the switch, the “exposed host” configuration on the Fritzbox does not “get lost”.
Stefan Thierolfhttps://creativecommons.org/licenses/by-nc-sa/4.0/https://thierolf.org/pages/impressum-imprint/My working solution looks now like shown in this drawing. I did failover tests by using CLI command, disconnecting the patch cords and powered down one of the two ASA’s. In all three tests the internet connection via the so-called “exposed host” stays on.
Stefan Thierolfhttps://creativecommons.org/licenses/by-nc-sa/4.0/https://thierolf.org/pages/impressum-imprint/