I was working on a project which involved with 2 routers which also act as a firewall. The reason for that is because someone want to replace a standalone Cisco PIX firewall with 2 x routers to improve the availability as well as security.
I really not sure who come up with this idea. It gave me enough headache during the implementation process. The challenges are :
– The zone base firewalls on the routers cannot work in a cluster mode like a Cisco ASA
– The multiple WAN interfaces with EIGRP/OSPF routing process will break the data throw direction
– A stateful failover cannot be setup.
To achieve this setup, I have use EEM script to detect HSRP syslog message for a failure and the EEM script to remove the routing process on the route which the link is failed and enable the routing process on the router that become active.
I have spent a lot of time to work out this “solution”. Provided I have to use the pre-selected hardware to reach the high availability requirement. I believe what I have done is good enough to meet the client’s expectation while they don’t need to buy new hardware. To be honest, they should really get a firewall instead of 2 3900 series routers to work as a firewall.