I have put SLA monitor in place on 2 firewalls.
Each firewall is independent; on both there is one server placed in a dedicated DMZ.
They communicate by VPN over the Internet, so there is a static (dmz,outside) and an access-list configured between the DMZ and the Internet.
When the Internet connection is no longer available, SLA switches routing to the inside interface (on both firewalls) and connections are re-established....
That works perfectly... but my question is HOW can that work?? There is no static (inside,dmz) configuration; servers are not allowed to initiate connections to the inside interface...
Is there any answer to that? Perhaps SLA monitor adds implicit rules or configuration on the firewall.
No, I don't think there are any implicit rules.
Maybe an ACL is there that is permitting traffic to the inside; static commands are no longer required (no nat-control is the default).
Hope this helps
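To make the answer concrete, here is an added illustration of how the pieces mentioned in the thread fit together on an ASA in pre-8.3 syntax. It is not the poster's configuration and nothing in the thread confirms these exact lines; every address, interface name, object and ACL name below is assumed for the example. The point it shows is that the SLA tracker only withdraws a route, while whether the DMZ server may reach the remote peer is decided by the interface ACL and (with the default no nat-control) does not require a second static.

```cisco
! Added example, not the poster's config. Addresses, names and metrics are assumed.
!
! --- Reachability tracking: ICMP echo to the ISP next hop via "outside" ---
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! --- Floating static routes: primary via outside, backup via inside ---
! When track 1 goes down the outside default route is withdrawn and the
! higher-metric route via the inside next hop (e.g. a private WAN router) wins.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route inside  0.0.0.0 0.0.0.0 10.0.0.1 254
!
! --- NAT: only the dmz<->outside static exists, as in the question ---
! "no nat-control" is the default: traffic leaving via inside needs no
! translation, so no static (inside,dmz) is required for the failover path.
no nat-control
static (dmz,outside) 198.51.100.10 192.168.50.10 netmask 255.255.255.255
!
! --- Interface ACL on dmz: this is what actually admits the traffic ---
! The ACL matches on destination address, not on egress interface, so a
! permit to the remote server applies whether the packet leaves via outside
! (VPN) or via inside (after failover). The inside LAN itself stays denied.
access-list dmz_in extended permit ip host 192.168.50.10 host 192.168.60.10
access-list dmz_in extended deny   ip any 10.0.0.0 255.255.255.0
access-group dmz_in in interface dmz
!
! --- Verification while the primary link is down ---
! show sla monitor operational-state
! show track 1
! show route
! show access-list dmz_in      (hit counts on the permit line above)
```

Two things worth checking in a real deployment: the crypto map is bound to outside, so the backup path through inside is only as private as the link behind it (a private WAN or a second tunnel, never a plain Internet path), and the ACL hit counters from "show access-list dmz_in" will tell you which entry is admitting the re-established connections.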