Static Route Tracking and Setting Up Inbound Connectivity

david.nolan
Level 1

So I'm setting up an ASA active/standby pair running 7.2.2. The desired configuration is to have two internal networks ("DMZ1" and "DMZ2" in this discussion) and two ISP connections ("Outside1" and "Outside2" in this discussion).

I've already read the "Redundant or Backup ISP Links Configuration Example" (located here: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml ) and it seems pretty straight forward. The section that troubles me is:

"This configuration provides a relatively inexpensive way to ensure that outbound Internet access remains available to users behind the security appliance. As described in this document, this setup may not be suitable for inbound access to resources behind the security appliance. Advanced networking skills are required to achieve seamless inbound connections. These skills are not covered in this document."

Is there a way to make inbound connectivity work with two inbound connections setup like the example from the link above? From an inbound perspective, the ASA will be terminating VPN connectivity and doing some static translations to hosts on the "DMZ1" and "DMZ2" networks. The "Outside1" interface will be active unless it fails. I've got the tracking configured so that the default route moves to the "Outside2" interface if the primary connection fails. Is there any documentation on how to change the static translations and VPN setup to operate properly if this failover occurs?

Please let me know if I need to clarify any of my questions. Thanks,

d


4 Replies

umedryk
Level 5

The static route tracking feature is applicable to the PIX 500 series / ASA 5500 series with software version 7.2(1) or later. For previous versions, the two Internet links need to be terminated on a router in front of the security appliance, and redundancy needs to be configured on the router, because route tracking is not available in these versions.

Use this feature for redundancy or backup purposes only. Outgoing traffic uses the primary Internet service provider (ISP) and then the secondary ISP, if the primary fails.

cpembleton
Level 4

In the example from the doc you would just have to duplicate your entries for the backup interface. Create your global, static NAT, ACLs and VPN entries for the backup interface.

static (inside,outside) 10.200.159.3 172.22.1.2 netmask 255.255.255.255

static (inside,backup) 10.250.250.2 172.22.1.2 netmask 255.255.255.255

Also, just duplicate your crypto map and apply it to the backup interface.

A better way would be to get one larger subnet and advertise those routes via BGP out your Internet-facing routers' connections. That way you would always be using the same external IPs. Connect that segment to a switch. Use something like HSRP; then you would not need the route tracking (FYI: there is a bug in 7.2.2 where route tracking fails after failover to the standby ASA, bug CSCsd51407). Or use OSPF and send the default route or any other route to the ASA.

If you can't do BGP or a single subnet, you could also move the NAT to the router level. Then the router would apply the NAT depending on the route it would take.

I find it better to keep the firewall as simple as possible. Move as much routing to the routers as you can.

Hope this helps!

Thanks,

Chad

Please rate if helpful!

Thanks for the reply Chad. I have a couple of questions about your response

> In the example from the doc you would just have to duplicate your entries for the backup interface.
> Create your global, static NAT, ACLs and VPN entries for the backup interface.
> static (inside,outside) 10.200.159.3 172.22.1.2 netmask 255.255.255.255
> static (inside,backup) 10.250.250.2 172.22.1.2 netmask 255.255.255.255

So in this configuration, the ASA will use the static for the interface that it is sending traffic out? E.g. when the primary (outside) connection is working, it will use the (inside, outside) static, but if it fails over to the backup connection, it will use the (inside,backup) static. Is that correct? I guess it makes sense, but it didn't really click until I read what you wrote.

> A better way would be to get one larger subnet and advertise those routes via BGP out your Internet-facing
> routers' connections. That way you would always be using the same external IPs. Connect that
> segment to a switch. Use something like HSRP; then you would not need the route tracking (FYI: there
> is a bug in 7.2.2 where route tracking fails after failover to the standby ASA, bug CSCsd51407). Or use
> OSPF and send the default route or any other route to the ASA.

In an ideal world that is what I would be doing, but I can't on this particular project. Thanks for the FYI on the bug.

No problem.

NAT decisions are made after the routing for outbound packets. So it will match the NAT statement for the outbound interface that is being used.

Thanks,

Chad
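The following configuration fragment is an added example, not part of the original thread and not taken from the Cisco document David links to. It pulls together the three pieces discussed above: the route tracking David already has in place, the per-interface statics, ACLs and duplicated crypto map from Chad's first reply, and the point in Chad's accepted answer that the NAT lookup happens after the egress interface has been chosen. It uses ASA 7.2 syntax. The translated addresses (10.200.159.3, 10.250.250.2, 172.22.1.2) and the interface names outside/backup/inside are the ones from Chad's reply; the ISP gateway addresses 203.0.113.1 and 198.51.100.1, the SLA/track IDs, the ACL and crypto map names, the VPN peer 192.0.2.50 and its remote subnet, and the pre-shared key placeholder are all assumptions made for the example.

```cisco
! Added example, not from the thread. ASA 7.2 syntax.
! Assumed: ISP gateways 203.0.113.1 (outside) and 198.51.100.1 (backup),
! ACL/crypto map names, VPN peer 192.0.2.50 with remote subnet 10.10.10.0/24,
! and the pre-shared key placeholder. Addresses 10.200.159.3, 10.250.250.2
! and 172.22.1.2 are the ones used in the reply above.

! 1. Route tracking: probe the primary ISP gateway with ICMP. When it stops
!    answering, the tracked default route is withdrawn and the higher-metric
!    default route via the backup interface takes over.
sla monitor 123
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254

! 2. Outbound PAT: one global per ISP interface, both sharing nat-id 1.
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

! 3. One static per ISP interface for the same host. The NAT lookup runs
!    after the egress interface has been picked from the routing table, so
!    traffic from 172.22.1.2 is translated with whichever static belongs to
!    the interface currently holding the default route.
static (inside,outside) 10.200.159.3 172.22.1.2 netmask 255.255.255.255
static (inside,backup) 10.250.250.2 172.22.1.2 netmask 255.255.255.255

! 4. Inbound ACLs are duplicated too, each permitting only the public
!    address that belongs to its own interface.
access-list outside_in extended permit tcp any host 10.200.159.3 eq https
access-list backup_in extended permit tcp any host 10.250.250.2 eq https
access-group outside_in in interface outside
access-group backup_in in interface backup

! 5. Site-to-site VPN: identical crypto map entries bound to each ISP
!    interface, ISAKMP enabled on both, one tunnel-group for the peer.
access-list vpn_traffic extended permit ip 172.22.1.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address vpn_traffic
crypto map outside_map 10 set peer 192.0.2.50
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
crypto map backup_map 10 match address vpn_traffic
crypto map backup_map 10 set peer 192.0.2.50
crypto map backup_map 10 set transform-set ESP-AES-SHA
crypto map backup_map interface backup
crypto isakmp enable outside
crypto isakmp enable backup
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 192.0.2.50 type ipsec-l2l
tunnel-group 192.0.2.50 ipsec-attributes
 pre-shared-key <replace-with-a-long-random-key>
```

To confirm the failover actually does what the thread describes, check `show track 1` and `show sla monitor operational-state 123` for the probe state, `show route` for which default route is installed, and `show xlate` to see which static is being used for 172.22.1.2 before and after pulling the primary link. Given the bug Chad mentions (CSCsd51407), repeat those checks on the unit that becomes active after an ASA failover, not just after an ISP failover. Two caveats follow directly from the Cisco document quoted in the question: existing inbound sessions to 10.200.159.3 and an existing VPN tunnel do not survive a switch to the backup link, because the public address changes, so the remote VPN peer must be configured to accept both of the ASA's interface addresses, and anything published in DNS for the primary address has to be repointed (or served with a short TTL) for inbound connectivity to resume on the backup address.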
