TWO ISPs - One ASA

Jun 29th, 2007

Hi. I am not 100% sure this is the best forum for this question but here goes... Two ISPs are connected to two interfaces on our ASA 5550. G0/0 = ISP1 and G1/0 = ISP2. How should failover best be approached? I was told active / active via multiple contexts using the ASA but from ONE ASA, can't I simply have BACKUP routes that TRACK somehow? That's my question. Can anyone help me with this? THANKS!!!

vitripat Fri, 06/29/2007 - 13:35

You need to configure your firewall with ISP failback, which was introduced in 7.2.1 code.

In order to configure this we can use the following steps:

Failback of ISP works using a new feature called "Static Route Tracking".

The main problem with defining two default static routes with different AD was:

- How to determine if the route with lower AD has failed?

- The route with lower AD will only be used if the associated interface goes down itself.

Thus, in order to make sure that the current static route is functional we needed something for monitoring the connectivity using this route.

ICMP was used for this. With Static Route Tracking configured, PIX keeps a check on the static route using echo-request messages.

When monitoring of a particular route fails, it is removed from the routing table and a previously configured backup route is used in place of the removed route. A backup route can be another default route with a higher metric than the existing one.

The following commands can be used for ISP failback:

--> pixfirewall(config)# sla monitor 20

(20 is only an ID here. Valid values are from 1 to 2147483647.)

--> pixfirewall(config-sla-monitor)# type echo protocol ipIcmpEcho 192.168.1.1 interface outside

192.168.1.1 - This is my target IP on which PIX will keep a check. There are options available on this, but it's at your discretion what you want to keep a check on. For eg:

- We can set PIX to keep a check on some host outside which is accessible via the existing static default route I'm checking.

--> pixfirewall(config)# sla monitor schedule 20 life forever start-time now

- The above command is telling PIX to start monitoring on "sla-id 20" now (start-time now) and continue monitoring forever (life forever).

Next, I create a "Track ID" to associate a static route entry with the SLA monitoring process.

--> pixfirewall(config)# track 200 rtr 20 reachability

(200 is the Track_id and 20 is the sla-id)

Now we will use the above "TRACK" to track a static route on PIX and make sure that the static route is working fine. This is done using the following command:

--> pixfirewall(config)# route outside 0 0 192.168.1.1 1 track 200

How will the above work?

PIX will see that a "Track ID" is associated with the static route. PIX will check the TRACK which is supposed to track the static route as defined in "SLA", here sla-id (20).

The SLA says to monitor forever and start monitoring as soon as the SLA is created, and the target it will monitor through the static route is defined above as "192.168.1.1". This was done in the following command.

--> pixfirewall(config-sla-monitor)# type echo protocol ipIcmpEcho 192.168.1.1 interface outside

To summarize:

In order to configure Static Route Tracking for a static route entered manually, the following commands are entered:

--> pixfirewall(config)# sla monitor 20

--> pixfirewall(config-sla-monitor)# type echo protocol ipIcmpEcho 192.168.1.1 interface outside

--> pixfirewall(config-sla-monitor)# exit

--> pixfirewall(config)# sla monitor schedule 20 life forever start-time now

--> pixfirewall(config)# track 200 rtr 20 reachability

--> pixfirewall(config)# route outside 0 0 192.168.1.1 1 track 200

Hope this helps.


Regards,

Vibhor.
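As an added example (not from the original thread or from Cisco's documentation), here is how the commands above fit together on the poster's ASA 5550 with both ISPs, including the backup default route that the reply describes but does not show. The interface names, addresses (203.0.113.x, 198.51.100.x, 192.0.2.1) and probe timers are assumed values chosen for the example.

```text
! Assumed addressing (constructed for this example):
!   G0/0 "outside" -> ISP1, gateway 203.0.113.1
!   G1/0 "backup"  -> ISP2, gateway 198.51.100.1
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
!
interface GigabitEthernet1/0
 nameif backup
 security-level 0
 ip address 198.51.100.10 255.255.255.248
!
! Probe a host beyond ISP1's first hop rather than the gateway itself, so a
! failure upstream of the gateway is also detected. 192.0.2.1 is an assumed
! address; pick one that reliably answers ICMP, because a target that drops
! echo-requests looks exactly like an outage and triggers a failover.
sla monitor 20
 type echo protocol ipIcmpEcho 192.0.2.1 interface outside
 num-packets 3
 frequency 10
 timeout 1000
sla monitor schedule 20 life forever start-time now
!
track 200 rtr 20 reachability
!
! Primary default route (AD 1) stays installed only while track 200 is up.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 200
! Backup default route with a higher AD; it enters the routing table only
! after the tracked route has been withdrawn, and leaves again on failback.
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Verification after applying:
!   show track 200                        -> Reachability is Up / Down
!   show sla monitor operational-state 20 -> result of the latest probes
!   show route                            -> which default route is active
```

The probes keep going out the "outside" interface even while the primary route is withdrawn, which is what lets the ASA notice when ISP1 comes back and fail back automatically.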

netsec123 Fri, 06/29/2007 - 16:00

Thank you - BOTH of you -- This was EXACTLY what I needed. What spawned this issue is that when a failover occurs, will a backup MX record suffice [which is already in place]? Then the idea of multiple contexts came up so we could do active-active on the two units. Finally, with all backup routes and tunnels configured, I guess I would not need BGP... I know the next question would be load balancing. What do you guys think about that piece? You are VERY helpful with this and I greatly appreciate it!!!!
