TWO ISPs - One ASA

netsec123
Level 1

Hi. I am not 100% sure this is the best forum for this question but here goes... Two ISPs are connected to two interfaces on our ASA 5550. G0/0 = ISP1 and G1/0 = ISP2. How should failover best be approached? I was told active / active via multiple contexts using the ASA but from ONE ASA, can't I simply have BACKUP routes that TRACK somehow? That's my question. Can anyone help me with this? THANKS!!!

3 Replies

vitripat
Level 7

You need to configure your firewall with ISP failback, which was introduced in 7.2.1 code.

In order to configure this we can use the following steps:

Failback of ISP works using a new feature called "Static Route Tracking".

The main problem with defining two default static routes with different AD was:

- How to determine if the route with lower AD has failed?

- The route with lower AD will only be used if the associated interface goes down itself.

Thus, in order to make sure that the current static route is functional we needed something for monitoring the connectivity using this route.

ICMP was used for this. With Static Route Tracking configured, PIX keeps a check on the static route using echo-request messages.

When monitoring of a particular route fails, it is removed from the routing table and a previously configured backup route is used in place of the removed route. A backup route can be another default route with a higher metric than the existing one.

The following commands can be used for ISP failback:

--> pixfirewall(config)# sla monitor 20

(20 is only an ID here. Valid values are from 1 to 2147483647.)

--> pixfirewall(config-sla-monitor)# type echo protocol ipIcmpEcho 192.168.1.1 interface outside

192.168.1.1 - This is my target IP on which PIX will keep a check. There are options available on this, but it's at your discretion what you want to keep a check on. For example:

- We can set PIX to keep a check on some host outside which is accessible via the existing static default route I'm checking.

--> pixfirewall(config)# sla monitor schedule 20 life forever start-time now

- The above command is telling PIX to start monitoring on "sla-id 20" now (start-time now) and continue monitoring forever (life forever).

Next, I create a "Track ID" to associate a static route entry with the SLA monitoring process.

--> pixfirewall(config)# track 200 rtr 20 reachability

(200 is the Track_id and 20 is the sla-id)

Now we will use the above "TRACK" to track a static route on PIX and make sure that the static route is working fine. This is done using the following command:

--> pixfirewall(config)# route outside 0 0 192.168.1.1 1 track 200

How will the above work?

PIX will see that a "Track ID" is associated with the static route. PIX will check the TRACK, which is supposed to track the static route as defined in "SLA", here sla-id (20).

The SLA says to monitor forever and start monitoring as soon as the SLA is created, and the target it will monitor through the static route is defined above as "192.168.1.1". This was done in the following command.

--> pixfirewall(config-sla-monitor)# type echo protocol ipIcmpEcho 192.168.1.1 interface outside

To summarize:

In order to configure Static Route Tracking for a static route entered manually, the following commands are entered:

--> pixfirewall(config)# sla monitor 20

--> pixfirewall(config-sla-monitor)# type echo protocol ipIcmpEcho 192.168.1.1 interface outside

--> pixfirewall(config-sla-monitor)# exit

--> pixfirewall(config)# sla monitor schedule 20 life forever start-time now

--> pixfirewall(config)# track 200 rtr 20 reachability

--> pixfirewall(config)# route outside 0 0 192.168.1.1 1 track 200

Hope this helps.

Regards,

Vibhor.
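The reply above shows only the tracked primary route; the following ASA configuration is an added example (not from the original reply) that completes the picture for the asker's two-ISP case with the floating backup route. Interface names (outside1 on G0/0, outside2 on G1/0), the gateway addresses and the probe target are assumptions using documentation-range addresses.

```cisco
! Added example, not part of the original post. Assumed names/addresses:
!   outside1 = G0/0 toward ISP1, gateway 203.0.113.1 (constructed)
!   outside2 = G1/0 toward ISP2, gateway 198.51.100.1 (constructed)
!
! ICMP echo probe sent through outside1 to the ISP1 gateway.
! num-packets 3 sends three echo requests per probe; frequency 10 runs
! the probe every 10 seconds so a failure is noticed within tens of seconds.
sla monitor 20
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside1
 num-packets 3
 frequency 10
sla monitor schedule 20 life forever start-time now
!
! Track object 200 follows the reachability state of SLA 20.
track 200 rtr 20 reachability
!
! Primary default route (AD 1): installed only while track 200 is up.
route outside1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 200
!
! Floating backup default route: AD 254 keeps it out of the routing table
! until the tracked primary route is withdrawn, and it is replaced again
! as soon as the probe succeeds (this is the failback behaviour).
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Verification after applying:
!   show sla monitor operational-state 20   - probe results / last return code
!   show track 200                          - "Reachability is Up" or "Down"
!   show route                              - which default route is installed
```

Two practical checks: pick a probe target that only answers via ISP1 (the ISP gateway or a host beyond it), otherwise a reply arriving via the backup path keeps the track up while ISP1 is actually dead; and give inside hosts NAT rules for outside2 as well as outside1, or traffic that fails over to ISP2 leaves untranslated and is dropped.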

acomiskey
Level 10

Yes, you can create an object track on the asa and a floating static route, here is the doc that will walk you through it...

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Please rate helpful posts.

Thank you - BOTH of you -- This was EXACTLY what I needed. What spawned this issue is that when a failover occurs, will a backup MX record suffice [which is already in place]? Then the idea of multiple contexts came up so we could do active-active on the two units. Finally, with all backup routes and tunnels configured, I guess I would not need BGP... I know the next question would be load balancing. What do you guys think about that piece? You are VERY helpful with this and I greatly appreciate it!!!!
