ASA route tracking & backup ACL

Sep 1st, 2009

I have an ASA 5505 with a T1 (outside, 1.1.1.1) as the primary route, then a DSL line (backup, 2.2.2.2) as secondary, all with LAN (inside, 192.168.1.1).


Right now it successfully injects the backup route if the outside goes down, then switches back over when the T1 comes back up. This is working fine.


My problem is that I have an Exchange Server (192.168.1.5, 192.168.1.6 secondary IP) living on the LAN and I need to be able to send/receive email traffic while the backup route is in place.


Another problem is that while I have multiple static IPs on the T1 side, I only have one on the DSL side.


I just created an access-list for the backup and put it in place. I'm going to show a couple of lines of the config. Could someone please tell me if I have it correct?


access-list mainacl extended permit tcp any host 1.1.1.2 eq smtp

access-list backupacl extended permit tcp any host 2.2.2.2 eq smtp


static (inside,outside) 1.1.1.2 192.168.1.5 netmask 255.255.255.255

static (inside,backup) tcp interface smtp 192.168.1.6 smtp netmask 255.255.255.255


access-group mainacl in interface outside

access-group backupacl in interface backup




This is a live ASA so I haven't tested it yet. But assuming the T1 (outside) goes down and the DSL (backup) becomes live, should the above ACL kick in and all should work?


If so then I can adjust our hosted mail security to use the failover, also.


Thanks for any help or tips

Collin Clark Tue, 09/01/2009 - 12:02

Your ACLs and statics look good. The biggest problem is with DNS/MX records.


Hope it helps.

scott.bridges Wed, 09/02/2009 - 07:02

Great. I was pretty sure the ACLs were correct; my worry was if this was possible.


I'm not sure of the mechanics of route tracking and if the backupacl would be valid if a different default route was injected.


So this setup sounds plausible? 'outside' goes down, 'backup' goes up, SMTP traffic still able to get through?


That's the goal.



Thanks

Collin Clark Wed, 09/02/2009 - 07:08

Yup, if everything is configured correctly :-)
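An added example, not part of the thread or of any Cisco tooling: a small offline check of the posted lines before they go onto the live ASA. It assumes the pre-8.3 `static` syntax shown above, where the interface ACL matches the mapped (public) address, and that `interface` in a static resolves to the interface address given in the question; the function name and the `IFACE_IP` table are made up for this illustration.

```python
import re

# Constructed copy of the configuration lines posted in the question.
CONFIG = """\
access-list mainacl extended permit tcp any host 1.1.1.2 eq smtp
access-list backupacl extended permit tcp any host 2.2.2.2 eq smtp
static (inside,outside) 1.1.1.2 192.168.1.5 netmask 255.255.255.255
static (inside,backup) tcp interface smtp 192.168.1.6 smtp netmask 255.255.255.255
access-group mainacl in interface outside
access-group backupacl in interface backup
"""
# Interface addresses as stated in the question (assumed input to the check).
IFACE_IP = {"outside": "1.1.1.1", "backup": "2.2.2.2"}

ACL_RE = re.compile(r"access-list (\S+) extended permit tcp any host (\S+) eq (\S+)")
STATIC_RE = re.compile(r"static \(\S+,(\S+)\) (?:tcp (\S+) (\S+)|(\S+)) (\S+)")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)")


def smtp_exposure(config, iface_ip):
    """Map each ingress interface to (mapped_ip, real_ip, smtp_reachable)."""
    permits = {m.groups() for m in ACL_RE.finditer(config)}  # (acl, dst, port)
    bound = {m.group(2): m.group(1) for m in GROUP_RE.finditer(config)}
    result = {}
    for m in STATIC_RE.finditer(config):
        iface, pat_ip, pat_port, nat_ip, real_ip = m.groups()
        mapped = pat_ip or nat_ip
        if mapped == "interface":
            mapped = iface_ip[iface]  # port static on the interface address
        # A one-to-one static translates every port, so only the ACL limits
        # exposure; a port static forwards nothing but the named port.
        forwards_smtp = pat_port in (None, "smtp")
        # The ACL bound to the ingress interface must permit the mapped IP.
        allowed = (bound.get(iface), mapped, "smtp") in permits
        result[iface] = (mapped, real_ip, forwards_smtp and allowed)
    return result


if __name__ == "__main__":
    for iface, (mapped, real, ok) in smtp_exposure(CONFIG, IFACE_IP).items():
        print(f"{iface}: {mapped}:smtp -> {real} {'OK' if ok else 'BLOCKED'}")
```

The check is per interface, which is why a change of default route does not affect it: each ACL and static is tied to the interface the traffic arrives on.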
