How to setup Failover between ASA & PIX Firewall for Internet Traffic


Hello Experts,

I am looking for a solution to know on how to perform Failover between ASA & PIX Firewall for the Internet traffic .

Please find the scenario below-



Coreswitch ------------------------ PIX 535 Firewall ------ ISP PIX FW ---- ISP Router ---- ISP A Internet Cloud of 10MB
     |                                   |DMZ1        |ethernet4 (dmz4)
     |          DMZ Switch -- Proxy1/2    |            |
     |          192.168.1.x               |            |
     |                                   |gi 0/1      |gi 0/2
     |----------------------------- ASA 5520 Firewall ---- Router ---- Directly connected to the ISP B of 20MB.

Here ISP A was placed with their own FW and router at our place, as they are a sub-ISP of another ISP and they follow this standard.

We have been using the 20MB (ISP B) internet as our primary connection and would like to know how the user internet traffic can auto divert to ISP A 10MB with the help of tracking or any other configuration between the ASA and PIX FW.

Note : all PCs access internet using Proxy connection which is placed at DMZ Zone .

We have two proxies configured with virtual IP and at one point of time only one Proxy can be active.

Both PIX eth4 is connected to ASA Gi 0/2 with 192.168.4.X ip range.

I just want that when the Internet link goes down at ISP B, all the internet traffic should auto divert to ISP A.

Appreciate all your posts and help.



astripat Wed, 05/05/2010 - 13:08

Hi ,

You can configure ISP fallback as mentioned in the following link to accomplish the same:

You need to track the default route on the PIX and in the situation when it fails, the route should fallback to the default route pointing towards the dmz of the pix through which it is connected to the ASA.



Hello All,

I am attaching the visio diagram of my current setup.

At present my traffic is configured to go towards the 20MB link, through the ASA firewall.

The ASA firewall is connected on gi 0/2 (DMZ1) to the PIX FW eth0 interface (DMZ4), but the two are currently not pinging each other.

Currently tracking is configured for the primary link, which goes towards the 20MB link, and I would like to have tracking configured for the secondary 10MB link so that internet traffic automatically diverts in case the 20MB primary link goes down.

What global NAT commands are required on both the ASA and PIX FW, and what other commands are required for this setup?

My other request is that I am not able to set up TACACS authentication on the 3820 with the below commands; TACACS is working up to the ASA FW.

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login console none
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization network default group tacacs+
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

tacacs-server host single-connection key  7 XXXX

I am not able to ping the TACACS server.

Highly appreciate all your suggestions.
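An illustrative configuration for the tracked-default-route fallback described in astripat's reply, together with the NAT needed on the ASA-to-PIX path that the follow-up asks about. This is an added example, not configuration from this thread or from Cisco; it assumes pre-8.3 ASA / PIX 7.x `nat`/`global` syntax, uses placeholder ISP B addresses (203.0.113.0/29), assumes 192.168.4.1 for the ASA dmz1 interface and 192.168.4.2 for the PIX ethernet4 (dmz4), and assumes the proxies sit on 192.168.1.0/24 behind the ASA.

```cisco
! ===== ASA 5520 (primary egress via ISP B, floating backup via the PIX) =====
! Placeholder addressing; substitute the real ISP B point-to-point subnet.
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface GigabitEthernet0/2
 nameif dmz1
 security-level 50
 ip address 192.168.4.1 255.255.255.0
!
! ICMP probe towards ISP B, sent out the outside interface only.
! 3 echoes every 10 s; reachability is lost after the probe fails.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! The primary default route is installed only while track 1 reports
! reachability; when it is withdrawn the floating route (metric 254)
! via the PIX on dmz1 becomes the active default.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route dmz1 0.0.0.0 0.0.0.0 192.168.4.2 254
!
! PAT inside hosts (including the proxies) on whichever egress interface
! the routing table currently selects.
global (outside) 1 interface
global (dmz1) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

! ===== PIX 535 (secondary egress via ISP A) =====
interface Ethernet4
 nameif dmz4
 security-level 50
 ip address 192.168.4.2 255.255.255.0
!
! Traffic arriving from the ASA on dmz4 is PATed on the PIX outside
! interface towards the ISP A firewall/router.
global (outside) 1 interface
nat (dmz4) 1 192.168.4.0 255.255.255.0
!
! Return route for the networks behind the ASA (proxy subnet shown;
! add the real inside ranges as further static routes).
route dmz4 192.168.1.0 255.255.255.0 192.168.4.1 1
```

Verify with `show track 1` and `show route` on the ASA before and after taking the ISP B path down. Probing the directly connected ISP B router only detects a link or router failure; choosing a probe target further upstream that is reachable only through ISP B also catches an upstream outage. Connections that were already established through the outside interface are not migrated when the route flips, so the proxy's existing sessions will time out and re-establish over the PIX path, which is normal for this design.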



