ASA 5505 and IOS

sicuranzaj · ‎07-29-2010

I will be using an ASA on a customer site as a simple failover of an IOS based router mpls provider path. The ASA will have its own vpn tunnel path via a cable modem to the main HQ site for just one branch.

I wanted to automate the failover if the customer's branch router based wan circuit fails.

Does the ASA support HSRP/tracking or any other failover protocols between itself and another NON ASA device?

The docs do show support for failover and routing protocol options but no example with using an ASA and an IOS device as a single failover pair.

Any ideas are greatly appreciated.

August Ritchie · ‎07-29-2010

The ASA doesn't support HSRP, but it does support SLA monitoring for tracking using pings.

Here is an example document for configuring SLA monitoring for backup ISP configuration.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Nagaraja Thanthry · ‎07-29-2010

Hello,

While ASA cannot participate in HSRP kind of scenario, you could do the

following:

Step 1:

Configure the ASA as the default gateway for all the traffic

Step 2:

Connect the ASA and the router using a separate link

Step 3:

On the ASA, configure the router as default gateway with tracking option.

Step 4:

Configure a secondary route to same destinations through the ASA's outside

interface with lower metric.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration

_example09186a00806e880b.shtml

This way, the ASA will send all traffic to the Router as long as the router

is active and if the router goes, down forward the same traffic via the VPN

tunnel. Alternatively, if you have another L3 device on the inside, you

could make that as the default gateway for your entire network and then do

route tracking on that.

Hope this helps.

Regards,

NT