Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA 5505 Redundancy

Hello Guys,

One of our clients has redundant ASA 5505's with a few switches. The ASA 5505s have a basic setup, outside ports, inside ports, dmz each on a different vlan, and failover is configured and working properly for both. The customer wants to bring a secondary ISP in for added redundancy. Based on the fact that failover uses the redundancy of the same network for the ASAs to talk on, what would be the best approach here.

Can I create 2 outside interfaces each with the different ISPs and if one ISP fails, the other one can pick up using like a type of SLA. Also, can I load balance traffic out the two or even choose which traffic may go out each line. For instance all internet traffic out one ISP and all VPN traffic out the other ISP.

Any thoughts would be greatly appreciated, and thanks so much in advance.

1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

ASA 5505 Redundancy

John,

You can have the SLA Monitor and Failover at the same time, no special considerations.

Once this is configured, just stop monitoring on the outside interface for Failover:

- no monitor-interface outside

So if the outside link fails on primary ASA, no failover will happen but the ASA will switch to the secondary ISP.

Regards,

Felipe.

Remember to rate useful posts.

4 REPLIES
Bronze

ASA 5505 Redundancy

Hello John,

You can have dual ISP but must have the same configuration on both ASAs, meaning you cannot have one ISP on primary and the other on the secondary.

Because SLA Monitor and Failover are both for redundancy, the best practice is NOT to monitor the outside interface, since it will be tracked by the SLA(if outside fails then the backup takes over, if another interface fails then the entire ASA fails over).

The ASA does not support PBR (routing based on source), therefore you can only have one default route active at the time.

However for L2L VPN, you can configure static routes using the back link (for the peer IP and remote network).

Regards,

Felipe.

Remember to rate useful posts.

New Member

ASA 5505 Redundancy

Hi lcambron,

Thanks for the prompt response, and great details. What would be the best route to go about this. Primarily redundancy is the big factor. If one ISP fails we want the other one to take over. With the Two ASA 5505's which is the best way to handle this in your opinion?

Bronze

ASA 5505 Redundancy

John,

You can have the SLA Monitor and Failover at the same time, no special considerations.

Once this is configured, just stop monitoring on the outside interface for Failover:

- no monitor-interface outside

So if the outside link fails on primary ASA, no failover will happen but the ASA will switch to the secondary ISP.

Regards,

Felipe.

Remember to rate useful posts.

New Member

ASA 5505 Redundancy

thanks lcambron! I will let you know if I have any issues with this.

88
Views
5
Helpful
4
Replies