Cisco Support Community
Community Member

ASA capability question

I have an ASA 5505.

Primary ISP is a T1.

Secondary ISP is a Cable connection.

I remember reading that a PIX was able to do a failover type setup with this setup. Setting up a timer that would ping a destination, and if that IP stopped responding it would inject the Secondary ISP's route.

Is this possible with this ASA 5505?

1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

Re: ASA capability question

Hi Scott,

Yes -- as far as I know, this should be possible with the ASA 5505. The feature you are looking for is called Static Route Tracking.

See these two pages:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ip.html#wp1090243

One difference you should see on the 5505 from the other 5500 models is that you are using VLAN interfaces instead of physical interfaces. You just assign the physical switch ports to be members of the separate VLANs.

Good luck!

--Brandon

8 REPLIES

Community Member

Re: ASA capability question

Thanks Brandon,

Just one clarification question. Perhaps I should have mentioned this in original post:

I found this conversation in regards to Failover/DualWAN on this 5505:

"First we need to understand some limitations of our devices. The ASA5505 can only perform Active/Standby failover and not Active/Active. If you need that, you will have to look at a higher range device. Also they can only perform LAN-Based Failover (as opposed to old pixes that can use cable based failover) and they don't support Stateful Failover (meaning all active connections will be lost after a failover event). Also both units must have the same hardware, software configuration, and proper license and run in same mode (single or multiple, transparent or routed)."

Does this affect my goal? This 5505 should support my goal setup, correct?

Bronze

Re: ASA capability question

Scott, Active/Standby or Active/Active is referring to device redundancy. Since the 5505 doesn't support multiple contexts, the best you could do is stateless-failover with a standby 5505. Of course, that also means you'd have to have the Security Plus license for your 5505, as the base license doesn't support stateless Active/Standby.

You should still be able to implement the static route tracking feature.

--Brandon

Community Member

Re: ASA capability question

Thanks again Brandon.

Below is the output of my "show version" on the questioned ASA5505. I created Vlan3 to be the "backup" but when I do "nameif backup" it gives me a licensing error.

Which license do I need to purchase in order to nameif this Vlan and be able to implement the Static Route Tracking feature? Also, should I be worried about this "no forward" command requirement?

Thanks again.

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 50
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0

ciscoasa(config-if)# nameif backup
ERROR: This license does not allow configuring more than 2 interfaces with
nameif and without a "no forward" command on this interface or on 1 interface(s)
with nameif already configured.

Bronze

Re: ASA capability question

It looks like you have the base license. If you had the Security Plus license, you should see "VLANs: 20" and "Failover: Enabled"

Community Member

Re: ASA capability question

Okay,

I'm sorry to seem like I'm going in circles, but I would like to clarify before I tell a client to spend $595 on this Security Plus license.

I have a T-1 (1.1.1.10 WAN)

I have a Cable connection (2.2.2.10 WAN)

I have an ASA5505 (192.168.1.1 LAN)

If we purchase the Security Plus license, I will be able to implement the "route tracking" feature. This will track the T-1 connection's primary route, and in the case of it going down, this feature will then inject the Cable connection's primary route as the "ip route".

This will act as an ISP failover. If our T-1 goes down, the ASA (and therefore, the client), will still be online through the Cable connection.

Is this correct?

Community Member

Re: ASA capability question

Yes that's correct.
