
configure dual isp for failover on asa 5505

Guys,

How do you configure the firewall when one of the ISPs is dynamic? The primary internet is static and the secondary internet is dynamic.

I set up 3 VLANs: 2 outside VLANs and 1 inside VLAN. I specify the route command for the outside VLAN with the track, but I don't know how to set up the route command for the dynamic IP. I also configure the sla command. Whenever the primary is not connected the secondary doesn't work, but I have no problem if connecting directly with a laptop.

Let me know your thoughts.

Thank you in advance, guys.

8 REPLIES

configure dual isp for failover on asa 5505

Hello Tedy,

They provide you a dynamic IP address for the outside interface? Is that what you are saying?

Or are you saying that their IP is dynamic? Because they will need to provide you with a defined gateway IP for this to work.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

configure dual isp for failover on asa 5505

Hi Julio,

Yes, they provide me with a dynamic IP address. So it looks like this. I don't know how to make the route fail automatically since the second ISP is dynamic.

interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.10.10 255.255.255.0
!
interface Vlan3
 nameif outsidebackup
 security-level 0
 ip address dhcp setroute
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1 track 1
sla monitor 123
 type echo protocol ipIcmpEcho 8.8.8.8 interface outsidebackup
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability

Re: configure dual isp for failover on asa 5505

Hello Tedy,

The IP address you get is dynamic but can you talk to them about this implementation so they can let you know if it's possible to have the same default-gateway (their IP address) ??

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

configure dual isp for failover on asa 5505

Can you do something like this:

sla monitor 123
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1 track 1
sla monitor 225
 type echo protocol ipIcmpEcho 8.8.8.8 interface outsidebackup
 num-packets 3
 frequency 10
sla monitor schedule 225 life forever start-time now
track 2 rtr 225 reachability
interface Vlan3
 nameif outsidebackup
 dhcp client route track 2
 dhcp client route distance 25
 ip address dhcp setroute

configure dual isp for failover on asa 5505

Hello David,

Excellent, I did not think about the DHCP client route option (kudos to you).

Now, I would agree with your configuration except with the SLA 225.

I mean, why would you track the route through VLAN 3?

As soon as the ASA primary is back and running, preemption will take place.

So the configuration you need as David suggested will be:

sla monitor 123
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1 track 1
interface Vlan3
 nameif outsidebackup
 dhcp client route distance 25
 ip address dhcp setroute

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
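An added example, not written by any participant in this thread: a small Python audit of the two points on which the accepted replies differ from the configuration posted in the question (the SLA probe leaves through the interface whose route it tracks, and the DHCP-learned default route gets a higher distance than the tracked static route). The function name `audit_failover` and the `POSTED`/`FIXED` excerpts are assumptions made for illustration, and the parser only handles the command forms that appear in this thread.

```python
import re

# Excerpt of the config posted in the question (sla 123 probes via the backup interface).
POSTED = """interface Vlan3
 nameif outsidebackup
 ip address dhcp setroute
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1 track 1
sla monitor 123
 type echo protocol ipIcmpEcho 8.8.8.8 interface outsidebackup
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
"""
# Same excerpt with the two changes from the accepted replies applied.
FIXED = (POSTED.replace("interface outsidebackup", "interface outside")
         .replace(" ip address", " dhcp client route distance 25\n ip address"))

def audit_failover(config):
    """Return findings for tracked default routes in ASA config text."""
    sla_if, track_sla, routes, ifaces = {}, {}, [], []
    sla = iface = None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"sla monitor (\d+)$", line):
            sla, iface = m[1], None
        elif m := re.match(r"interface (\S+)$", line):
            sla, iface = None, {"nameif": m[1], "distance": None, "setroute": False}
            ifaces.append(iface)
        elif sla and (m := re.match(r"type echo protocol ipIcmpEcho \S+ interface (\S+)", line)):
            sla_if[sla] = m[1]
        elif m := re.match(r"track (\d+) rtr (\d+)\s+reachability", line):
            track_sla[m[1]] = m[2]
        elif m := re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+ (\d+) track (\d+)", line):
            routes.append((m[1], int(m[2]), m[3]))
        elif iface and (m := re.match(r"nameif (\S+)", line)):
            iface["nameif"] = m[1]
        elif iface and (m := re.match(r"dhcp client route distance (\d+)", line)):
            iface["distance"] = int(m[1])
        elif iface and line == "ip address dhcp setroute":
            iface["setroute"] = True
    findings = []
    for name, metric, track in routes:
        probe = sla_if.get(track_sla.get(track))
        if probe != name:  # probe must leave through the interface whose route it guards
            findings.append(f"route {name}: track {track} probes via {probe}")
        for i in ifaces:
            # ASA installs DHCP-learned routes at distance 1 unless configured otherwise.
            if i["setroute"] and i["nameif"] != name and (i["distance"] or 1) <= metric:
                findings.append(f"{i['nameif']}: DHCP route distance must exceed {metric}")
    return findings
```

`audit_failover(POSTED)` reports both issues and `audit_failover(FIXED)` returns an empty list.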

Re: configure dual isp for failover on asa 5505

Good point.  I was thinking about a situation I worked on where I was using the dhcp address as a primary route out and then failed back to my static route.


configure dual isp for failover on asa 5505

David and Julio,

Thank you for both your inputs. I will try your approach.

configure dual isp for failover on asa 5505

Hello Tedy,

Excellent, in the meantime you can rate all of our answers.

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC