New Member

Dual ISP support with stateful failover

Hi,

Background - I have an ASA which is connected to 2 internet service providers. Both providers have their respective public IP addresses configured on two different physical interfaces. I NAT the Inside zone proxy to one of the provider interfaces for browsing purposes.

Requirement - There should be an automatic switchover of the proxy from one provider to another when the configured NAT provider fails.

I have gone through the following page http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

As per this configuration, what I understand is that users will have to re-establish the session because the PAT address will change to that of the backup interface, and entries in the state table will be of no use as a different global address will come into the picture.

Is my understanding correct? If it is correct, what is a solution to this problem?

Also, in the real world, if I take the 20.20.20.0/28 subnet from ISP1, can I use IPs from the same subnet to assign an address to the interface connecting to the Backup ISP?

Sorry in advance if I am not clear with my question

Thanks in advance

Cheers

Accepted Solutions

Dual ISP support with stateful failover

First of all, you cannot use a subnet provided by one ISP and routed by another. For this purpose only BGP comes into play, which is not supported on the ASA.

In the link mentioned by you, yes, sessions need to re-establish once there is a failure on the primary link.

We have mentioned match any 0.0.0.0 from inside, which means whichever of primary or backup is forwarding traffic with PAT will be using the interface IP of that ISP.

Thanks

Ajay

Hall of Fame Super Silver

Dual ISP support with stateful failover

To add to Ajay's correct posting - even if you had an external router to handle the BGP and the agreement from the provider who has assigned you your /28, you could not use the first provider's assigned netblock with a second provider since it is smaller than a /24 - the smallest allowed portable block.

If you were to acquire a provider-independent /24 assigned directly to you from your provider or RIR (ARIN, RIPE, APNIC, etc.) you could potentially use that (still requiring an external router). However it is unlikely that you could get a new one assigned since the /28 suffices for your hosts at this point.

As you describe it now, if you lose a provider, you will lose all your sessions, even under best practices and best possible configuration scenario.

One alternative may be to inquire about redundant service from your preferred provider. Depending on your location's service options, this may be possible. You would need to be diligent in ensuring that the redundancy is adequate to protect your connectivity (e.g., different upstream devices, diverse connections into your building, etc.). In such a service scenario, your provider may be able to retain your IP space and manage routing to you dynamically.

Hope this helps.
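To make the two answers concrete, here is a small Python model of what the ASA's interface PAT does when a tracked default route fails over. This is an added example, not code from the thread, from Cisco or from the referenced configuration guide; the interface names, addresses (RFC 5737 documentation ranges), ports and the flow tuple are all constructed. It models the two points made above: after failover the same inside flow is rebuilt on the backup interface's IP, so the remote server sees a new source and the TCP session cannot continue, and if the backup interface were numbered out of ISP1's /28, replies would still be routed back through ISP1 (which is the failed path) because nothing tells ISP2 to carry that prefix.

```python
# Toy model of ASA-style interface PAT with SLA-tracked default routes.
# Added example, not from the thread or from Cisco; all addresses are
# constructed from RFC 5737 documentation ranges.
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FlowKey = Tuple[str, int, str, int]  # (inside_ip, inside_port, dst_ip, dst_port)


@dataclass
class Isp:
    name: str               # ASA interface name, e.g. "outside" or "backup" (assumed)
    interface_ip: str       # PAT global address, as with "nat ... interface"
    prefix: str             # block the ISP routes toward us (assumption)
    metric: int             # static route metric; lower wins while reachable
    reachable: bool = True  # result of SLA reachability tracking


@dataclass
class Xlate:
    global_ip: str
    global_port: int
    egress: str             # interface the translation was built on


class AsaPat:
    """Builds one xlate per inside flow on whichever default route is active."""

    def __init__(self, isps):
        self.isps: Dict[str, Isp] = {i.name: i for i in isps}
        self.xlates: Dict[FlowKey, Xlate] = {}
        self.next_port = 1024

    def active_egress(self) -> Optional[Isp]:
        # Lowest-metric route whose tracked next hop is still reachable.
        up = [i for i in self.isps.values() if i.reachable]
        return min(up, key=lambda i: i.metric) if up else None

    def translate(self, key: FlowKey) -> Optional[Xlate]:
        egress = self.active_egress()
        if egress is None:
            return None
        existing = self.xlates.get(key)
        if existing is not None and existing.egress == egress.name:
            return existing  # xlate still valid on the same interface
        # The flow now leaves a different interface, so a new PAT entry is
        # built from that interface's IP: the remote end sees a new source.
        new = Xlate(egress.interface_ip, self.next_port, egress.name)
        self.next_port += 1
        self.xlates[key] = new
        return new

    def return_path(self, global_ip: str) -> Optional[Isp]:
        """ISP that delivers replies to global_ip: the one routing its prefix."""
        addr = ipaddress.ip_address(global_ip)
        for isp in self.isps.values():
            if addr in ipaddress.ip_network(isp.prefix):
                return isp
        return None


def failover_demo() -> Tuple[Xlate, Xlate]:
    asa = AsaPat([
        Isp("outside", "203.0.113.10", "203.0.113.0/28", metric=1),
        Isp("backup", "198.51.100.10", "198.51.100.0/28", metric=254),
    ])
    flow: FlowKey = ("10.1.1.5", 51000, "192.0.2.80", 443)  # constructed flow
    before = asa.translate(flow)           # session built via the primary
    asa.isps["outside"].reachable = False  # tracking removes the primary route
    after = asa.translate(flow)            # same inside flow after failover
    return before, after


def session_survives(before: Xlate, after: Xlate) -> bool:
    """A TCP session continues only if the peer still sees the same source."""
    return (before.global_ip, before.global_port) == (after.global_ip, after.global_port)


def reply_reaches_us(asa: AsaPat, global_ip: str) -> bool:
    """Replies arrive via whichever ISP owns the prefix, not via the egress used."""
    isp = asa.return_path(global_ip)
    return isp is not None and isp.reachable


def borrowed_prefix_demo() -> bool:
    """Backup interface numbered out of ISP1's /28: replies still route via ISP1."""
    asa = AsaPat([
        Isp("outside", "203.0.113.10", "203.0.113.0/28", metric=1),
        # backup interface wrongly addressed from ISP1's block (constructed case)
        Isp("backup", "203.0.113.11", "198.51.100.0/28", metric=254),
    ])
    asa.isps["outside"].reachable = False
    x = asa.translate(("10.1.1.5", 51001, "192.0.2.80", 443))
    return reply_reaches_us(asa, x.global_ip)


if __name__ == "__main__":
    b, a = failover_demo()
    print(f"before: {b.global_ip}:{b.global_port} via {b.egress}")
    print(f"after:  {a.global_ip}:{a.global_port} via {a.egress}")
    print("session survives failover:", session_survives(b, a))
    print("reply reaches us with borrowed /28:", borrowed_prefix_demo())
```

The model deliberately ignores the ASA's xlate timeouts and any "same-security" subtleties; its only purpose is to show why a stateful failover pair cannot help here. State replication keeps the translation table alive across units, but the translation itself is tied to the interface IP of the ISP that failed, so the peer's replies have nowhere valid to go until the client opens a new connection.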

