Static Route Tracking and Setting Up Inbound Connectivity
So I'm setting up an ASA active/standby pair running 7.2.2. The desired configuration is to have two internal networks ("DMZ1" and "DMZ2" in this discussion) and two ISP connections ("Outside1" and "Outside2" in this discussion).
"This configuration provides a relatively inexpensive way to ensure that outbound Internet access remains available to users behind the security appliance. As described in this document, this setup may not be suitable for inbound access to resources behind the security appliance. Advanced networking skills are required to achieve seamless inbound connections. These skills are not covered in this document."
Is there a way to make inbound connectivity work with two inbound connections setup like the example from the link above? From an inbound perspective, the ASA will be terminating VPN connectivity and doing some static translations to hosts on the "DMZ1" and "DMZ2" networks. The "Outside1" interface will be active unless it fails. I've got the tracking configured so that the default route moves to the "Outside2" interface if the primary connection fails. Is there any documentation on how to change the static translations and VPN setup to operate properly if this failover occurs?
Please let me know if I need to clarify any of my questions. Thanks,
Re: Static Route Tracking and Setting Up Inbound Connectivity
The static route tracking feature is applicable to the PIX 500 series / ASA 5500 series with software version 7.2(1) or later. For previous versions, the two Internet links need to be terminated on a router in front of the security appliance, and redundancy needs to be configured on the router because route tracking is not available in these versions.
Use this feature for redundancy or backup purposes only. Outgoing traffic uses the primary Internet service provider (ISP) and then the secondary ISP, if the primary fails.
Also, just duplicate your crypto map and apply it to the backup interface.
A better way would be to get 1 larger subnet and advertise out those routes via BGP out your Internet facing routers' connections. That way you would always be using the same external IPs. Connect that segment to a switch. Use something like HSRP, then you would not need the route tracking (FYI: there is a bug in 7.2.2 where route tracking fails after failover to the standby ASA, bug CSCsd51407). Or use OSPF and send the default route or any other route to the ASA.
If you can't do BGP or a single subnet, you could also move the NAT to the router level. Then the router would apply the NAT depending on the route it would take.
I find it better to keep the firewall as simple as possible. Move as much routing to the routers as you can.
So in this configuration, the ASA will use the static for the interface that it is sending traffic out? E.g. when the primary (outside) connection is working, it will use the (inside, outside) static, but if it fails over to the backup connection, it will use the (inside,backup) static. Is that correct? I guess it makes sense, but it didn't really click until I read what you wrote.
> A better way would be to get 1 larger subnet and advertise out those routes via BGP out your Internet
> facing routers' connections. That way you would always be using the same external IPs. Connect that
> segment to a switch. Use something like HSRP, then you would not need the route tracking (FYI: there
> is a bug in 7.2.2 where route tracking fails after failover to the standby ASA, bug CSCsd51407). Or use
> OSPF and send the default route or any other route to the ASA.
In an ideal world that is what I would be doing, but I can't on this particular project. Thanks for the FYI on the bug.
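To make the pieces of the thread concrete (tracked default route, a static translation per outside interface as the follow-up confirms, and the duplicated crypto map the first reply suggests), here is an added ASA 7.2-style configuration sketch. It is not from the original posts or from Cisco documentation; the interface names follow the thread ("Outside1", "Outside2", "DMZ1"), and every address, SLA/track number, ACL name, peer address and transform set is an assumed placeholder drawn from documentation ranges.

```text
! --- Reachability probe for the primary ISP (assumed: 203.0.113.1 is the Outside1 next hop)
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface Outside1
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability

! --- Primary default route is withdrawn when track 1 goes down; backup route (metric 254) then wins
route Outside1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route Outside2 0.0.0.0 0.0.0.0 198.51.100.1 254

! --- One static per outside interface for the same DMZ1 host (assumed: 10.1.1.10 is a web server)
! The ASA uses whichever static matches the interface the reply is routed out of.
static (DMZ1,Outside1) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
static (DMZ1,Outside2) 198.51.100.10 10.1.1.10 netmask 255.255.255.255

! --- Matching inbound ACLs, one per outside interface, scoped to the published port only
access-list Outside1_in extended permit tcp any host 203.0.113.10 eq 443
access-group Outside1_in in interface Outside1
access-list Outside2_in extended permit tcp any host 198.51.100.10 eq 443
access-group Outside2_in in interface Outside2

! --- Site-to-site VPN: identical crypto map applied to both outside interfaces
! (assumed peer 192.0.2.1, assumed interesting-traffic ACL vpn_acl)
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
access-list vpn_acl extended permit ip 10.1.1.0 255.255.255.0 10.9.9.0 255.255.255.0
crypto map Outside1_map 10 match address vpn_acl
crypto map Outside1_map 10 set peer 192.0.2.1
crypto map Outside1_map 10 set transform-set ESP-AES-SHA
crypto map Outside1_map interface Outside1
crypto map Outside2_map 10 match address vpn_acl
crypto map Outside2_map 10 set peer 192.0.2.1
crypto map Outside2_map 10 set transform-set ESP-AES-SHA
crypto map Outside2_map interface Outside2
crypto isakmp enable Outside1
crypto isakmp enable Outside2
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 pre-shared-key <placeholder-psk>
```

Two checks are worth running after a simulated primary failure: `show track 1` should report the tracked object as down, and `show route` should show only the Outside2 default route installed. The caveat the quoted Cisco text alludes to still applies: inbound clients and the remote VPN peer must already know the Outside2 address (198.51.100.10 and the Outside2 interface address here), so external DNS and the peer's configuration have to carry both addresses, and existing connections and tunnels are torn down and re-established rather than preserved across the failover.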