I have a scenario where I need to make the web server highly available if 1 internet link is down. The traffic should be diverted to the 2nd internet link. I have already spoken to my ISP to add one more public IP to the already available host entry. I have attached a jpg for basic understanding. Is there a way this thing can be accomplished?
Does the second ASA even have a connection to the server subnet? It is not shown in your diagram.
Are the ISP connections to two different ISPs?
If so the issue is inbound traffic. If you use two different public IPs for the same server you would have to publish those IPs into DNS. DNS would then round robin between them which is not what you want. Even if you did accept that, if the link to ISP1 fails then DNS has no way of knowing that address is no longer available and so continues to use it as well as the other one.
What you really need is to be able to advertise the same public IP to both ISPs but the ISP who does not own this block might not want to do that. But that still doesn't solve your problem because even if they did both links are then used which is not what you want.
If you peered with the ISP using BGP you could influence which route to take and make the primary connection preferred unless it went down, but looking at your diagram I don't think you are using BGP.
So I'm not sure the issue is so much with the ASAs as the addressing and ISPs together with the route you want traffic to take, i.e. primary if it is up and secondary if it is not.
So can you clarify -
1) are they two different ISPs
2) are you using BGP to peer with them
3) will the second ISP agree to advertising the first ISP's addresses.
I am assuming that your addressing is not provider independent.
If you are using two different IPs then you have the DNS issue I outlined in my previous post. It's not clear what ISP2 has agreed to, i.e. are the two addresses from the same ISP (ISP1) or are you saying that the original IP (10.10.10.1) will be advertised out of ISP2.
ISPs generally don't advertise host routes. Apologies for more questions but just to clarify -
1) which ISP owns 10.10.10.x addressing
2) which ISP owns 20.20.20.x addressing
3) what exactly has ISP2 agreed to
If ISP2 has agreed to advertise the 10.10.10.x addressing then because your ASAs are separate you could actually just use the 10.10.10.x address and have NAT statements on both ASAs for the same translation as they don't see each other. But the links would still both be used unless you can use BGP to prefer the primary link for that IP.
Additionally the web server would only have one default gateway so with the second ASA you would have to NAT all incoming source IPs to another IP (or subnet) and then have a route on the web server to send the traffic back to the second ASA.
ISP2 would have to advertise out the 10.10.10.x addressing for this to work and even then it wouldn't do as you wanted.
You only want to use the ISP2 address if the ISP1 link fails. The problems with this, just to clarify, are -
1) two DNS entries means that each link would be used at the same time. If one of the links fails DNS has no way of knowing this so it still hands out the failed address to DNS queries from internet clients. So half the connections would fail.
2) If you could get ISP2 to advertise your 10.10.10.x addressing you could use the same IP on both ASA devices and only have one DNS entry for the web server. Even then both links could be used.
The only way to make this work as you want really is to have ISP2 agree to advertise out ISP1's address range. You would also need ISP1 to advertise that specific subnet rather than include it in a summarised range, which is what ISPs do when they advertise further upstream. You then use BGP to advertise 10.10.10.x to both ISPs but you modify the attributes of the route advertised to ISP2 so that ISP1 is preferred unless the ISP1 link fails, and then the route via ISP2 will be used.
Note, if ISP2 did advertise out the 10.10.10.x range but ISP1 only advertised a summary address which included that range then all traffic would only use the ISP2 link, which is definitely not what you want.
And that is quite a lot of extra configuration etc. even if you could get the ISPs to agree to it and if you could setup BGP.
So I don't think this is practically possible for you.
I will have a reread of this and see if there is another approach and perhaps others on this forum can suggest other ways of doing this.
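To make the route-selection points in the replies above concrete, here is a small added model (not from the original thread or from Cisco) of how a router elsewhere on the internet would pick the path to the web server's public address. It covers the two-DNS-record design (where the resolver keeps handing out a dead address), the BGP design with AS-path prepending towards ISP2, and the caveat that a specific /24 from ISP2 beats a summary from ISP1 no matter how the BGP attributes are set. The AS numbers, prefix lengths and the summary range are constructed placeholders; the decision process is simplified to longest prefix match followed by shortest AS path.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder values: a private ASN for the web server's site
# and one for each ISP. Not the poster's real numbers.
CUSTOMER_AS = 65000
ISP1_AS, ISP2_AS = 65001, 65002


def best_path(routes, dst):
    """Return which ISP a remote router would forward traffic for dst through.

    routes: list of dicts with "prefix", "via" (ISP label) and "as_path".
    Longest prefix match is applied before any BGP attribute comparison;
    among equal-length prefixes the shortest AS path wins (simplified BGP).
    """
    dst = ip_address(dst)
    candidates = [r for r in routes if dst in ip_network(r["prefix"])]
    if not candidates:
        return None
    longest = max(ip_network(r["prefix"]).prefixlen for r in candidates)
    same_prefix = [r for r in candidates
                   if ip_network(r["prefix"]).prefixlen == longest]
    return min(same_prefix, key=lambda r: len(r["as_path"]))["via"]


def design_prepend(isp1_up=True):
    """BGP design from the thread: the site announces 10.10.10.0/24 to both
    ISPs and prepends its own ASN on the ISP2 session so ISP1 is preferred
    while its link is up. When the ISP1 link fails that path is withdrawn."""
    routes = []
    if isp1_up:
        routes.append({"prefix": "10.10.10.0/24", "via": "ISP1",
                       "as_path": [ISP1_AS, CUSTOMER_AS]})
    routes.append({"prefix": "10.10.10.0/24", "via": "ISP2",
                   "as_path": [ISP2_AS, CUSTOMER_AS, CUSTOMER_AS, CUSTOMER_AS]})
    return best_path(routes, "10.10.10.1")


def design_summary_only():
    """Caveat from the thread: ISP1 only announces a summary (placeholder
    10.10.0.0/16) that covers the site, while ISP2 announces the specific /24.
    Longest prefix match sends every packet via ISP2 even with prepending."""
    routes = [
        {"prefix": "10.10.0.0/16", "via": "ISP1", "as_path": [ISP1_AS]},
        {"prefix": "10.10.10.0/24", "via": "ISP2",
         "as_path": [ISP2_AS, CUSTOMER_AS, CUSTOMER_AS, CUSTOMER_AS]},
    ]
    return best_path(routes, "10.10.10.1")


def dns_round_robin_failures(addresses, reachable, clients=100):
    """Two-A-record design: DNS rotates through both addresses and has no
    idea one link is down, so every client handed the dead address fails.
    Returns the number of failed connection attempts."""
    failed = 0
    for i in range(clients):
        if addresses[i % len(addresses)] not in reachable:
            failed += 1
    return failed


if __name__ == "__main__":
    print("BGP + prepend, ISP1 up:  ", design_prepend(True))
    print("BGP + prepend, ISP1 down:", design_prepend(False))
    print("ISP1 summary only:       ", design_summary_only())
    print("DNS round robin, ISP1 down, failed clients out of 100:",
          dns_round_robin_failures(["10.10.10.1", "20.20.20.1"],
                                   reachable={"20.20.20.1"}))
```

Running it shows the three outcomes the replies describe: with prepending and both links up, traffic lands on ISP1 and moves to ISP2 only when the ISP1 path disappears; with ISP1 announcing only a summary, ISP2 carries everything; and with two DNS records, about half the clients fail once one link is down.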