Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
2995
Views
0
Helpful
1
Comments

Configuring Redundancy Primary/Backup mode of internet links (ILL/PPPOE broadband) on Cisco ASA

Dilip Kumar Pandey
Level 1
Level 1

‎09-26-2010 11:43 PM - edited ‎03-08-2019 06:36 PM

I am posting an article for circuit redundancy used in working scenario.

Cisco ASA 5505 - Version 8.2(1).

ASA's three Fast Ethernet interfaces have been connected, each one for ISP1, ISP2 and customer LAN.

ASA is connected with two Internet circuits.

Primary as internet lease line (ILL) with static IP connected to ISP1.

Backup as PPPOE broadband with dynamic IP address connected to ISP2.

You can configure both circuits to work in Primary/backup mode using Cisco SLA monitor services and static route.

JETRO_Chennai.jpg

: Saved

:

ASA Version 8.2(1)

!

hostname ASA5505

enable password XXXXXX encrypted

passwd XXXXXXX encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 115.X.X.2 255.255.255.252

!

interface Vlan3

nameif bsnl-backup

security-level 1

pppoe client vpdn group BSNL_Backup

pppoe client route distance 200

ip address pppoe setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport access vlan 3

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system disk0:/asa821-k8.bin

ftp mode passive

clock timezone IST 5 30

object-group service DM_INLINE_SERVICE_1

service-object icmp

service-object udp

service-object tcp

service-object tcp eq ftp

service-object tcp eq www

service-object tcp eq https

service-object tcp eq pop3

service-object tcp eq smtp

service-object tcp eq ssh

service-object udp eq www

service-object ip

service-object udp eq ntp

service-object icmp echo

service-object icmp echo-reply

service-object udp eq echo

service-object icmp traceroute

object-group service test

service-object ip

service-object icmp

service-object pim

service-object pcp

service-object snp

service-object udp

service-object igmp

service-object ipinip

service-object gre

service-object esp

service-object ah

service-object icmp6

service-object tcp

service-object eigrp

service-object ospf

service-object igrp

service-object nos

service-object icmp alternate-address

service-object icmp conversion-error

service-object icmp echo

service-object icmp echo-reply

service-object icmp information-reply

service-object icmp information-request

service-object icmp mask-reply

service-object icmp mask-request

service-object icmp mobile-redirect

service-object icmp parameter-problem

service-object icmp redirect

service-object icmp router-advertisement

service-object icmp router-solicitation

service-object icmp source-quench

service-object icmp time-exceeded

service-object icmp timestamp-reply

service-object icmp timestamp-request

service-object icmp traceroute

service-object icmp unreachable

service-object icmp6 echo

service-object icmp6 echo-reply

service-object icmp6 membership-query

service-object icmp6 membership-reduction

service-object icmp6 membership-report

service-object icmp6 neighbor-advertisement

service-object icmp6 neighbor-redirect

service-object icmp6 neighbor-solicitation

service-object icmp6 packet-too-big

service-object icmp6 parameter-problem

service-object icmp6 router-advertisement

service-object icmp6 router-renumbering

service-object icmp6 router-solicitation

service-object icmp6 time-exceeded

service-object icmp6 unreachable

service-object tcp-udp eq cifs

service-object tcp-udp eq discard

service-object tcp-udp eq domain

service-object tcp-udp eq echo

service-object tcp-udp eq www

service-object tcp-udp eq kerberos

service-object tcp-udp eq nfs

service-object tcp-udp eq pim-auto-rp

service-object tcp-udp eq sip

service-object tcp-udp eq sunrpc

service-object tcp-udp eq tacacs

service-object tcp-udp eq talk

service-object tcp eq aol

service-object tcp eq bgp

service-object tcp eq chargen

service-object tcp eq cifs

service-object tcp eq citrix-ica

service-object tcp eq ctiqbe

service-object tcp eq daytime

service-object tcp eq discard

service-object tcp eq domain

service-object tcp eq echo

service-object tcp eq exec

service-object tcp eq finger

service-object tcp eq ftp

service-object tcp eq ftp-data

service-object tcp eq gopher

service-object tcp eq h323

service-object tcp eq hostname

service-object tcp eq www

service-object tcp eq https

service-object tcp eq ident

service-object tcp eq imap4

service-object tcp eq irc

service-object tcp eq kerberos

service-object tcp eq klogin

service-object tcp eq kshell

service-object tcp eq ldap

service-object tcp eq ldaps

service-object tcp eq login

service-object tcp eq lotusnotes

service-object tcp eq lpd

service-object tcp eq netbios-ssn

service-object tcp eq nfs

service-object tcp eq nntp

service-object tcp eq pcanywhere-data

service-object tcp eq pim-auto-rp

service-object tcp eq pop2

service-object tcp eq pop3

service-object tcp eq pptp

service-object tcp eq rsh

service-object tcp eq rtsp

service-object tcp eq sip

service-object tcp eq smtp

service-object tcp eq sqlnet

service-object tcp eq ssh

service-object tcp eq sunrpc

service-object tcp eq tacacs

service-object tcp eq talk

service-object tcp eq telnet

service-object tcp eq uucp

service-object tcp eq whois

service-object udp eq biff

service-object udp eq bootpc

service-object udp eq bootps

service-object udp eq cifs

service-object udp eq discard

service-object udp eq dnsix

service-object udp eq domain

service-object udp eq echo

service-object udp eq www

service-object udp eq isakmp

service-object udp eq kerberos

service-object udp eq mobile-ip

service-object udp eq nameserver

service-object udp eq netbios-dgm

service-object udp eq netbios-ns

service-object udp eq nfs

service-object udp eq ntp

service-object udp eq pcanywhere-status

service-object udp eq pim-auto-rp

service-object udp eq radius

service-object udp eq radius-acct

service-object udp eq rip

service-object udp eq secureid-udp

service-object udp eq sip

service-object udp eq snmp

service-object udp eq snmptrap

service-object udp eq sunrpc

service-object udp eq syslog

service-object udp eq tacacs

service-object udp eq talk

service-object udp eq tftp

service-object udp eq time

service-object udp eq who

service-object udp eq xdmcp

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 192.168.1.0 255.255.255.0 any

access-list inside_nat_outbound extended permit ip 192.168.1.0 255.255.255.0 any

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu bsnl-backup 1494

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

global (bsnl-backup) 1 interface

nat (inside) 1 access-list inside_nat_outbound

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 115.x.x.1 1 track 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sla monitor 1

type echo protocol ipIcmpEcho 115.x.x.1 interface outside

timeout 3000

frequency 10

sla monitor schedule 1 life forever start-time now

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

!

track 1 rtr 1 reachability

telnet timeout 5

ssh timeout 5

console timeout 0

vpdn group BSNL_Backup request dialout pppoe

vpdn group BSNL_Backup localname xxxxxxx (hostname/username given by ISP)

vpdn group BSNL_Backup ppp authentication chap

vpdn username xxxxxxx password *********  ((hostname/username given by ISP))

dhcpd dns 202.x.x.1 202.x.x.2

dhcpd auto_config outside

!

dhcpd address 192.168.1.10-192.168.1.254 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username admin password xxxxxxxxx encrypted

!

class-map global-class

match default-inspection-traffic

!

!

policy-map global_policy

policy-map global-policy

class global-class

  inspect dns

  inspect ftp

  inspect http

  inspect icmp

  inspect icmp error

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect sip

  inspect snmp

  inspect tftp

!

service-policy global-policy global

prompt hostname context

Cryptochecksum:cf3669d79549fb6b79e3bdd155d4c018

: end

Labels:
0 Helpful
Comments
Janel Kratky
Cisco Employee
Cisco Employee
‎09-29-2010 09:06 AM

Hi Dilip,

Thanks for posting the circuit redundancy document in the Cisco Tech Doc Ideas discussion forum.

We have forwarded it to the Security doc team. In the Cisco Support Community, there are other communities where your document may be a greater benefit to the subscribers because they are focused on a specific technology and/or product.

In order to view all of the available communities, navigate to the Cisco Support Community Home page. Your document may best fit under SecurityFirewalling > Documents. You’ll see that within theFirewalling community the same tabs at the top of the page appear and you couldadd your article to the Documents tab.

Here’s the direct link to the Firewalling communitydocuments tab:

https://supportforums.cisco.com/community/netpro/security/firewall?view=documents

Thanks,

Janel Kratky

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents