09-26-2010 11:43 PM - edited 03-08-2019 06:36 PM
I am posting an article on circuit redundancy used in a working scenario.
Cisco ASA 5505 - Version 8.2(1).
Three of the ASA's Fast Ethernet interfaces have been connected, one each for ISP1, ISP2 and the customer LAN.
The ASA is connected to two Internet circuits.
Primary: an Internet leased line (ILL) with a static IP, connected to ISP1.
Backup: PPPoE broadband with a dynamic IP address, connected to ISP2.
You can configure both circuits to work in primary/backup mode using the Cisco SLA monitor service and static routes.
: Saved
:
ASA Version 8.2(1)
!
hostname ASA5505
enable password XXXXXX encrypted
passwd XXXXXXX encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 115.X.X.2 255.255.255.252
!
interface Vlan3
nameif bsnl-backup
security-level 1
pppoe client vpdn group BSNL_Backup
pppoe client route distance 200
ip address pppoe setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone IST 5 30
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object udp
service-object tcp
service-object tcp eq ftp
service-object tcp eq www
service-object tcp eq https
service-object tcp eq pop3
service-object tcp eq smtp
service-object tcp eq ssh
service-object udp eq www
service-object ip
service-object udp eq ntp
service-object icmp echo
service-object icmp echo-reply
service-object udp eq echo
service-object icmp traceroute
object-group service test
service-object ip
service-object icmp
service-object pim
service-object pcp
service-object snp
service-object udp
service-object igmp
service-object ipinip
service-object gre
service-object esp
service-object ah
service-object icmp6
service-object tcp
service-object eigrp
service-object ospf
service-object igrp
service-object nos
service-object icmp alternate-address
service-object icmp conversion-error
service-object icmp echo
service-object icmp echo-reply
service-object icmp information-reply
service-object icmp information-request
service-object icmp mask-reply
service-object icmp mask-request
service-object icmp mobile-redirect
service-object icmp parameter-problem
service-object icmp redirect
service-object icmp router-advertisement
service-object icmp router-solicitation
service-object icmp source-quench
service-object icmp time-exceeded
service-object icmp timestamp-reply
service-object icmp timestamp-request
service-object icmp traceroute
service-object icmp unreachable
service-object icmp6 echo
service-object icmp6 echo-reply
service-object icmp6 membership-query
service-object icmp6 membership-reduction
service-object icmp6 membership-report
service-object icmp6 neighbor-advertisement
service-object icmp6 neighbor-redirect
service-object icmp6 neighbor-solicitation
service-object icmp6 packet-too-big
service-object icmp6 parameter-problem
service-object icmp6 router-advertisement
service-object icmp6 router-renumbering
service-object icmp6 router-solicitation
service-object icmp6 time-exceeded
service-object icmp6 unreachable
service-object tcp-udp eq cifs
service-object tcp-udp eq discard
service-object tcp-udp eq domain
service-object tcp-udp eq echo
service-object tcp-udp eq www
service-object tcp-udp eq kerberos
service-object tcp-udp eq nfs
service-object tcp-udp eq pim-auto-rp
service-object tcp-udp eq sip
service-object tcp-udp eq sunrpc
service-object tcp-udp eq tacacs
service-object tcp-udp eq talk
service-object tcp eq aol
service-object tcp eq bgp
service-object tcp eq chargen
service-object tcp eq cifs
service-object tcp eq citrix-ica
service-object tcp eq ctiqbe
service-object tcp eq daytime
service-object tcp eq discard
service-object tcp eq domain
service-object tcp eq echo
service-object tcp eq exec
service-object tcp eq finger
service-object tcp eq ftp
service-object tcp eq ftp-data
service-object tcp eq gopher
service-object tcp eq h323
service-object tcp eq hostname
service-object tcp eq www
service-object tcp eq https
service-object tcp eq ident
service-object tcp eq imap4
service-object tcp eq irc
service-object tcp eq kerberos
service-object tcp eq klogin
service-object tcp eq kshell
service-object tcp eq ldap
service-object tcp eq ldaps
service-object tcp eq login
service-object tcp eq lotusnotes
service-object tcp eq lpd
service-object tcp eq netbios-ssn
service-object tcp eq nfs
service-object tcp eq nntp
service-object tcp eq pcanywhere-data
service-object tcp eq pim-auto-rp
service-object tcp eq pop2
service-object tcp eq pop3
service-object tcp eq pptp
service-object tcp eq rsh
service-object tcp eq rtsp
service-object tcp eq sip
service-object tcp eq smtp
service-object tcp eq sqlnet
service-object tcp eq ssh
service-object tcp eq sunrpc
service-object tcp eq tacacs
service-object tcp eq talk
service-object tcp eq telnet
service-object tcp eq uucp
service-object tcp eq whois
service-object udp eq biff
service-object udp eq bootpc
service-object udp eq bootps
service-object udp eq cifs
service-object udp eq discard
service-object udp eq dnsix
service-object udp eq domain
service-object udp eq echo
service-object udp eq www
service-object udp eq isakmp
service-object udp eq kerberos
service-object udp eq mobile-ip
service-object udp eq nameserver
service-object udp eq netbios-dgm
service-object udp eq netbios-ns
service-object udp eq nfs
service-object udp eq ntp
service-object udp eq pcanywhere-status
service-object udp eq pim-auto-rp
service-object udp eq radius
service-object udp eq radius-acct
service-object udp eq rip
service-object udp eq secureid-udp
service-object udp eq sip
service-object udp eq snmp
service-object udp eq snmptrap
service-object udp eq sunrpc
service-object udp eq syslog
service-object udp eq tacacs
service-object udp eq talk
service-object udp eq tftp
service-object udp eq time
service-object udp eq who
service-object udp eq xdmcp
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 192.168.1.0 255.255.255.0 any
access-list inside_nat_outbound extended permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu bsnl-backup 1494
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (bsnl-backup) 1 interface
nat (inside) 1 access-list inside_nat_outbound
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 115.x.x.1 1 track 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 1
type echo protocol ipIcmpEcho 115.x.x.1 interface outside
timeout 3000
frequency 10
sla monitor schedule 1 life forever start-time now
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
track 1 rtr 1 reachability
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group BSNL_Backup request dialout pppoe
vpdn group BSNL_Backup localname xxxxxxx (hostname/username given by ISP)
vpdn group BSNL_Backup ppp authentication chap
vpdn username xxxxxxx password ********* (hostname/username given by ISP)
dhcpd dns 202.x.x.1 202.x.x.2
dhcpd auto_config outside
!
dhcpd address 192.168.1.10-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password xxxxxxxxx encrypted
!
class-map global-class
match default-inspection-traffic
!
!
policy-map global_policy
policy-map global-policy
class global-class
inspect dns
inspect ftp
inspect http
inspect icmp
inspect icmp error
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect snmp
inspect tftp
!
service-policy global-policy global
prompt hostname context
Cryptochecksum:cf3669d79549fb6b79e3bdd155d4c018
: end
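As an added example (not part of the post above), a Python check that reads the SLA monitor, track and route lines from a config like the one posted and verifies that the primary/backup chain is actually wired: the tracked default route points at an existing track, the track at a scheduled SLA probe, and the PPPoE backup route carries a higher administrative distance than the primary. It also flags the caveat that probing the directly connected ISP gateway will not detect an outage further upstream. ASA_CONFIG is a constructed excerpt of the posted config, with the ISP addresses masked as in the post.

```python
import re

# Constructed excerpt of the redundancy-related lines from the posted ASA 5505
# config (ISP addresses masked as in the post); sample input, not a live device.
ASA_CONFIG = """\
interface Vlan3
 nameif bsnl-backup
 pppoe client route distance 200
 ip address pppoe setroute
route outside 0.0.0.0 0.0.0.0 115.x.x.1 1 track 1
sla monitor 1
 type echo protocol ipIcmpEcho 115.x.x.1 interface outside
 timeout 3000
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
"""

def audit_failover(config):
    """Check route -> track -> sla monitor wiring and the backup route distance.
    Returns {"wired": bool, "warnings": [...], distances when found}."""
    out = {"wired": False, "warnings": []}
    route = re.search(r"^route \S+ 0\.0\.0\.0 0\.0\.0\.0 (\S+) (\d+) track (\d+)", config, re.M)
    if not route:
        out["warnings"].append("no tracked default route found")
        return out
    gateway, track_id = route.group(1), route.group(3)
    out["primary_distance"] = int(route.group(2))
    # track id -> rtr (sla monitor) id, sla id -> ICMP probe target, scheduled sla ids
    tracks = dict(re.findall(r"^track (\d+) rtr (\d+) reachability", config, re.M))
    slas = dict(re.findall(r"^sla monitor (\d+)\n\s+type echo protocol ipIcmpEcho (\S+)", config, re.M))
    scheduled = set(re.findall(r"^sla monitor schedule (\d+) ", config, re.M))
    rtr_id = tracks.get(track_id)
    target = slas.get(rtr_id)
    if rtr_id is None or target is None:
        out["warnings"].append("route track %s has no matching track / sla monitor" % track_id)
        return out
    if rtr_id not in scheduled:
        out["warnings"].append("sla monitor %s is never scheduled, so it never probes" % rtr_id)
    out["wired"] = True
    # The PPPoE setroute default route uses distance 1 unless 'route distance' is set.
    backup = re.search(r"^\s*pppoe client route distance (\d+)", config, re.M)
    out["backup_distance"] = int(backup.group(1)) if backup else 1
    if out["backup_distance"] <= out["primary_distance"]:
        out["warnings"].append("backup route distance must exceed the primary's, or both routes compete")
    if target == gateway:
        out["warnings"].append("probe target is the directly connected ISP gateway; an outage upstream of it will not trigger failover")
    return out
```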
Hi Dilip,
Thanks for posting the circuit redundancy document in the Cisco Tech Doc Ideas discussion forum.
We have forwarded it to the Security doc team. In the Cisco Support Community, there are other communities where your document may be a greater benefit to the subscribers because they are focused on a specific technology and/or product.
In order to view all of the available communities, navigate to the Cisco Support Community Home page. Your document may best fit under Security > Firewalling > Documents. You'll see that within the Firewalling community the same tabs at the top of the page appear and you could add your article to the Documents tab.
Here's the direct link to the Firewalling community documents tab:
https://supportforums.cisco.com/community/netpro/security/firewall?view=documents
Thanks,
Janel Kratky