Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1212
Views
0
Helpful
5
Replies

ASA Failover

Go to solution
paulohenirque
Level 1
Level 1

‎07-13-2012 12:24 PM - edited ‎03-04-2019 04:57 PM

Dear Friends ,

Im trying to configure a cisco asa failover , here is my scenario .

OUTSIDE - 10.10.10.2 + DEFAULT ROUTE TO 10.10.10.1

BACKUP -  192.168.0.2 + DEFAULT ROUTE TO 192.168.0.1

INSIDE 172.16/12

In my OUTSIDE interface are all my firewall rules , the backup interface is rule empty , so when outside interface goes down i delete my backup interface and configure 192.168.0.2 in my outside interface and change default route to 192.168.0.1 , so i wont need to copy and paste the fw rules from my outside interface to my backup interface .

So is it possible to configure a failover with only 1 asa device ? And if so , how to i replicate my outside rules to the backup interface rules ?

Thanks in advance .

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
manish arora
Level 6
Level 6

‎07-13-2012 01:47 PM

You will create two interface 1> outside & 2> Outside2 , apply the same access list on both the interface using access-group command, Now follow the instruction in the link below to set IP SLA on the asa so that the default routes switches automagically as well :-

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_examples.html#wp1057935

Note : The static Nat using ISP ip's from outside will not work when Outside2 becames active during a connection Failure.

Thank you

Manish

View solution in original post

0 Helpful

Go to solution
manish arora
Level 6
Level 6
In response to paulohenirque

‎07-17-2012 06:17 PM

Hi Paulo,

The dynamic NAT rules can be adjusted in the following way to accomodate IPSLA failover, :-

global (inside) 1 interface

global (outside2) 1 interface

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

The above configuration will automatically change the external PAT ip address based on the active interface ip address.

The Static Nat will have issues, either you can create Two different static Nat using IPs from both providers or risk lossing traffic to the Static Nat devices. If you need that high level uptime than you should get your own IPs from ARIN , start doing BGP with two providers.

Manish

View solution in original post

0 Helpful
5 Replies 5

Go to solution
manish arora
Level 6
Level 6

‎07-13-2012 01:47 PM

You will create two interface 1> outside & 2> Outside2 , apply the same access list on both the interface using access-group command, Now follow the instruction in the link below to set IP SLA on the asa so that the default routes switches automagically as well :-

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_examples.html#wp1057935

Note : The static Nat using ISP ip's from outside will not work when Outside2 becames active during a connection Failure.

Thank you

Manish

0 Helpful

Go to solution
paulohenirque
Level 1
Level 1
In response to manish arora

‎07-16-2012 05:31 AM

Thank you for your quick answer i'll try that .

0 Helpful

Go to solution
paulohenirque
Level 1
Level 1
In response to paulohenirque

‎07-17-2012 12:44 PM

Hey ,

I managed to get it to work , but what about my dynamic nat rule wich translate my inside address trough the outside interface , and my static nat rules also in my outside interface .

Thanks ,

0 Helpful

Go to solution
manish arora
Level 6
Level 6
In response to paulohenirque

‎07-17-2012 06:17 PM

Hi Paulo,

The dynamic NAT rules can be adjusted in the following way to accomodate IPSLA failover, :-

global (inside) 1 interface

global (outside2) 1 interface

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

The above configuration will automatically change the external PAT ip address based on the active interface ip address.

The Static Nat will have issues, either you can create Two different static Nat using IPs from both providers or risk lossing traffic to the Static Nat devices. If you need that high level uptime than you should get your own IPs from ARIN , start doing BGP with two providers.

Manish

0 Helpful

Go to solution
paulohenirque
Level 1
Level 1
In response to manish arora

‎07-23-2012 06:28 AM

Hey Manish ,

Thanks for your reply , i do have 3 netblocks /24 but they all came trough the same ISP but with different routes and i also need uptime , thanks for your configure example and the explanation .

Cheers ,

Paulo

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card