IP SLA

Gerard Gacusan
Level 1

here's the scenario:

STATIC NAT ON ASA:

Host A - 172.16.205.68 -> 10.10.1.50

Host B - 172.16.202.98 -> 10.10.1.51

All traffic except these 2 hosts above (example) goes via RTR-2. Now, if RTR-2 goes down, fail over to RTR-1.

Hosts A and B will use RTR-1 as their primary route. Now, if RTR-1 goes down, fail over to RTR-2.

My IP SLA monitor is on the ASA-Firewall.

route outside 0.0.0.0 0.0.0.0 10.10.1.1 1 track 1
route outside 0.0.0.0 0.0.0.0 10.10.1.3 254
sla monitor 1
 type echo protocol ipIcmpEcho 63.75.29.125 interface outside
 num-packets 3
 timeout 300
 frequency 3
sla monitor schedule 1 life forever start-time now
service resetoutside
!
track 1 rtr 1 reachability

IP PBR is on the RTR-2:

interface FastEthernet0/0
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map serverapps
 duplex auto
 speed auto
!
access-list 1 permit 10.10.1.0 0.0.0.255
access-list 2 permit 10.10.1.50
access-list 3 permit 10.10.1.51
!
route-map serverapps permit 100
 match ip address 2 3
 set ip next-hop 10.10.1.3

RTR-2 ROUTING:

router ospf 1
 router-id 10.10.1.1
 log-adjacency-changes
 network 10.10.1.0 0.0.0.255 area 10
!
ip route 0.0.0.0 0.0.0.0 63.75.29.125

RTR-1 ROUTING:

router ospf 1
 router-id 10.10.1.3
 log-adjacency-changes
 network 10.10.1.0 0.0.0.255 area 10
!
ip route 0.0.0.0 0.0.0.0 151.131.141.205

I got RTR-2 to RTR-1 SLA working but not RTR-1 to RTR-2. If RTR-1 goes down, it should fail over to RTR-2 ...

4 Replies

tdrais
Level 7

If I read this correctly, the firewall will send all the traffic to router 2 as long as router 2's connection is functional, and router 2 will send all the traffic it does not want to process to router 1.

Kind of a different solution to the problem, but it mostly works.

The only traffic that ever gets to router 1 in the normal case is coming from router 2. What you need to do is have router 2 track router 1's internet connection and not policy route if it's down. This is done with the reachability option and the track option on the policy route statement.

That is correct, the firewall sends all traffic to router-2. I need the scenario below.

router-1 - critical applications

backup route: router-2

router-2 - non-critical applications

backup route: router-1

The more common solution would be to do the policy routing for the critical apps on the firewall, but I don't know if the ASA can use the track options on policy routing.

Since you have this much working, just add the track to your policy route on router 2 and it will all work. You already know how to do the hard part, which is creation of the track object.

The only issue would be to make sure rtr 2 knows how to get to rtr 1's internet provider via your internal network rather than the internet, but you could monitor via the internet if you really wanted to.
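The tracked policy route that tdrais describes, written out for RTR-2 as an added example (not configuration from anyone in this thread): an IP SLA probe to RTR-1's upstream gateway 151.131.141.205 (taken from RTR-1's default route above), a host route so the probe leaves via RTR-1 over the internal segment rather than RTR-2's own default route, and `verify-availability ... track` on the existing route-map so the critical hosts fall through to RTR-2's normal routing when the track is down. The sla and track numbers are chosen here, and it assumes RTR-1 NATs traffic sourced from 10.10.1.0/24, which it already must do for hosts A and B.

```cisco
! RTR-2: probe RTR-1's ISP gateway (151.131.141.205, from RTR-1's default route).
! Numbers for the sla and track objects are chosen for this example.
ip sla 1
 icmp-echo 151.131.141.205 source-interface FastEthernet0/0
 frequency 5
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
! Host route so the probe goes 10.10.1.1 -> 10.10.1.3 (RTR-1) -> ISP gateway,
! not out RTR-2's own default route via 63.75.29.125, which would test the wrong path.
! Assumes RTR-1 NATs 10.10.1.0/24 sources, as it must for hosts A and B.
ip route 151.131.141.205 255.255.255.255 10.10.1.3
!
! Same match as the original route-map, but the next hop is only used while
! track 1 is up; when it fails, ACL 2/3 traffic uses RTR-2's normal routing table.
route-map serverapps permit 100
 match ip address 2 3
 set ip next-hop verify-availability 10.10.1.3 10 track 1
```

Check the state with `show track 1` and `show ip sla statistics 1`; when RTR-1 or its ISP link goes down the track reports Down and `show route-map serverapps` shows the next hop no longer being applied.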

not work
