07-14-2008 07:37 AM - edited 03-03-2019 10:42 PM
here's the scenario:
STATIC NAT ON ASA:
Host A - 172.16.205.68 -> 10.10.1.50
Host B - 172.16.202.98 -> 10.10.1.51
All traffic except that of these 2 hosts above (example) goes via RTR-2. Now, if RTR-2 goes down, fail over to RTR-1.
Host A and B will use RTR-1 as their primary route. Now, if RTR-1 goes down, fail over to RTR-2.
My IP SLA monitor is on the ASA-Firewall.
route outside 0.0.0.0 0.0.0.0 10.10.1.1 1 track 1
route outside 0.0.0.0 0.0.0.0 10.10.1.3 254
sla monitor 1
type echo protocol ipIcmpEcho 63.75.29.125 interface outside
num-packets 3
timeout 300
frequency 3
sla monitor schedule 1 life forever start-time now
service resetoutside
!
track 1 rtr 1 reachability
IP PBR is on the RTR-2:
interface FastEthernet0/0
ip address 10.10.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map serverapps
duplex auto
speed auto
access-list 1 permit 10.10.1.0 0.0.0.255
access-list 2 permit 10.10.1.50
access-list 3 permit 10.10.1.51
!
route-map serverapps permit 100
match ip address 2 3
set ip next-hop 10.10.1.3
RTR-2 ROUTING:
router ospf 1
router-id 10.10.1.1
log-adjacency-changes
network 10.10.1.0 0.0.0.255 area 10
!
ip route 0.0.0.0 0.0.0.0 63.75.29.125
RTR-1 ROUTING:
router ospf 1
router-id 10.10.1.3
log-adjacency-changes
network 10.10.1.0 0.0.0.255 area 10
ip route 0.0.0.0 0.0.0.0 151.131.141.205
I got the RTR-2 to RTR-1 SLA working but not RTR-1 to RTR-2. If RTR-1 goes down, it should fail over to RTR-2 ...
07-14-2008 08:48 AM
If I read this correctly, the firewall will send all the traffic to router 2 as long as router 2's connection is functional, and router 2 will send all the traffic it does not want to process to router 1.
Kinda a different solution to the problem, but it works mostly.
The only traffic that ever gets to router 1 in the normal case is coming from router 2. What you need to do is have router 2 track router 1's internet connection and not policy route if it's down. This is done with the reachability option and the track option on the policy route statement.
07-14-2008 09:06 AM
That is correct, firewall sends all traffic to router-2. I need this scenario below.
router-1 - critical applications
backup route: router-2
router-2 - non-critical applications
backup route: router-1
07-14-2008 09:16 AM
The more common solution would be to do the policy routing for the critical apps on the firewall but I don't know if the ASA can use the track options on policy routing.
Since you have this much working just add the track to your policy route on router 2 and it will all work. You already know how to do the hard part which is creation of the track object.
The only issue would be to make sure rtr 2 knows how to get to rtr 1's internet provider via your internal network rather than the internet, but you could monitor via the internet if you really wanted to.
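As an added example (not the poster's or the replier's config), this is what the tracked policy route on RTR-2 could look like: the route-map name, ACLs 2 and 3, the next hop 10.10.1.3 and RTR-1's ISP next hop 151.131.141.205 come from the thread above, while the object number 2, the probe timers and the host route that steers the probe over the LAN are assumptions.

```cisco
! Added example, not configuration from the thread. RTR-2 policy-routes the
! critical hosts to RTR-1 only while RTR-1's internet next hop answers pings.
! Object id 2, the timers and the probe host route are assumed values.
!
! Probe RTR-1's ISP next hop. Older IOS (before 12.4(4)T) uses the
! "ip sla monitor 2" / "type echo protocol ipIcmpEcho" syntax instead.
ip sla 2
 icmp-echo 151.131.141.205 source-interface FastEthernet0/0
 frequency 5
 timeout 1000
ip sla schedule 2 life forever start-time now
!
! Send the probe to RTR-1 across the LAN. Without this host route RTR-2 would
! forward it out its own default route and never notice RTR-1's link failing.
ip route 151.131.141.205 255.255.255.255 10.10.1.3
!
! Track object (older IOS: "track 2 rtr 2 reachability"). The delays damp
! flapping so a single lost probe does not bounce the critical hosts around.
track 2 ip sla 2 reachability
 delay down 10 up 30
!
! ACLs 2 and 3 already match 10.10.1.50 and 10.10.1.51. With
! verify-availability + track, the set clause is skipped while track 2 is
! down and the packet falls through to RTR-2's normal default route.
route-map serverapps permit 100
 match ip address 2 3
 set ip next-hop verify-availability 10.10.1.3 1 track 2
!
interface FastEthernet0/0
 ip policy route-map serverapps
```

Check the state with "show track 2" and "show ip sla statistics 2"; when the track reports DOWN, "show route-map serverapps" should still count matches, but the traffic now follows RTR-2's own default.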
07-14-2008 01:36 PM
Does not work.