topic Re: Dual ISP failover on ASA in Network Security

Dual ISP failover on ASA

lukecr-01 — Fri, 21 Feb 2020 16:11:50 GMT

Hi,

I have a client that has 2 ISPs and would like to use ISP1 for employees and ISP2 for guests. At the same time, he would like to have internet failover for both employees and guests.

So, under normal conditions, employee's subnet should use ISP1 and guest's subnet should use ISP2. In the case of a services interruption by ISP1, the employee's subnet will need to use ISP2. In the case of a service interruption ISP2, the guest's subnet will need to use ISP1.

Below is the current design:

Employees ISP1

\ /

/ \

Guests ISP2

I'm wondering if there is a way to use tacking to tell the ASA to which public IP address it should translate, ISP1 or ISP2? How could I be able to achieve these requirements?

Any help will be greatly appreciated!

Re: Dual ISP failover on ASA

Ajay Saini — Wed, 05 Sep 2018 03:47:46 GMT

Hello,

If you are running one of the supported versions i.e. 9.4.x and above, you can use PBR feature to route the traffic based on source subnet/ip.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/general/asa-94-general-config/route-policy-based.pdf

For your second condition for ISP interruption, you can use the sla tracking option which is again discussed in the document. Basically, it means ASA is going to track the particular ISP before sending the packets over. Multiple "set ip next-hop verify-availability" commands can be added. Please test it out before rolling in production, if its not currently.

Regards,

Re: Dual ISP failover on ASA

lukecr-01 — Wed, 05 Sep 2018 16:01:58 GMT

Hi AJ,

Thanks for your quick response.

The part that I'm having a hard time wrapping my head around is NAT. Under normal conditions the employee's subnet would need to be translated to ISP1 (AT&T) public IP address, and the guest's subnet to ISP2 (Cox) public IP. If either ISP fails, let's say ISP1, the employee's subnet then needs to get translated to ISP2 public address. How is the NATing handled when either ISP fails? If inside traffic is not translated to the public IP address of the ISP that is still operational, packets will be dropped by the ISP.

The current design the client has in place does not provide failover. It simply routes guest traffic though ISP2.

Attached is a network diagram for lab testing purposes. So the IP addresses are different than the real ones.

Again, I really appreciate the help!

Re: Dual ISP failover on ASA

Joel — Thu, 06 Sep 2018 11:11:59 GMT

Hi,

Routing is done before NAT. What I have done is created the below object NAT statement, change names to suit yours. Note both guest and corporate would NAT to the outside interface IP address.

object network NAT-BACKUP-ISP
subnet x.x.x.x x.x.x.x
nat (inside,backup-isp) dynamic interface
object network NAT-PRIMARY-ISP
subnet x.x.x.x x.x.x.x
nat (inside,primary-isp) dynamic interface

If the subnets are vastly different between corporate and guest i.e. can't summarize. Duplicate the above i.e.

For Guest

object network NAT-GUEST-BACKUP-ISP
subnet x.x.x.x x.x.x.x
nat (guest,backup-isp) dynamic interface
object network NAT-GUEST-PRIMARY-ISP
subnet x.x.x.x x.x.x.x
nat (guest,primary-isp) dynamic interface

For Corporate

object network NAT-CORPORATE-BACKUP-ISP
subnet x.x.x.x x.x.x.x
nat (inside,backup-isp) dynamic interface
object network NAT-CORPORATE-PRIMARY-ISP
subnet x.x.x.x x.x.x.x

nat (inside,backup-isp) dynamic interface

You cold probably get away with some manual NAT if the above doesn't suit, as its less configuration.

nat (any,primary-isp) after-auto source dynamic any interface

nat (any,backup-isp) after-auto source dynamic any interface

Routing will determine which interface do send the traffic, then NAT will occur. You would need a mix of SLA and PBR to achieve what you want too.

Joel