Configuring Traffic Zone on ASA

SIMMN — Tue, 12 Mar 2019 08:59:47 GMT

I have dual-ISP connection (failover) at the edge of campus network. We are setting up the new ASA with multiple contexts. Since IP SLA is not supported under multiple context mode, we are trying to go with Traffic Zone feature to maintain the Dual-ISP failover functionality. However the confusion is: there is no configurable option to tweak for a better predictability of how the failover would work with zones...

Here is a picture stolen from configure guide that represents the setup (we only have two ISPs instead of four in the diagram).

http://www.cisco.com/c/dam/en/us/td/i/300001-400000/370001-380000/373001-374000/373595.eps/_jcr_content/renditions/373595.jpg

So questions:

1. If one ISP failed, say the medium between ASA and ISP CE failed, how does ASA detect the failover for switchover?

2. For outbound NAT, how to NAT to individual IP addresses from each ISP dynamically? Say I have one /24 subnet on LAN and one /24 subnet on DMZ need to be NATed when sending traffic through ASA to Internet.

object network LAN1-NAT-ISP1
subnet 10.18.0.0 255.255.255.0

object network DMZ-NAT-ISP1
subnet 172.16.0.0 255.255.255.0

object network LAN1-NAT-ISP2
subnet 10.18.0.0 255.255.255.0

object network DMZ-NAT-ISP2
subnet 172.16.0.0 255.255.255.0

Option#1, do dynamic PAT Pool:

object network ISP1-NAT-1
host 205.101.27.126

object network ISP1-NAT-2
host 205.101.27.127

object-group network ISP1-NAT-Pool
network-object object ISP1-NAT-1
network-object object ISP1-NAT-2

object network LAN1-NAT-ISP1
nat (Inside,any) dynamic pat-pool ISP1-NAT-Pool
object network LAN1-NAT-ISP2
nat (Inside,any) dynamic 18.195.59.126
object network DMZ-NAT-ISP1
nat (DMZ,any) dynamic pat-pool ISP1-NAT-Pool
object network DMZ-NAT-ISP2
nat (DMZ,any) dynamic 18.195.59.126

Option#2, do a simple dynamic PAT to non-interface address

object network LAN1-NAT-ISP1
nat (Inside,any) dynamic 205.101.27.126
object network LAN1-NAT-ISP2
nat (Inside,any) dynamic 18.195.59.126
object network DMZ-NAT-ISP1
nat (DMZ,any) dynamic 205.101.27.126
object network DMZ-NAT-ISP2
nat (DMZ,any) dynamic 18.195.59.126

3. If above commands are correct for the setup, then why ASA complains "WARNING: Pool (205.101.27.126) overlap with existing pool."? Does this mean ASA wont be able to smartly forward traffic outbound for NAT?

4. If the above commands are correct for the setup, then again as question#1, how does the firewall decide which ISP to use?

Wish there is some kinda whitepaper OR tac document to better explain this...

Thanks,

If you are going to go with

Philip D'Ath — Thu, 02 Mar 2017 02:55:05 GMT

If you are going to go with multi-context mode (can you get rid of this) then I think you will need a dynamic routing protocol with each ISP link.

No, cannot get rid of context

SIMMN — Thu, 02 Mar 2017 04:09:18 GMT

No, cannot get rid of context. Even I did, dynamic routing does not solve NAT and fail over. Plus barely any isp would peer with customer for NON-bgp.

topic Configuring Traffic Zone on ASA in Network Security

Configuring Traffic Zone on ASA

If you are going to go with

No, cannot get rid of context