topic Re: Cisco 5510 ISP backup in Network Security

Cisco 5510 ISP backup

lawsuites — Mon, 11 Mar 2019 20:17:52 GMT

Hello everyone,

I would like to setup backup ISP in our ASA5510. Right now the the firewall has for defualt gateway following command:

"route outside 0.0.0.0 0.0.0.0 114.324.321.33 1" i am changing this to

route outside 0.0.0.0 0.0.0.0 114.324.321.33 10 track 1 ...so i can setup sla monitoring

As soon as i do the above command and remove the orignal "route outside 0.0.0.0 0.0.0.0 114.324.321.33 1" from asa then internet connection drops.

Right now asa interface Ethernet0/0 has main isp configured and configuring interface Ethernet0/3 as backup.

interface Ethernet0/3
nameif backup
security-level 0
ip address 114.324.321.34 255.255.255.252
no shut
global (backup) 1 interface

route outside 0.0.0.0 0.0.0.0 114.324.321.33 10 track 1 ( Right now in firewall i have" route outside 0.0.0.0 0.0.0.0 114.324.321.33 1 " )

route backup 0.0.0.0 0.0.0.0 115.283.212.23 20 track 2

track 1 rtr 1 reachability

track 2 rtr 2 reachability

sla monitor 1
type echo protocol ipIcmpEcho 114.324.321.33 interface outside
sla monitor schedule 1 life forever start-time now
sla monitor 2
type echo protocol ipIcmpEcho 115.283.212.23 interface backup
sla monitor schedule 2 life forever start-time now

----------------------------------------

Also our firewall has site to site vpn and 1 main ip configured for exchange and remote access.

Re: Cisco 5510 ISP backup

KARUPPUCHAMY MALAIYANDI — Thu, 07 Apr 2011 02:22:43 GMT

Hi,

ASA/PIX wont allow us to configure default route with same AD.

You can increase the AD value for the backup default route and apply the TRACK in the primary default route.

Also no need to apply the track to backup default route.

Updated configuration:-

interface Ethernet0/3
nameif backup
security-level 0
ip address 114.324.321.34 255.255.255.252
no shut

global (backup) 1 interface
route outside 0.0.0.0 0.0.0.0 114.324.321.33 1 track 1
route backup 0.0.0.0 0.0.0.0 115.283.212.23 254

track 1 rtr 1 reachability

sla monitor 1
type echo protocol ipIcmpEcho 114.324.321.33 interface outside
sla monitor schedule 1 life forever start-time now

Thanks

Karuppu

Re: Cisco 5510 ISP backup

lawsuites — Thu, 07 Apr 2011 02:44:40 GMT

Karuppu, thanks for the quick response, will try that and let you know.

Re: Cisco 5510 ISP backup

lawsuites — Thu, 07 Apr 2011 13:30:15 GMT

As soon as i took out "route outside 0.0.0.0 0.0.0.0 173.251.14.33 1" this and added " route outside 0.0.0.0 0.0.0.0 173.251.14.33 1 track 1" internet went down.

Let me give you more information how our isp gateway is setup:

global (outside) 1 interface
nat (inside) 0 access-list HOME-REMOTENONAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp Exchange2010 smtp netmask 255.255.255
.255
static (inside,outside) tcp interface https Exchange2010 https netmask 255.255.2
55.255
static (inside,outside) tcp interface 3389 10.10.10.203389 netmask 255.255.255.2
55
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 114.324.321.33 1
route inside 10.10.4.0 255.255.255.0 10.10.4.1 1
route inside 10.10.5.0 255.255.255.0 10.10.5.1 1
route inside 10.10.6.0 255.255.255.0 10.10.6.1 1
route inside 10.10.7.0 255.255.255.0 10.10.7.1 1
route inside 10.10.8.0 255.255.255.0 10.10.8.1 1
route inside 10.10.9.0 255.255.255.0 10.10.9.1 1

Pls help, thanks.

Re: Cisco 5510 ISP backup

lawsuites — Thu, 14 Apr 2011 03:32:25 GMT

any advise on this, pls.