topic Re: Cisco asa5510 in Network Security

Cisco asa5510

lawsuites — Mon, 11 Mar 2019 20:09:34 GMT

Hello,

We are going to backup internet for our firm. How would i configure that in asa5510.

For example Lets say interface Ethernet0/1 has the current internet connection that we are using right now.

Now would like to configure interface Ethernet0/3 for our new second internet so for any reason our current internet goes down then user will not feel downtime.

for example lets say new internet provider ip is 143.328.321.34(usable ip), 143.328.321.33 (deffault gatway), and 255.255.255.248 - Subnet Mask

We also have exchange and lets say local ip is 11.11.11.28 and will create reverse dns for this 143.328.321.34.

Following is the example current configs:

hostname ASA-MP

domain-name domain.com

name 11.11.11.28 Exchange2010

dns-guard

interface Ethernet0/0

speed 100

duplex full

nameif outside

security-level 0

ip address 114.324.321.44 255.255.255.248

interface Ethernet0/1

nameif inside

security-level 100

ip address 11.11.11.240 255.255.255.0

interface Ethernet0/2

shutdown

no nameif

security-level 100

ip address 11.11.20.2 255.255.255.240

interface Ethernet0/3

nameif temp

security-level 0

no ip address

Pls help, thanks

Re: Cisco asa5510

Federico Coto Fajardo — Sat, 19 Mar 2011 04:15:02 GMT

Hi,

You can configure an internet connection on the ASA.

If using the outside interface, that interface will have the default gateway

route outside 0 0 x.x.x.x 10

Now, you can have another interface as backup

route backup 0 0 y.y.y.y 20

The above will work, but you also need SLA to track the state of the link in order for the ASA to be able to determine if one link is down to switch to the backup link and then switch back to the primary internet connection when it recovers.

Hope it helps.

Federico.

Re: Cisco asa5510

lawsuites — Sat, 19 Mar 2011 04:48:05 GMT

Thanks Federico,

Lets say i don't make SLA.

Can you give me the entries to configure the interface etherenet 3 for internet. I will plug the wire in interface 3 if our main internet goes down.

Also if i have to then how to do SLA?

thanks

Re: Cisco asa5510

Federico Coto Fajardo — Sat, 19 Mar 2011 16:19:10 GMT

Main interface E0
route outside 0 0 114.324.321.xxx 10 track 1

Backup interface E3
route backup 0 0 xxx.xxx.xxx.xxx 20 track 2

Configure SLA:

track 1 rtr 1 reachability

track 2 rtr 2 reachability

sla monitor 1
type echo protocol ipIcmpEcho x.x.x.x interface outside
sla monitor schedule 1 life forever start-time now
sla monitor 2
type echo protocol ipIcmpEcho y.y.y. interface backup
sla monitor schedule 2 life forever start-time now

Hope it helps.

Federico.

Re: Cisco asa5510

andamani — Mon, 21 Mar 2011 16:06:14 GMT

Hi Gurpreet,

To validate fredrico's configuration the following link gives the details of the SLA monitoring:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Re: Cisco asa5510

lawsuites — Tue, 22 Mar 2011 01:30:40 GMT

thanks:

Re: Cisco asa5510

lawsuites — Tue, 22 Mar 2011 01:30:51 GMT

thanks

Re: Cisco asa5510

lawsuites — Fri, 01 Apr 2011 04:28:23 GMT

Ok, finally got the back installed by 2nd ISP. Now i am ready to make these changes but would like to clear some question out before i do this.

Right now with current and primry we have only IP address that work for exchange reverse dns, remote desktop, has vpn connection to remote side and have postini spam filtering in asa5510.

If make changes that is recommend nothing else will break right? Also should pi also setup the backup as forward for remote deskto and postini filltering for exchange?

Thanks

Re: Cisco asa5510

sushil — Fri, 01 Apr 2011 09:54:54 GMT

Yes.Nothing will break.The ISP will run in active/passive.

If primary goes down only then backup will come into picture.

Re: Cisco asa5510

lawsuites — Sat, 02 Apr 2011 14:57:36 GMT

....

Re: Cisco asa5510

lawsuites — Sun, 03 Apr 2011 21:19:53 GMT

Re: Cisco asa5510

lawsuites — Sun, 03 Apr 2011 21:21:28 GMT

Hello Federico,

After carefully reading your response i think i got it and understood where i was making mistake . I am going to do the following, can you please advise if this is correct:

global (backup) 1 interface

route outside 0 0 114.324.321.33 10 track 1

route backup 0 0 115.283.212.23 20 track 2

Configure SLA:

track 1 rtr 1 reachability

track 2 rtr 2 reachability

sla monitor 1
type echo protocol ipIcmpEcho 114.324.321.33 interface outside
sla monitor schedule 1 life forever start-time now
sla monitor 2
type echo protocol ipIcmpEcho 212.23 20 interface backup
sla monitor schedule 2 life forever start-time now

Thank you very much for your time.

Re: Cisco asa5510

lawsuites — Mon, 04 Apr 2011 14:05:40 GMT

bump, pls help.