Welcome to Cisco Firewalls Community

141 Views | 0 Helpful | 5 Replies
Beginner

ASA in HA, with different ISPs

I'm configuring a pair of ASAs in HA mode for failover, Active/Standby. But in this case, each ASA has a separate internet connection: ASA 1 with ISP A | ASA 2 with ISP 2. I know how to configure the ASAs into HA mode, but I'm a bit uncertain about how to configure the secondary ISP on the standby ASA.

Can somebody help me with this?

5 Replies

RJI (VIP Advocate)

Re: ASA in HA, with different ISPs

Hi,
You can configure IP SLA to monitor the first ISP and, in the event of failure, fail over to the 2nd ISP.

In the example below traffic uses ISP1 via the OUTSIDE_1 interface until the ICMP probe to 1.1.1.254 fails, at which point the default route is removed and the route via ISP2 is used for all traffic.

sla monitor 1
type echo protocol ipIcmpEcho 1.1.1.254 interface OUTSIDE_1
threshold 1
frequency 5
sla monitor schedule 1 life forever start-time now

track 1 rtr 1 reachability

route OUTSIDE_1 0.0.0.0 0.0.0.0 1.1.1.254 1 track 1
route OUTSIDE_2 0.0.0.0 0.0.0.0 2.2.2.254 100

You would need a dynamic NAT for each interface:

nat (INSIDE,OUTSIDE_1) after-auto source dynamic any interface
nat (INSIDE,OUTSIDE_2) after-auto source dynamic any interface

You would obviously need the relevant ACL configured on the outside interfaces.

HTH
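Because the failover pair replicates one configuration, it is worth checking that both outside interfaces carry every piece the reply above lists (default route, tracked primary route whose probe leaves via the primary interface, dynamic NAT) and that the interface which is physically down on each unit is not monitored. The checker below is an added example, not RJI's or Cisco's code; the config it parses is constructed from this thread plus two assumed `monitor-interface` lines, and the `check_dual_isp` function and its message strings are this example's own.

```python
import re

# Constructed sample: the thread's dual-ISP config (sla timers trimmed) plus two
# assumed explicit monitor-interface lines, to exercise the failover-monitoring caveat.
SAMPLE_CONFIG = """
sla monitor 1
 type echo protocol ipIcmpEcho 1.1.1.254 interface OUTSIDE_1
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route OUTSIDE_1 0.0.0.0 0.0.0.0 1.1.1.254 1 track 1
route OUTSIDE_2 0.0.0.0 0.0.0.0 2.2.2.254 100
nat (INSIDE,OUTSIDE_1) after-auto source dynamic any interface
nat (INSIDE,OUTSIDE_2) after-auto source dynamic any interface
monitor-interface OUTSIDE_1
monitor-interface OUTSIDE_2
"""

def check_dual_isp(config, outside_ifaces, inside="INSIDE"):
    """Return a list of findings; an empty list means the design in the thread is complete."""
    routes, track_sla, sla_iface, nat_ifaces, monitored, sla_id = {}, {}, {}, set(), set(), None
    for l in (x.strip() for x in config.splitlines()):
        if m := re.match(r"sla monitor (\d+)$", l):
            sla_id = m.group(1)                      # following 'type echo' line belongs to it
        elif m := re.match(r"type echo protocol ipIcmpEcho \S+ interface (\S+)", l):
            sla_iface[sla_id] = m.group(1)           # interface the ICMP probe leaves on
        elif m := re.match(r"track (\d+) rtr (\d+) reachability", l):
            track_sla[m.group(1)] = m.group(2)       # track object -> sla monitor id
        elif m := re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+ (\d+)(?: track (\d+))?$", l):
            routes[m.group(1)] = (int(m.group(2)), m.group(3))   # (metric, track id or None)
        elif m := re.match(rf"nat \({re.escape(inside)},(\S+)\) .*source dynamic", l):
            nat_ifaces.add(m.group(1))
        elif m := re.match(r"monitor-interface (\S+)$", l):
            monitored.add(m.group(1))                # 'no monitor-interface' does not match
    findings = []
    for i in outside_ifaces:
        if i not in routes:
            findings.append(f"{i}: no default route")
        if i not in nat_ifaces:
            findings.append(f"{i}: no dynamic NAT from {inside}")
        if i in monitored:
            findings.append(f"{i}: monitored; it is down on one unit of the pair (consider 'no monitor-interface {i}')")
    present = [i for i in outside_ifaces if i in routes]
    if len(present) >= 2:
        primary = min(present, key=lambda i: routes[i][0])   # lowest metric wins
        metric, track = routes[primary]
        if track is None:
            findings.append(f"{primary}: preferred default route has no track object")
        elif sla_iface.get(track_sla.get(track)) != primary:
            findings.append(f"{primary}: track {track} probes via another interface")
    return findings
```

Run it against a `show running-config` capture; each finding names the interface and the missing or risky piece, so the fix maps straight back to the lines in the reply above.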

Beginner

Re: ASA in HA, with different ISPs

What about the outside IP for the secondary ISP - how is that applied?

RJI (VIP Advocate)

Re: ASA in HA, with different ISPs

You would define the IP address and nameif on another interface, which is connected to the 2nd ISP.
Beginner

Re: ASA in HA, with different ISPs

Okay, just to make sure I'm understanding this correctly: ASA 1, int 1, ISP 1 + ASA 2, int 2, ISP 2, everything configured on the active ASA.

Then when ASA 1 fails, it connects to the outside via int 2 on ASA 2.

RJI (VIP Advocate)

Re: ASA in HA, with different ISPs (Accepted Solution)

If I understand you correctly, ASA1 is only connected to ISP1 and ASA2 is only connected to ISP2?
When you say ASA in HA do you mean Active/Standby failover?

If yes, obviously the configuration is replicated between the 2 devices and there will be 1 interface down on each ASA. So you could connect a switch on the outside interfaces and then connect to the ISP, so at least both ISPs will be reachable on both interfaces on both ASA. Or potentially not monitor the interface on the respective ASA.

So when ISP1 fails and the ICMP probe fails, yes it will failover to ISP2.

HTH