I'm configuring a pair of ASAs into HA mode for failover. Active/Standby. But in this case, each ASA has a separate internet connection. ASA 1 with ISP A | ASA 2 with ISP 2. I know how to configure the ASAs into HA mode, but I'm a bit uncertain about how to configure the secondary ISP on the standby ASA.
Can somebody help me with this?
You can configure IP SLA to monitor the first ISP and, in the event of failure, fail over to the 2nd ISP.
In the example below, traffic uses ISP1 via the OUTSIDE_1 interface until the ICMP probe to 18.104.22.168 fails, at which point the default route is removed and the route via ISP2 is used for all traffic.
sla monitor 1
 type echo protocol ipIcmpEcho 22.214.171.124 interface OUTSIDE_1
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route OUTSIDE_1 0.0.0.0 0.0.0.0 126.96.36.199 1 track 1
route OUTSIDE_2 0.0.0.0 0.0.0.0 188.8.131.52 100
You would need a dynamic NAT for each interface:
nat (INSIDE,OUTSIDE_1) after-auto source dynamic any interface
nat (INSIDE,OUTSIDE_2) after-auto source dynamic any interface
You would obviously need the relevant ACL configured on the outside interfaces.
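A consistency check for the tracked-route failover configuration in the answer above, as an added example that is not part of the original thread. The `audit` function, its messages and the sample addresses (documentation ranges) are constructed here, and it only reads default routes written as `0.0.0.0 0.0.0.0`.

```python
import re

# Constructed sample (documentation-range addresses, not the thread's values).
SAMPLE = """\
sla monitor 1
 type echo protocol ipIcmpEcho 192.0.2.1 interface OUTSIDE_1
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route OUTSIDE_1 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route OUTSIDE_2 0.0.0.0 0.0.0.0 203.0.113.1 100
nat (INSIDE,OUTSIDE_1) after-auto source dynamic any interface
nat (INSIDE,OUTSIDE_2) after-auto source dynamic any interface
"""

def audit(config):
    """Return a list of problems in a tracked-default-route failover config."""
    probe_if, scheduled, tracks, routes, nat_ifs = {}, set(), {}, [], set()
    sla = None  # id of the 'sla monitor N' block being parsed
    for line in (l.strip() for l in config.splitlines()):
        if m := re.fullmatch(r"sla monitor (\d+)", line):
            sla = m[1]
        elif (m := re.match(r"type echo protocol ipIcmpEcho \S+ interface (\S+)", line)) and sla:
            probe_if[sla] = m[1]
        elif m := re.match(r"sla monitor schedule (\d+) ", line):
            scheduled.add(m[1])
        elif m := re.fullmatch(r"track (\d+) rtr (\d+) reachability", line):
            tracks[m[1]] = m[2]
        elif m := re.fullmatch(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+(?: (\d+))?(?: track (\d+))?", line):
            routes.append((m[1], int(m[2] or 1), m[3]))  # (interface, metric, track id)
        elif m := re.match(r"nat \([^,]+,([^)]+)\) .*source dynamic", line):
            nat_ifs.add(m[1])
    problems, tracked = [], [r for r in routes if r[2]]
    if not tracked:
        problems.append("no tracked default route")
    for ifc, metric, trk in tracked:
        sla = tracks.get(trk)
        if sla is None:
            problems.append(f"track {trk} is not defined")
        elif sla not in probe_if:
            problems.append(f"sla monitor {sla} has no echo probe")
        elif probe_if[sla] != ifc:
            problems.append(f"sla monitor {sla} probes via {probe_if[sla]}, route uses {ifc}")
        if sla is not None and sla not in scheduled:
            problems.append(f"sla monitor {sla} is never scheduled")
        if not any(i != ifc and mt > metric and t is None for i, mt, t in routes):
            problems.append(f"no untracked backup default route with metric above {metric}")
    for ifc in sorted({r[0] for r in routes} - nat_ifs):
        problems.append(f"no dynamic NAT towards {ifc}")
    return problems
```

An empty list from `audit(SAMPLE)` means the probe, track object, both default routes and both NAT rules line up; each message names the piece that would leave failover or outbound translation broken.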
Okay, just to make sure I'm understanding this correctly. ASA 1, int 1, ISP 1 + ASA 2, int 2, ISP 2, everything configured on the active ASA.
Then when ASA 1 fails, it connects to the outside via int 2 on ASA 2.