Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1106
Views
0
Helpful
4
Replies

ASA 5505 backup interface

Go to solution
amrinw1133
Level 1
Level 1

‎11-22-2011 03:36 AM - edited ‎03-11-2019 02:54 PM

Hello,

I have setup ASA 5505 with 2 ISP, named outside (primary)  and backup, the scenario is if outside down, then backup will take over, it works now.

But it is not working when the primary connection cannot reach the gateway with the interface still up.

Is it possible when the primary connection cannot reach the gateway then backup automatically take over?

Thanks before..

My configuration is:

ASA Version 8.2(1)

!

hostname cisco

domain-name default_domain

enable password ********* encrypted

passwd ********* encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.254 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 172.10.10.10 255.255.255.0

!

interface Vlan3

no forward interface Vlan2

nameif backup

security-level 0

ip address 172.20.10.10 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 1

!

interface Ethernet0/1

switchport access vlan 2

!

interface Ethernet0/2

switchport access vlan 3

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

dns server-group DefaultDNS

domain-name default domain

same-security-traffic permit intra-interface

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu backup 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (inside) 1 interface

global (outside) 1 interface

global (backup) 1 interface

nat (inside) 1 192.168.1.0 255.255.255.0

access-group inside_out in interface inside

access-group outside_in in interface outside

access-group backup_in in interface backup

route outside 0.0.0.0 0.0.0.0 172.10.10.1 1

route backup 0.0.0.0 0.0.0.0 172.20.10.1 254

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd lease 1048575

dhcpd auto_config outside

!

dhcpd address 192.168.1.100-192.168.1.200 inside

dhcpd dns 8.8.8.8 8.8.4.4 interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

  inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:24af050f332deab3e38eb578f8081d05

: end

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
varrao
Level 10
Level 10

‎11-22-2011 03:50 AM

Hi Amrin,

you can configure SLA monitoring on ASA and that woudl work fine for you:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Hope that helps.

Thanks,

Varun

Thanks,
Varun Rao

View solution in original post

0 Helpful
4 Replies 4

Go to solution
varrao
Level 10
Level 10

‎11-22-2011 03:50 AM

Hi Amrin,

you can configure SLA monitoring on ASA and that woudl work fine for you:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Hope that helps.

Thanks,

Varun

Thanks,
Varun Rao
0 Helpful

Go to solution
prashantrecon
Level 1
Level 1
In response to varrao

‎11-26-2011 11:37 PM

Hi Varun,

Is it possible to configure SLA monotoring if one link is having point to point connectivity and other link just a normal internet link.

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to prashantrecon

‎11-27-2011 11:50 AM

Hello Prashant,

All you need for SLA monitoring its a route for the target ( so that route entry can be monitored using ICMP traffic) so you do not have to worry about the type of link.

Please rate helpful posts.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
amrinw1133
Level 1
Level 1
In response to varrao

‎11-27-2011 08:40 PM

Hi Varun,

Thank you for your helpful information, the SLA monitoring works well.

Thanks a lot

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card