ASA 5505 ISP Failover

bwillford
Level 1

So we currently have a T1 connection at our location. We were looking to add a high speed cable internet and add an ASA 5505 with Security plus license to do failover between the two. I have found a few examples on how this would work but curious about a couple things.

We would want the Cable to be the primary, T1 as a backup.

Currently the IAD that handles our T1 does dhcp, dns, and NAT.. Who/what would handle these items with the setup above?

5 Replies

jawad-mukhtar
Level 4

In this case NAT will be done by your ASA.

You will do PBR for primary / backup.

Your GW will be your ASA inside interface; you will need to change the GW in DHCP for all clients.

Jawad

jocamare
Level 4

Since the ASA will be replacing the IAD, it will have to do everything the IAD was previously doing; that includes DHCP, DNS and NAT.

As you might know, after configuring SLA monitoring on the ASA to manage the two lines, you have to make sure that the backup line is ready to take over when the time comes. That means NAT translations, routes and access rules have to be in place, at least for a basic setup.

So the ASA has to replace the IAD? The IAD is managed by the ISP; I was wanting to put the ASA behind the IAD.

The ASA doesn't have to replace the IAD. The ASA can just have one of its default routes pointing to the IAD.

dhcp: The ASA can take this role, and if you have some kind of small environment it'll be OK. But IP-to-MAC binding, if you require this function, can't be done on the ASA's internal DHCP server.

dns: You can use some public, well-known DNS server (say 4.2.2.2) to resolve external names. If that's not sufficient for you, you can install your own DNS server somewhere inside your LAN.

nat: For your T1 line you can leave the NAT function on the IAD, while for the new high-speed link the ASA will do NAT.

So the IAD stays, and the ASA sits behind it.
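A constructed configuration for the layout described in the SLA-monitoring reply and the reply just above (ASA behind the IAD, cable as primary, tracked default routes, NAT present on both paths before a failover), added here as an illustration and not taken from any of the posts. Interface names, VLAN numbers and all addresses are placeholders, and it assumes ASA 8.3-or-later object NAT syntax and the Security Plus license mentioned in the question.

```cisco
! Constructed example: ASA 5505 behind the IAD. Cable modem on Vlan2 "outside"
! (primary), IAD LAN side on Vlan3 "backup". Placeholder addressing:
! 203.0.113.0/29 cable, 192.168.2.0/24 IAD LAN, 192.168.1.0/24 inside.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Vlan3
 nameif backup
 security-level 0
 ip address 192.168.2.2 255.255.255.0
!
! Probe a host beyond the cable gateway (the public resolver from the thread)
! so a dead upstream, not just a dead local hop, triggers the failover.
! Three ICMP echoes every 10 seconds, always sent via "outside" so recovery
! is detected even while the backup route is active.
sla monitor 1
 type echo protocol ipIcmpEcho 4.2.2.2 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
! Primary default route is withdrawn when track 1 is down; the backup route
! (metric 254) toward the IAD then carries traffic, and the primary returns
! automatically once the probe succeeds again.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 192.168.2.1 254
!
! One object NAT rule per egress interface, so translations exist for both
! paths ahead of time. On the T1 path the IAD still performs its own NAT,
! so T1 traffic is translated twice (ASA, then IAD).
object network inside-net-cable
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network inside-net-t1
 subnet 192.168.1.0 255.255.255.0
 nat (inside,backup) dynamic interface
!
! ASA takes over DHCP for the inside LAN: clients get the ASA as gateway
! and the public resolver, as suggested in the thread.
dhcpd address 192.168.1.10-192.168.1.200 inside
dhcpd dns 4.2.2.2
dhcpd enable inside
```

To check the behaviour, watch `show track 1` and `show route` while the cable path is interrupted: the tracked route should disappear from the routing table and the backup route toward the IAD should become active, then reverse once the probe recovers.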

If I were you, I would ask my ISP to let me configure the ASA with the configuration the IAD had. That way I would save one hop and one failure point, and would have one device doing what two were previously doing.

If getting rid of the IAD is not an option, I would consider running it in bridge/transparent mode. It will become an L2 hub and let the ASA handle the rest.
