ASA 5505 Redundancy

John Apricena
Level 1

Hello Guys,

One of our clients has redundant ASA 5505's with a few switches. The ASA 5505s have a basic setup, outside ports, inside ports, dmz each on a different vlan, and failover is configured and working properly for both. The customer wants to bring a secondary ISP in for added redundancy. Based on the fact that failover uses the redundancy of the same network for the ASAs to talk on, what would be the best approach here?

Can I create 2 outside interfaces each with the different ISPs and if one ISP fails, the other one can pick up using like a type of SLA? Also, can I load balance traffic out the two or even choose which traffic may go out each line? For instance all internet traffic out one ISP and all VPN traffic out the other ISP.

Any thoughts would be greatly appreciated, and thanks so much in advance.

4 Replies

lcambron
Level 3

Hello John,

You can have dual ISP but must have the same configuration on both ASAs, meaning you cannot have one ISP on primary and the other on the secondary.

Because SLA Monitor and Failover are both for redundancy, the best practice is NOT to monitor the outside interface, since it will be tracked by the SLA (if outside fails then the backup takes over, if another interface fails then the entire ASA fails over).

The ASA does not support PBR (routing based on source), therefore you can only have one default route active at the time.

However for L2L VPN, you can configure static routes using the back link (for the peer IP and remote network).

Regards,

Felipe.

Remember to rate useful posts.

Hi lcambron,

Thanks for the prompt response, and great details. What would be the best route to go about this? Primarily redundancy is the big factor. If one ISP fails we want the other one to take over. With the two ASA 5505's, which is the best way to handle this in your opinion?

John,

You can have the SLA Monitor and Failover at the same time, no special considerations.

Once this is configured, just stop monitoring on the outside interface for Failover:

- no monitor-interface outside

So if the outside link fails on primary ASA, no failover will happen but the ASA will switch to the secondary ISP.

Regards,

Felipe.

Remember to rate useful posts.
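The setup Felipe describes in both replies (SLA-tracked default route to the primary ISP, a floating backup route, VPN peer pinned to the backup link, and the outside interface excluded from failover monitoring), written out as an added ASA configuration example that is not from this thread or from Cisco. Interface names "outside"/"backup", the inside subnet, the VPN peer and the ISP addresses are constructed placeholders from documentation ranges; syntax is ASA 8.3+ object NAT.

```cisco
! Primary ISP on "outside", secondary ISP on "backup" (names and addresses are constructed)
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
interface Vlan3
 nameif backup
 security-level 0
 ip address 198.51.100.2 255.255.255.248 standby 198.51.100.3
!
! Probe the primary ISP gateway with ICMP every 10 seconds; the tracked route is
! withdrawn only after the probe fails, so transient loss does not flap routing
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
!
! Default route via the primary ISP is tied to track 1; when it is withdrawn the
! higher-metric (254) backup route becomes the active default route
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! L2L VPN: peer address and remote LAN always leave via the backup link
! (this is the "static routes using the back link" from the first reply)
route backup 192.0.2.10 255.255.255.255 198.51.100.1 1
route backup 10.20.0.0 255.255.0.0 198.51.100.1 1
!
! Each egress interface needs its own NAT rule or traffic over the backup
! link fails; two objects with the same subnet, one per egress interface
object network inside-net-out
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network inside-net-backup
 subnet 10.0.0.0 255.255.255.0
 nat (inside,backup) dynamic interface
!
! Failover keeps monitoring inside and dmz (a failed interface there fails over
! the whole ASA), but an ISP outage on outside is handled by the SLA route switch,
! not by failover, so monitoring is disabled on both ISP-facing interfaces
monitor-interface inside
monitor-interface dmz
no monitor-interface outside
no monitor-interface backup
```

On the 5505 the extra VLAN is only permitted with the Security Plus license, which the pair already needs for Active/Standby failover; verify the route switch with `show track 1` and `show route` after pulling the primary ISP link.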

Thanks lcambron! I will let you know if I have any issues with this.
