05-31-2013 10:25 AM - edited 03-11-2019 06:51 PM
Hello Experts,
I have an interesting situation that I can't find a Cisco-supported configuration for. My customer has a pair of 5520s set up in a failover pair and has two internet connections. The primary ISP has an Adtran router onsite, but the backup ISP did not provide a CPE router. I only found this out when I was onsite and needed to get it working; otherwise I would have suggested purchasing another router.
I am trying to find out if this would be a supported configuration.
Here are the important parts of the way I got it working to fail over to the backup ISP and still provide outside access to critical applications. I substituted private IP addresses to protect the customer's identity.
interface GigabitEthernet0/0
 nameif outside-primary
 security-level 0
 ip address 10.10.10.162 255.255.255.224
!
interface GigabitEthernet0/1
 nameif outside-backup
 security-level 0
 ip address 10.10.100.70 255.255.255.252
!
object network SVREX2010-PRIMARY
 nat (inside,outside-primary) static 10.10.10.163
object network SVREX2010-BACKUP
 nat (inside,outside-backup) static 10.10.200.187
!
route outside-primary 0.0.0.0 0.0.0.0 10.10.10.161 1 track 1
route outside-backup 0.0.0.0 0.0.0.0 10.10.100.69 10 track 2
!
sla monitor 10
 type echo protocol ipIcmpEcho interface outside-primary
 num-packets 4
 frequency 10
sla monitor schedule 10 life forever start-time now
sla monitor 11
 type echo protocol ipIcmpEcho interface outside-backup
 num-packets 4
 frequency 10
sla monitor schedule 11 life forever start-time now
!
track 1 rtr 10 reachability
!
track 2 rtr 11 reachability
So as you can see, the primary internet is all on the same IP subnet, but the backup NAT object is an IP address on a completely different subnet than the "outside-backup" interface. As a note, this is working perfectly and it is only a temporary situation, but if it is supported I may end up using this configuration again as a permanent solution.
Thanks much for any advice!
05-31-2013 02:05 PM
Hello,
I could not really understand the topology, but the configuration will work fine as long as the ISP has a route for 10.10.200.187 pointing to the ASA.
This is possible because the ASA proxy ARPs for an IP in the NAT even though it is not in the same range as the interface.
FYI: this stopped working on 8.4.3, and an enhancement was added to enable it again.
After 8.4.4.2 a command was added to allow this function again: 'arp permit-nonconnected'
Enhancement ID:
I don't see why you created sla monitor 11; you only need to monitor the primary route.
Regards,
Felipe.
05-31-2013 02:40 PM
Hello,
Just to add something to the great answer of Felipe,
If you are going to build UDP connections across the ASA, be careful with the fact that when the ASA triggers the SLA and you start using the backup interface, everything will flow as expected, but when the Primary interface comes back and preemption happens, the ASA will not tear down and rebuild the connections via the Primary interface and will still use the backup (even when the primary is up).
The UDP session will only be rebuilt using the Primary interface once the connection gets deleted (with UDP that could take a long time).
This will generate issues with UDP traffic, so be careful and add the following command:
timeout floating-conn xx:xx:xx
The time set in the previous command is how long the ASA will wait before tearing the connection down and rebuilding it via the new Primary interface.
Regards
Julio
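Both replies above describe a condition that is easy to miss in a running config: a static NAT mapped to an address outside the mapped interface's subnet (which only answers ARP with 'arp permit-nonconnected'), and the absence of 'timeout floating-conn' (which leaves flows on the backup route after the primary returns). The following is an added example, not Cisco tooling or the original poster's configuration: a small Python lint that parses an ASA-style config for the two conditions Felipe and Julio raised. The sample config is constructed from the addresses in the original post, the 30-second floating-conn value is an assumed choice, and the function names are hypothetical.

```python
"""Hypothetical lint for the two ASA dual-ISP pitfalls raised in this thread.

Added example (not Cisco tooling). It checks an ASA-style config for:
  1. object-NAT mapped addresses outside the mapped interface's connected
     subnet (these are only proxy-ARPed with 'arp permit-nonconnected');
  2. whether 'timeout floating-conn' is set, so flows that moved to the
     backup route are torn down when the primary route returns.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple


def parse_interfaces(config: str) -> Dict[str, ipaddress.IPv4Network]:
    """Map each nameif to the subnet of its 'ip address <ip> <mask>' line."""
    nets: Dict[str, ipaddress.IPv4Network] = {}
    nameif: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None  # new stanza: wait for its nameif
        elif m := re.fullmatch(r"nameif (\S+)", line):
            nameif = m.group(1)
        elif (m := re.fullmatch(r"ip address (\S+) (\S+)(?: standby \S+)?", line)) and nameif:
            nets[nameif] = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return nets


def parse_static_nats(config: str) -> List[Tuple[str, str, str]]:
    """Return (object, mapped_interface, mapped_address) for object NAT static rules."""
    rules: List[Tuple[str, str, str]] = []
    obj: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"object network (\S+)", line):
            obj = m.group(1)
        elif (m := re.fullmatch(r"nat \((\S+),(\S+)\) static (\S+)(?: .*)?", line)) and obj:
            rules.append((obj, m.group(2), m.group(3)))
    return rules


def nonconnected_nats(config: str) -> List[Tuple[str, str, str, str]]:
    """Mapped addresses that fall outside the mapped interface's connected subnet."""
    nets = parse_interfaces(config)
    out: List[Tuple[str, str, str, str]] = []
    for obj, iface, mapped in parse_static_nats(config):
        try:
            addr = ipaddress.IPv4Address(mapped)
        except ValueError:
            continue  # mapped side is an object name, not resolvable offline
        net = nets.get(iface)
        if net is not None and addr not in net:
            out.append((obj, iface, mapped, str(net)))
    return out


def has_arp_permit_nonconnected(config: str) -> bool:
    return any(raw.strip() == "arp permit-nonconnected" for raw in config.splitlines())


def floating_conn_timeout(config: str) -> Optional[int]:
    """Seconds from 'timeout floating-conn h:mm:ss'; None if absent or 0:00:00 (disabled)."""
    for raw in config.splitlines():
        if m := re.fullmatch(r"timeout floating-conn (\d+):(\d{1,2}):(\d{1,2})", raw.strip()):
            h, mi, s = (int(x) for x in m.groups())
            return (h * 3600 + mi * 60 + s) or None
    return None


def lint(config: str) -> List[str]:
    findings: List[str] = []
    if not has_arp_permit_nonconnected(config):
        for obj, iface, mapped, net in nonconnected_nats(config):
            findings.append(f"{obj}: mapped {mapped} is outside {iface} subnet {net}; "
                            "needs 'arp permit-nonconnected' to be proxy-ARPed")
    if floating_conn_timeout(config) is None:
        findings.append("no 'timeout floating-conn': flows that failed over to the "
                        "backup route stay there after the primary route returns")
    return findings


# Constructed sample, trimmed from the configuration in the original post.
SAMPLE = """\
interface GigabitEthernet0/0
 nameif outside-primary
 security-level 0
 ip address 10.10.10.162 255.255.255.224
!
interface GigabitEthernet0/1
 nameif outside-backup
 security-level 0
 ip address 10.10.100.70 255.255.255.252
!
object network SVREX2010-PRIMARY
 nat (inside,outside-primary) static 10.10.10.163
object network SVREX2010-BACKUP
 nat (inside,outside-backup) static 10.10.200.187
"""
# Same config plus the two commands from the replies (30 s is an assumed value).
HARDENED = SAMPLE + "arp permit-nonconnected\ntimeout floating-conn 0:00:30\n"

if __name__ == "__main__":
    for name, cfg in (("as posted", SAMPLE), ("hardened", HARDENED)):
        print(name, lint(cfg) or ["clean"])
```

Run it against a `show running-config` dump to list every mapped address that the ASA will only answer ARP for when 'arp permit-nonconnected' is present; in this thread's config that is only the backup-side mapping, since 10.10.10.163 sits inside the /27 of outside-primary.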