I hate that, I had to write my post three times because it kept timing out. Anyway, in regards to your answer, thank you for the post, I quickly went through it and that is the information I have found in the past to originally set this config up. The only issue I am facing is whenever the connection does switch any traffic headed out the backup link is not binding to the new address (let me explain better):

So lets say you have a web server at 192.168.1.3 and that is static natted to a static IP (lets call it static1) and that allows traffic to know that when it hits the T1 connection, the outside sees static1, well when it switches to the DSL link 192.168.1.3 needs to then be static natted to the DSL static IP (lets call this one static2 so now its switched to the DSL the outside users will only see the IP static2. That is the main issue I am having, I just want to see if my config is really performing this correctly. I have tried to implement this with the ACLs as shown here:

object network obj_any_T1
nat (inside,outside1) dynamic interface

object network obj_any_CableOne
nat (inside,outside2) dynamic interface

access-group 101_Outside1_access_in in interface Outside1
access-group 101_Outside2_access_in in interface Outside2

The same goes for the VPN, if you look down the config you will see several areas where I tried to force information to carry over to the backup link:

Under DHCP/DNS:

dhcpd auto_config outside1  <-------------------
dhcpd auto_config outside2  <-------------------

Under Crypto Maps:

crypto map RA-VPN interface outside1  <-------------------
crypto map RA-VPN interface outside2  <-------------------

crypto isakmp enable outside1   <-------------------
crypto isakmp enable outside2  <-------------------

What do you think? I know you mentioned in points 1 and 2 that it will work but is that because it automaticallty will or is it because the commands I mentioned above (looking for reassurance more than anything here if you cant tell)

Hi,

Well, both, the statics are needed in order to access the servers on both links and the crypto map is needed when it does failover to the other one. And you know what? I am starting to have second thoughts on the VPN. Once the ASA goes to the other link, clients may need to reconnect. I think there is an option on the VPN client where you can configure backup servers, but I am not quite sure.

The other stuff will work fine.

Cheers

Mike

Awesome, thank you. I am going to be configuring this today on the ASA, I will let you know how it goes.

Waiting on the Security Plus licensing currently, I will update you when I get that and can finish the config.

Excellent Vicky, I will standby.

Mike

Well still waiting on the Security Plus licensing stuff but just an update to the situation:

I went ahead and set the company up with their primary link and kept the backoff line turned off while I wait for the security Plus licensing. Also a change had to be made to the config, I had some issues and had to work around them. Also they wanted to have Cable One as the Primary link. I will link the config with the changes made:

Changes to note:

1. Cable One is now the primary link
2. I had to use the internal server IP address for the access-lists as it was not working with the external (I guess due to the 8.2(3) changes)
3. I did have the server with a different external IP to the outside interface of the firewall:

  Explanation:

  Cable One:
  IP Address range: 101.XXX.XXX.100 - XX.XXX.XXX.105
  Subnet Mask: 255.255.255.248
  Gateway: 101.XXX.XXX.1
 
  T1:
  IP Address range: 202.XXX.XXX.100 - XX.XXX.XXX.105
  Subnet Mask: 255.255.255.248
  Gateway: 202.XXX.XXX.1

I had the firewall (outside1) as lets say: 101.XXX.XXX.101 and the server as 101.XXX.XXX.102 for the primary link, then 202.XXX.XXX.101 for outside2 and 202.XXX.XXX.102 for the server on the secondary link. THis did not work so I had to use the firewall IP address and turn off all management on the outside (no management-access inside, no http 0.0.0.0 outside1, no http 0.0.0.0 outside2 ) so OWA (mail would work on HTTP/HTTPS)
I was not able to troubleshoot why this would not work before having to change it though in the future I would really prefer to NOT use the external IP of the ASA as the server. How do I do this? Which is best practice?

     4.  Obviously due to the above I had to talk ASDM off the external interface

     5.  Final issue I have is that if you get two A-records for this model (one for the server on the cableOne side and one for the T1 side) DNS would then have to "round Robin" meaning 50% of the time, you would have timeout issues. So long story short, I had to tell the client we would not do this and that we would make it so you can send but not recieve when on the secondary link. I think and ASA 5510 will be better for this implementation but I am half way in so lets carry on anyway.

-------------------------------------------------------------

---------------------  BASIC INFO  ---------------------

hostname ASA
domain-name domain.local
enable password encrypted
passwd encrypted
names

---------------------------------------------------------------- 
---------------------  INTERFACES  ---------------------

interface Vlan1
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0

interface Vlan2
nameif outside1
security-level 0
ip address 101.XXX.XXX.102 255.255.255.248

interface Vlan3
nameif outside2
security-level 0
ip address 202.XXX.XXX.102 255.255.255.0

interface Ethernet0/0
switchport access vlan 2

interface Ethernet0/1
switchport access vlan 3

interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7

-------------------------------------------------------------

---------------------  BASIC INFO  ---------------------

ftp mode passive

clock timezone CST -6
clock summer-time CDT recurring

dns server-group DefaultDNS
domain-name domain.local

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

-------------------------------------------------------------------
-------------------  OBJECT GROUPS  --------------------

object network obj_any_T1
subnet 0.0.0.0 0.0.0.0

object network obj_any_CableOne
subnet 0.0.0.0 0.0.0.0

object network obj-vpnPool
subnet 10.100.0.0 255.255.255.0

object network obj-LANSubnet
subnet 192.168.101.0 255.255.255.0

object network SERVER01
host

object network SERVER02
host

object network SERVER03
host

object network SERVER04
host

object network SERVER05
host

object network SERVER06
host

----------------------------------------------------------------
-------------------  ACCESS LISTS  ---------------------

\\ SPLIT TUNNELING

access-list splittunnel extended permit ip 192.168.101.0 255.255.255.0

\\ STOP SMTP SPAMMERS INTERNALLY

access-list inside_access_out extended permit tcp host any eq smtp
access-list inside_access_out extended deny tcp any any eq smtp
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit icmp any any

\\ OUTSIDE1
NOTE: Ended up having to refer to the server via its internal IP due to the 8.2(3) IOS changes

access-list 101_Outside1_access_in remark
access-list 101_Outside1_access_in extended permit tcp any host eq www
access-list 101_Outside1_access_in extended permit tcp any host eq smtp
access-list 101_Outside1_access_in extended permit tcp any host eq https

access-list 101_Outside1_access_in permit ip 10.100.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list 101_Outside1_access_in permit ip 192.168.101.0 255.255.255.0 10.100.0.0 255.255.255.0

\\ OUTSIDE2
NOTE: Ended up having to refer to the server via its internal IP due to the 8.2(3) IOS changes

access-list 101_Outside2_access_in remark
access-list 101_Outside2_access_in extended permit tcp any host eq www
access-list 101_Outside2_access_in extended permit tcp any host eq smtp
access-list 101_Outside2_access_in extended permit tcp any host eq https

access-list 101_Outside2_access_in permit ip 10.100.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list 101_Outside2_access_in permit ip 192.168.101.0 255.255.255.0 10.100.0.0 255.255.255.0

-------------------------------------------------------------

---------------------  BASIC INFO  ---------------------

pager lines 24

logging enable
logging asdm informational

mtu inside 1500
mtu outside1 1500
mtu outside2 1500

----------------------------------------------------------------
--------------------  VPN POOL INFO  -------------------

ip local pool vpnpool 10.100.0.50-10.100.0.100

-------------------------------------------------------------

---------------------  BASIC INFO  ---------------------

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-621.bin
no asdm history enable

arp timeout 14400

----------------------------------------------------------------------------------------
-----  APPLYING OBJECT GROUPS, NAT AND ACCESSLISTS -----

nat (inside,outside) source static obj-LANSubnet obj-LANSubnet destination static obj-vpnPool obj-vpnPool

object network obj_any_T1
nat (inside,outside1) dynamic interface

object network obj_any_CableOne
nat (inside,outside2) dynamic interface

\\ OUTSIDE1 (T1)

object network SERVER01
nat (inside,outside1) static interface service tcp smtp smtp

object network SERVER02
nat (inside,outside1) static interface service tcp www www

object network SERVER03
nat (inside,outside1) static interface service tcp https https

\\ OUTSIDE2 (CableOne)

object network SERVER04
nat (inside,outside2) static interface service tcp smtp smtp

object network SERVER05
nat (inside,outside2) static interface service tcp www www

object network SERVER06
nat (inside,outside2) static interface service tcp https https

access-group inside_access_out in interface inside

access-group 101_Outside1_access_in in interface Outside1
access-group 101_Outside2_access_in in interface Outside2

-------------------------------------------------------------
----------------------  ROUTES  ------------------------

route outside1 0.0.0.0 0.0.0.0 101.XXX.XXX.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 202.XXX.XXX.1 255

-------------------------------------------------------------

---------------------  BASIC INFO  ---------------------

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

---------------------------------------------------------------
---------------------  AAA SERVER  ---------------------

aaa-server TACACS+ protocol tacacs+
aaa-server RA_SERVER_GROUP protocol radius
aaa-server LDAP_SERV_GROUP protocol ldap
aaa-server LDAP_SERV_GROUP (inside) host
ldap-base-dn dc=domain, dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password
ldap-login-dn cn=Administrator, cn=Users, dc=domain, dc=local
server-type microsoft

aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL

-------------------------------------------------------------

---------------------  BASIC INFO  ---------------------

http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside1
http 0.0.0.0 0.0.0.0 outside2

no snmp-server location
no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

--------------------------------------------------------
------------  SLA MONITOR FOR ISP FAILOVER  ------------

sla monitor 1
type echo protocol ipIcmpEcho 4.2.2.2 interface outside1
num-packets 4
frequency 10

sla monitor schedule 1 life forever start-time now

service resetoutside

-----------------------------------------------------------------
---------------------  CRYPTO MAPS  --------------------

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map RA-VPN 1 set transform-set ESP-3DES-MD5
crypto dynamic-map RA-VPN 1 set security-association lifetime seconds 28800
crypto dynamic-map RA-VPN 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map RA-VPN 1 set reverse-route

crypto map RA-VPN 65535 ipsec-isakmp dynamic RA-VPN
crypto map RA-VPN interface outside1
crypto map RA-VPN interface outside2

crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside1
crypto isakmp enable outside2

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

crypto isakmp nat-traversal 10
crypto isakmp ipsec-over-tcp port 1000

-------------------------------------------------------------
----------------------  FAILOVER  ----------------------

track 1 rtr 1 reachability

-----------------------------------------------------------------------
-----------------  TELNET/SSH/CONSOLE  -----------------

telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60

ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside1
ssh 0.0.0.0 0.0.0.0 outside2
ssh timeout 60

console timeout 0

management-access inside  <---------------- Had to take this out as server now uses firewall external IP

---------------------------------------------------------------
----------------------  DHCP/DNS  ----------------------

dhcpd dns 8.8.8.8
dhcpd lease 8400
dhcpd ping_timeout 750
dhcpd domain domain.local

dhcpd auto_config outside1
dhcpd auto_config outside2

dhcpd address 192.168.101.100-192.168.101.200 inside
dhcpd enable inside

-------------------------------------------------------------

---------------------  BASIC INFO  ---------------------

priority-queue inside
priority-queue outside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

------------------------------------------------------------------
---------------------  ANYCONNECT  ---------------------

webvpn
group-policy remotevpn internal
group-policy remotevpn attributes
dns-server value 8.8.8.8
vpn-idle-timeout 30
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnpool
default-domain value domain.local

------------------------------------------------------------------
--------------------  GROUP POLICYS  -------------------

group-policy ldapvpn internal
group-policy ldapvpn attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value domain.local

group-policy remotevpn internal
group-policy remotevpn attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value domain.local

-----------------------------------------------------------------
---------------------  USERNAMES  ----------------------

username administrator password encrypted privilege 15
username UserExample password encrypted privilege 7

--------------------------------------------------------------------
--------------------  TUNNEL GROUPS  -------------------

tunnel-group RA-VPN type remote-access
tunnel-group remotevpn type remote-access
tunnel-group remotevpn general-attributes
address-pool vpnpool
authorization-server-group (outside) LOCAL
default-group-policy remotevpn

tunnel-group gcrenvpn ipsec-attributes
pre-shared-key

tunnel-group ldapvpn type remote-access
tunnel-group ldapvpn general-attributes
address-pool vpnpool
authentication-server-group LDAP_SERV_GROUP
default-group-policy ldapvpn

tunnel-group ldapvpn ipsec-attributes
pre-shared-key

-------------------------------------------------------------

---------------------  BASIC INFO  ---------------------

class-map inspection_default
match default-inspection-traffic

policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp

service-policy global_policy global
prompt hostname context
Cryptochecksum:f6e35e4741bf944d8f3d7fb5d2794655
: end