Andy White
Explorer

ASA and dual ISP config help

Hello,

We have 2 ASA 5520 firewalls working in active/passive; below is the config for the outside interface.

I can't show the real IPs so have changed them to these:

1.2.3.66 - Primary public IP

1.2.3.67 - Standby public IP

ASA 5520

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 1.2.3.66 255.255.255.224 standby 1.2.3.67
ospf cost 10

Anyway, we have a primary ISP internet line that we are using for our desktops' internet access and AnyConnect VPNs, and we have a spare internet line doing nothing that we want to use as a backup.  They are lines from different ISPs, but it seems both lines can be used, from reading this:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html

The problem is we don't have a spare physical port on the ASA.  The outside ports of the primary and standby ASAs go into a stack of 3750s, where the 2 ISP routers are in the same VLAN as the outside ASA ports.  So can I make the outside port on the ASA a sub-interface, as we don't have any spare ports on the ASA?

If so, what work do I need to do on the ASA and the 2 ports on the 3750s?  The 3750 stack looks like this:

interface GigabitEthernet1/0/1
description ASA Outside
switchport access vlan 1998
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
description ISP1
switchport access vlan 1998
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable

interface GigabitEthernet2/0/1
description ASA Outside
switchport access vlan 1998
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/2
description ISP2
switchport access vlan 1998
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable

Would interface GigabitEthernet1/0/1 and interface GigabitEthernet2/0/1 have to be trunk ports and allow VLANs 1998 and a new VLAN for the second ISP like 1999?

I'm not sure of the ASA config though, assuming ISP2 is on 5.5.5.x:

interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/0.1998
vlan 1998
nameif ????
security-level 0
ip address 1.2.3.66 255.255.255.224 standby 1.2.3.67

interface GigabitEthernet0/0.1999
vlan 1999
nameif ????
security-level 0
ip address 5.5.5.55 255.255.255.224 standby 5.5.5.56

Any example configs would be great; it's just something I've not tried before and it's an important line.  I could configure 2 new trunk ports on the 3750s and just move the cables, so it's easy to roll back.

The last part would be an SLA to fail over.

Please help.

Thanks

8 REPLIES
Marvin Rhoads
VIP Community Legend

Yes - trunk ports on your outside switch and subinterfaces on the ASA should do what you want.

With that in mind, just follow the guide you mentioned in all other aspects.

You will need to make a backup first because making subinterfaces will mean "no nameif" of the parent physical interface which will automatically remove any associated sections such as access-group and NAT commands and other bits (such as binding certificates, webvpn etc.) which reference that nameif. Once you create the subinterface and assign the nameif you can then re-add those sections.

Of course this would be an outage and should be planned as such according to your local procedures.

Hello,

With regards to the "nameif" on the sub-interfaces, would I name the main line something like "outside" and the backup line "backup"?

We use the Cisco VPN client, so it will no doubt cause issues with that?

Thanks 

You can name them anything that's useful to you - the name is only locally significant to the configuration.

But just keep in mind that anything in the current configuration that references the current nameif will need to be manually replaced. This is because as soon as you delete or change an existing interface nameif, all later parts of the configuration that reference it are deleted. Yes it's a bit of a clunky construct but it's been that way since the PIX days.

Specific to your current Cisco VPN client (used with IPsec remote access VPN), your current configuration will have something like "crypto isakmp enable outside" (among other bits). That will have to be re-entered.

Thanks - I was just hoping to call one of the new sub interfaces the same (outside) so little would be changed for the primary line and VPN and then look at the 'backup' nameif after.

Yes you can do that.

The problem is it won't let you assign the "outside" nameif to a new subinterface as long as it exists on the previous physical interface.

As soon as you remove it to eliminate that hurdle, the ripple effect through the rest of the configuration will happen and you have to do the re-entry.

Hmm sounds a bit scary.

The other option is to get a second router on the same public IP range from our ISP and use HSRP on the routers.

Or automate my manual process through something like Cisco Prime. I do this at the moment:

ASA

conf t
interface GigabitEthernet0/0
 ip address 1.2.3.66 255.255.255.224 standby 1.2.3.67
route outside 0.0.0.0 0.0.0.0 1.2.3.66 1

Thanks.

So what should be the steps?  At the moment, if I have to manually fail over to the backup line, I simply do:

Change:

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.2.3.66 255.255.255.224 standby 1.2.3.67
 ospf cost 10

To:

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.224 standby x.x.x.x (Backup ISP IP address)
 ospf cost 10
!
no route outside 0.0.0.0 0.0.0.0 1.2.3.66 1

Then

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1 (Backup ISP IP router)

I was thinking of using a script to do this, as we have Prime, because I don't feel confident enough to do this myself.

Or changing the configs, something like this?

Steps:

  1. Configure 2 new ports on switches

conf t

vlan 1999
 name PrimaryISP

vlan 1998
 name backupISP

! 3750s negotiate trunk encapsulation by default, so set dot1q explicitly;
! plain "spanning-tree portfast" only applies to access ports, trunks need "portfast trunk"
interface GigabitEthernet1/0/4
 description Trunk to ASA1 Outside
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1998-1999
 switchport mode trunk
 spanning-tree portfast trunk
 spanning-tree bpduguard enable

interface GigabitEthernet2/0/4
 description Trunk to ASA2 Outside
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1998-1999
 switchport mode trunk
 spanning-tree portfast trunk
 spanning-tree bpduguard enable

Then the ASAs

Current config (not real IPs):

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 1.2.3.66 255.255.255.224 standby 1.2.3.67
ospf cost 10

My steps

interface GigabitEthernet0/0
no nameif
no security-level
no ip address

interface GigabitEthernet0/2.1999
 vlan 1999
 nameif outside
 security-level 0
 ip address 1.2.3.66 255.255.255.224 standby 1.2.3.67

interface GigabitEthernet0/2.1998
 vlan 1998
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.224 standby x.x.x.x

Move cables from gig 0/0 on each ASA into 1/0/4 & 2/0/4

Add route outside 0.0.0.0 0.0.0.0 1.2.3.66 1

I have an access list called outside_access_in; will this change?

As you mentioned the NATs too, as below, do they all get removed?

nat (inside,outside) source static any any destination static NETWORK_OBJ_172.29.11.0_24 NETWORK_OBJ_172.29.11.0_24 no-proxy-arp route-lookup
nat (inside,outside) dynamic interface
nat (DMZ2,outside) dynamic interface
nat (DMZ3,outside) dynamic interface
nat (DMZ4,outside) dynamic interface
nat (outside,outside) dynamic interface
nat (DMZ1,outside) dynamic interface
nat (DMZ1,outside) static x.x.x.x
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.3.66 1
http x.x.40.0 255.255.255.0 outside
ssh x.x.40.0 255.255.255.0 outside
ssl trust-point Corp-TrustPoint-SSLVPN-AW outside
enable outside

Hello,

As previously mentioned, once you do "no nameif" on the G0/0 interface, you will lose all associated configurations for that nameif (e.g. NAT & ACLs). So you need to back those up.

As for your configuration steps, you can't have two interfaces with the same nameif. For simplicity, you can name G0/2.1998 and G0/2.1999 as outside1 and outside2 but it's up to you on what makes most sense.

Keep in mind that since you will have 2 outside nameifs, you're going to need to configure two separate ACLs, NATs, etc.

Edit: Also, to make your backup ISP less preferable, you can set an AD of 254 within the static route statement. E.g. route outside2 0.0.0.0 0.0.0.0 x.x.x.x 254

Edit2: Refer to following link: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html. Granted it's not using sub-interfaces but the concepts are the same.
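Putting the thread's pieces together, here is an illustrative end-to-end config (added here; not taken from the original post or from the linked Cisco document): dot1q trunks on the 3750s, two ASA subinterfaces with distinct nameifs, and the IP SLA tracked default route with the AD 254 backup route. Assumed values: VLAN 1998 stays ISP1/primary (only the ISP2 switch port moves to new VLAN 1999), ISP gateways 1.2.3.65 and 5.5.5.33, and 203.0.113.1 as a placeholder probe target; everything on the page that references the old "outside" nameif (access-group, NAT, http/ssh, ssl trust-point, webvpn enable) still has to be re-entered after "no nameif".

```cisco
! 3750 stack (Gi2/0/1 towards the standby ASA gets the same trunk config)
! Assumed mapping: VLAN 1998 stays ISP1/primary, new VLAN 1999 carries ISP2/backup
vlan 1999
 name ISP2-Backup
interface GigabitEthernet1/0/1
 description Trunk to ASA Outside
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1998,1999
 switchport mode trunk
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
interface GigabitEthernet2/0/2
 description ISP2
 switchport access vlan 1999
!
! ASA (failover replicates it to the standby unit): one nameif per ISP
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.1998
 vlan 1998
 nameif outside
 security-level 0
 ip address 1.2.3.66 255.255.255.224 standby 1.2.3.67
!
interface GigabitEthernet0/0.1999
 vlan 1999
 nameif backup
 security-level 0
 ip address 5.5.5.55 255.255.255.224 standby 5.5.5.56
!
! Probe a host beyond ISP1 (203.0.113.1 is a placeholder) out of the primary line;
! while the probe fails the tracked route is withdrawn and the AD 254 route is used
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! 1.2.3.65 and 5.5.5.33 are assumed ISP router addresses
route outside 0.0.0.0 0.0.0.0 1.2.3.65 1 track 1
route backup 0.0.0.0 0.0.0.0 5.5.5.33 254
!
! PAT for the backup path; without it a failover passes no traffic
nat (inside,backup) after-auto source dynamic any interface
```

Confirm the tracked route state with "show track 1" and "show route" before and after pulling the ISP1 link in a maintenance window.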
