Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2341
Views
0
Helpful
5
Replies

ASA in HA, with different ISPs

Go to solution
Michael Bartholomæussen
Level 1
Level 1

‎08-14-2019 03:24 AM - edited ‎02-21-2020 09:24 AM

I'm configuring a pair of ASA into HA mode for failover. Active/Standby. But in this case, each ASA has a separate internet connection. ASA 1, with ISP A | ASA 2 with ISP 2. I know how to configure the ASAs into HA mode, but a bit uncertain about on how to configure the secondary ISP on the standby ASA.

 

Can somebody help me with this?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP
In response to Michael Bartholomæussen

‎08-14-2019 04:21 AM

If I understand you correctly, ASA1 is only connected to ISP1 and ASA2 is only connected to ISP2?
When you say ASA in HA do you mean Active/Standby failover?

If yes, obviously the configuration is replicated between the 2 devices and there will be 1 interface down on each ASA. So you could connect a switch on the outside interfaces and then connect to the ISP, so at least both ISPs will be reachable on both interfaces on both ASA. Or potentially not monitor the interface on the respective ASA.

So when ISP1 fails and the ICMP probe fails, yes it will failover to ISP2.

HTH

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Rob Ingram
VIP
VIP

‎08-14-2019 03:37 AM

Hi,
You can configure IP SLA to monitor the first ISP, in the event of failure failover to the 2nd ISP.

 

In the example below traffic uses ISP1 via OUTSIDE_1 interface until the icmp probe to 1.1.1.254 fails, it which point the default route is removed and the route via ISP2 is used for all traffic.

 

sla monitor 1
type echo protocol ipIcmpEcho 1.1.1.254 interface OUTSIDE_1
threshold 1
frequency 5
sla monitor schedule 1 life forever start-time now

track 1 rtr 1 reachability

route OUTSIDE_1 0.0.0.0 0.0.0.0 1.1.1.254 1 track 1
route OUTSIDE_2 0.0.0.0 0.0.0.0 2.2.2.254 100

You would need a dynamic NAT for each interface

 

nat (INSIDE,OUTSIDE_1) after-auto source dynamic any interface
nat (INSIDE,OUTSIDE_2) after-auto source dynamic any interface

You would obviously need the relevant ACL configured on the outside interfaces.

 

HTH

0 Helpful

Go to solution
Michael Bartholomæussen
Level 1
Level 1
In response to Rob Ingram

‎08-14-2019 03:51 AM

What about the outside IP for the secondary ISP - how is that applied?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Michael Bartholomæussen

‎08-14-2019 03:57 AM

You would define the IP address and nameif on another interface, which is connected to the 2nd ISP.
0 Helpful

Go to solution
Michael Bartholomæussen
Level 1
Level 1
In response to Rob Ingram

‎08-14-2019 04:10 AM

Okay, just to make sure I'm understanding this correctly. ASA 1, int 1, isp 1 + ASA 2 int 2, isp 2, everything configured on the active ASA.

 

Then when ASA 1 fails, it connects to the outside via int 2 on ASA 2. 

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Michael Bartholomæussen

‎08-14-2019 04:21 AM

If I understand you correctly, ASA1 is only connected to ISP1 and ASA2 is only connected to ISP2?
When you say ASA in HA do you mean Active/Standby failover?

If yes, obviously the configuration is replicated between the 2 devices and there will be 1 interface down on each ASA. So you could connect a switch on the outside interfaces and then connect to the ISP, so at least both ISPs will be reachable on both interfaces on both ASA. Or potentially not monitor the interface on the respective ASA.

So when ISP1 fails and the ICMP probe fails, yes it will failover to ISP2.

HTH
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card