ASA route tracking & backup ACL

scott.bridges
Level 1

I have an ASA 5505 with a T1 (outside, 1.1.1.1) as the primary route, then a DSL line (backup, 2.2.2.2) as secondary, all with LAN (inside, 192.168.1.1).

Right now it successfully injects the backup route if the outside goes down, then switches back over when the T1 comes back up. This is working fine.

My problem is that I have an Exchange Server (192.168.1.5, 192.168.1.6 secondary IP) living on the LAN and I need to be able to send/receive email traffic while the backup route is in place.

Another problem is that while I have multiple static IPs on the T1 side, I only have one on the DSL side.

I just created an access-list for the backup and put it in place. I'm going to show a couple of lines of the config. Could someone please tell me if I have it correct?

access-list mainacl extended permit tcp any host 1.1.1.2 eq smtp
access-list backupacl extended permit tcp any host 2.2.2.2 eq smtp
static (inside,outside) 1.1.1.2 192.168.1.5 netmask 255.255.255.255
static (inside,backup) tcp interface smtp 192.168.1.6 smtp netmask 255.255.255.255
access-group mainacl in interface outside
access-group backupacl in interface backup

This is a live ASA so I haven't tested it yet. But assuming the T1 (outside) goes down and the DSL (backup) becomes live, should the above ACL kick in and all should work?

If so then I can adjust our hosted mail security to use the failover, also.

Thanks for any help or tips
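The question above is really a consistency check: every inbound SMTP permit on an interface only does something if a static on that same interface translates the permitted destination to the Exchange host. The script below is an added example (not from the original post or from Cisco) that parses the pre-8.3 style `access-list`, `static` and `access-group` lines posted above and reports, per interface, which permitted destination host is actually translated and to what. The interface addresses (outside 1.1.1.1, backup 2.2.2.2) are taken from the question; the `interface` keyword in a static is resolved to that address, which is why a single DSL address is enough. The sample configs and the port-name table are constructed for the example.

```python
# Constructed sample: the six config lines from the question.
SAMPLE_CONFIG = """\
access-list mainacl extended permit tcp any host 1.1.1.2 eq smtp
access-list backupacl extended permit tcp any host 2.2.2.2 eq smtp
static (inside,outside) 1.1.1.2 192.168.1.5 netmask 255.255.255.255
static (inside,backup) tcp interface smtp 192.168.1.6 smtp netmask 255.255.255.255
access-group mainacl in interface outside
access-group backupacl in interface backup
"""

# Constructed negative case: the backup ACL permits an address nothing translates.
BROKEN_CONFIG = SAMPLE_CONFIG.replace("host 2.2.2.2 eq smtp", "host 2.2.2.3 eq smtp")

# Interface addresses from the question; the static 'interface' keyword maps to these.
INTERFACE_IPS = {"outside": "1.1.1.1", "backup": "2.2.2.2"}

# Assumed subset of the service names the ASA accepts in place of port numbers.
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}


def port_number(tok):
    """Normalise 'smtp' or '25' to an integer port."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _take_addr(tokens, i):
    """Consume one address spec (any | host A | NET MASK) at tokens[i]; return (spec, next_i)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2


def parse_config(text):
    """Return (acls, statics, groups) from 'access-list', 'static' and 'access-group' lines."""
    acls, statics, groups = {}, [], {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2:4] == ["extended", "permit"]:
            name, proto = t[1], t[4]
            _src, i = _take_addr(t, 5)
            dst, i = _take_addr(t, i)
            port = port_number(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            acls.setdefault(name, []).append({"proto": proto, "dst": dst, "port": port})
        elif t[0] == "static":
            _real_ifc, mapped_ifc = t[1].strip("()").split(",")
            if t[2] in ("tcp", "udp"):  # port static: proto mapped mport real rport
                statics.append({"ifc": mapped_ifc, "proto": t[2], "mapped": t[3],
                                "mapped_port": port_number(t[4]), "real": t[5]})
            else:                       # one-to-one static: mapped real
                statics.append({"ifc": mapped_ifc, "proto": None, "mapped": t[2],
                                "mapped_port": None, "real": t[3]})
        elif t[0] == "access-group" and t[2:4] == ["in", "interface"]:
            groups[t[4]] = t[1]
    return acls, statics, groups


def check_inbound_translations(text, interface_ips):
    """For each inbound permit to a single host, find the static on the same interface
    whose mapped address (and port/protocol, for port statics) matches.
    Returns [(interface, acl, dst, port, real_host_or_None), ...]."""
    acls, statics, groups = parse_config(text)
    findings = []
    for ifc, acl_name in groups.items():
        for ace in acls.get(acl_name, []):
            if ace["dst"] == "any" or "/" in ace["dst"]:
                continue  # only host destinations are checked in this example
            real = None
            for s in statics:
                if s["ifc"] != ifc:
                    continue
                mapped = interface_ips.get(ifc) if s["mapped"] == "interface" else s["mapped"]
                if mapped != ace["dst"]:
                    continue
                if s["mapped_port"] is not None and s["mapped_port"] != ace["port"]:
                    continue
                if s["proto"] is not None and s["proto"] != ace["proto"]:
                    continue
                real = s["real"]
                break
            findings.append((ifc, acl_name, ace["dst"], ace["port"], real))
    return findings


def untranslated(findings):
    """Permitted destinations that no static on that interface translates."""
    return [f for f in findings if f[4] is None]


if __name__ == "__main__":
    for f in check_inbound_translations(SAMPLE_CONFIG, INTERFACE_IPS):
        print(f)
    print("untranslated in broken config:",
          untranslated(check_inbound_translations(BROKEN_CONFIG, INTERFACE_IPS)))
```

On the posted lines the check pairs `mainacl`/outside with 192.168.1.5 and `backupacl`/backup with 192.168.1.6, so the permits and statics agree; the constructed broken variant shows what a mismatch looks like. The script only checks object consistency on the firewall side: whether mail actually arrives during failover still depends on the tracked default route switching and on the MX/DNS side pointing at the backup address.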

3 Replies

Collin Clark
VIP Alumni

Your ACLs and statics look good. The biggest problem is with DNS/MX records.

Hope it helps.

Great. I was pretty sure the ACLs were correct, my worry was if this was possible.

I'm not sure of the mechanics of route tracking and if the backupacl would be valid if a different default route was injected.

So this setup sounds plausible? 'outside' goes down, 'backup' goes up, SMTP traffic still able to get through?

That's the goal.

Thanks

Yup, if everything is configured correctly :-)
