ASA - Simple manual WAN failover

alieas007
Level 1

Hello all.  I have recently started working with our ASA 5510 and have learned a lot in the past few weeks.  I most recently have updated our IOS from 7.0 to 8.22 and started setting up some QoS.

Our setup has two WANs (6.6.6.6 and 2.2.2.2).  2.2.2.2 is our newer ISP used for almost everything, 6.6.6.6 is the legacy ISP used for incoming connections (VPN, Testing Servers, etc).

All I want to do is manually switch over a subnet to use the legacy ISP in case of an emergency, it doesn't need to be automated.  I thought that just changing the pointer on the "nat" statement from "30" to "10" on say the "wguest" network would push the wguest traffic out of the "outside" interface, but in reality I cannot get this to work.  After spending all day on this yesterday I am seeking some help.  Here is the pertinent information from the config.   Can anyone explain the procedure to change the "wguest" network to use the "outside" interface for WAN?  Thank you!

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 6.6.6.6 255.255.255.0
!
interface Ethernet0/1
 no nameif
 security-level 100
 no ip address
!
interface Ethernet0/1.1
 vlan 3
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1.2
 vlan 10
 nameif wguest
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
interface Ethernet0/1.3
 vlan 11
 nameif woffice
 security-level 100
 ip address 10.11.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif NewISP
 security-level 100
 ip address 2.2.2.2 255.255.255.0
!
global (outside) 10 interface
global (NewISP) 30 interface
nat (inside) 30 0.0.0.0 0.0.0.0
nat (wguest) 30 10.10.1.0 255.255.255.0
nat (woffice) 30 10.11.1.0 255.255.255.0
!

1 Accepted Solution

Jouni Forss
VIP Alumni

Hi,

For outbound connections there are to my understanding a couple of options to handle choosing the ISP interface of the ASA.

The officially supported way is to use the Dual ISP where the Main ISP is active as long as the tracked active route is working. If not, it will fail to the other ISP. This essentially means that you can't have 2 default gateways active at the same time for the hosts on your LAN.

The unofficial way to utilize 2 ISP links on ASA for outbound connections would be to use a newer software and use the NAT to manipulate the ASA's routing decision to mimic a PBR-like operation (Policy Based Routing).

- Jouni

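The supported Dual ISP setup Jouni describes, written out as an added example for the posted 8.2 config (this is not configuration from the thread or from Cisco documentation verbatim). It also shows why the original "change the nat pointer from 30 to 10" attempt could not work: in 8.2 the egress interface is chosen by the routing table, and the NAT ID of the nat statement is then matched against a global on that egress interface. With the default route still pointing at NewISP, nat ID 10 found no global on NewISP, so the wguest traffic had nothing to translate to. The gateway addresses 2.2.2.1 and 6.6.6.1 are assumed placeholders; replace them with the real ISP next hops. The manual switch at the end moves the whole firewall, not a single subnet; per-subnet selection is the 8.3+ NAT approach Jouni mentions.

```text
! Added example, not from the thread: ASA 8.2 dual ISP with SLA tracking,
! built on the interface names and NAT IDs from the posted config.
! 2.2.2.1 and 6.6.6.1 are assumed ISP gateways (placeholders).
!
! 1. Probe the primary ISP gateway through the NewISP interface.
sla monitor 10
 type echo protocol ipIcmpEcho 2.2.2.1 interface NewISP
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
!
! 2. Tie a tracked object to the probe.
track 1 rtr 10 reachability
!
! 3. The primary default route is installed only while track 1 is up; the
!    legacy ISP route floats at a high metric and takes over when the
!    primary is withdrawn.
route NewISP 0.0.0.0 0.0.0.0 2.2.2.1 1 track 1
route outside 0.0.0.0 0.0.0.0 6.6.6.1 254
!
! 4. Keep the existing NAT IDs, but give ID 30 a global on "outside" too:
!    in 8.2 the global is looked up on the egress interface that routing
!    selected, so without this line failed-over traffic has no PAT entry.
global (outside) 10 interface
global (outside) 30 interface
global (NewISP) 30 interface
nat (inside) 30 0.0.0.0 0.0.0.0
nat (wguest) 30 10.10.1.0 255.255.255.0
nat (woffice) 30 10.11.1.0 255.255.255.0
!
! Manual "emergency" switch: withdraw the primary default route so the
! floating route on outside becomes active, then drop existing translations
! so new connections re-egress via the legacy ISP.
!   no route NewISP 0.0.0.0 0.0.0.0 2.2.2.1 1 track 1
!   clear xlate
! Verify the active default route and the tracker state with:
!   show route | include 0.0.0.0
!   show track 1
```

Once the tracked route works, the floating route and the extra global on outside are what make the automatic failover actually carry translated traffic; without the second global the route flips but sessions fail.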

6 Replies

paolo bevilacqua
Hall of Fame
Wrong forum, post in "Security - Firewalling". You can move your posting with the Actions panel on the right.

Jouni thank you for the reply.  For your "unofficial" solution do you mean a newer software than 8.22?   I think I will attempt the SLA tracked failover method tonight first and if that doesn't work I will try static routes for each subnet.   I will be sure to let you know the result, thanks again.

Hi,

Yes, using the NAT to manipulate a PBR type traffic forwarding would require a software level 8.3+ (preferably 8.4 and above)

Compared to 8.2 the NAT configuration format has completely changed. So you would need to learn the new NAT format.

If the firewall NAT configurations are simple the jump to the new software isn't that big of a deal. In some cases the move to the new software might actually enable you to considerably minimize the NAT configuration at the same time.

- Jouni
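What the 8.3+ "NAT as PBR" approach looks like in the post-8.3 NAT format, as an added example that is not part of Jouni's reply or the original config. In 8.3 and later a matching NAT rule names both the real and the mapped interface, and the ASA uses that mapped interface as the egress for a new connection, which is what lets one subnet leave via a different ISP than the default route. The object names and the gateway addresses 2.2.2.1 and 6.6.6.1 are assumed placeholders.

```text
! Added example, not from the thread: 8.4-format NAT that sends only the
! wguest subnet out the legacy ISP while inside and woffice keep using NewISP.
! Object names and gateway addresses (2.2.2.1, 6.6.6.1) are placeholders.
!
object network wguest-net
 subnet 10.10.1.0 255.255.255.0
 nat (wguest,outside) dynamic interface
!
object network inside-net
 subnet 192.168.1.0 255.255.255.0
 nat (inside,NewISP) dynamic interface
!
object network woffice-net
 subnet 10.11.1.0 255.255.255.0
 nat (woffice,NewISP) dynamic interface
!
! The primary default route stays on NewISP; a floating default route on
! "outside" gives the ASA a next hop for traffic that NAT steered there.
route NewISP 0.0.0.0 0.0.0.0 2.2.2.1 1
route outside 0.0.0.0 0.0.0.0 6.6.6.1 254
!
! To move wguest back to the primary ISP, change its mapped interface and
! clear the existing translations for that network:
!   object network wguest-net
!    nat (wguest,NewISP) dynamic interface
!   clear xlate local 10.10.1.0 netmask 255.255.255.0
!
! Check which interface the ASA picks for a wguest host (constructed flow,
! 198.51.100.10 is documentation address space):
!   packet-tracer input wguest tcp 10.10.1.50 40000 198.51.100.10 80
```

The packet-tracer output ends with the egress interface and the NAT phase that matched, so it is the quickest way to confirm that the wguest rule, and not the default route, decided the path.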

Jouni, thank you for your assistance.  I set up the SLA track last night and it works perfectly, excellent solution!

Hey Joe

Don't give the high security level to your new ISP interface.
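The point behind that advice, shown on the posted interface stanza as an added example (not from the thread): NewISP is Internet-facing but sits at security-level 100, the same level as inside, wguest and woffice. Traffic between equal-level interfaces is forwarded only when same-security-traffic permit inter-interface is enabled, and then it is forwarded in both directions with no access list, so anything arriving through NewISP could initiate connections toward the internal networks. At level 0 the default policy denies NewISP-initiated traffic toward the level-100 interfaces unless an access list on NewISP permits it. The mapped address in the ACL comment is a placeholder.

```text
! As posted: the Internet-facing interface at the same level as the LANs.
interface Ethernet0/2
 nameif NewISP
 security-level 100
 ip address 2.2.2.2 255.255.255.0
!
! Corrected: an ISP interface is untrusted, so it gets the lowest level.
interface Ethernet0/2
 nameif NewISP
 security-level 0
 ip address 2.2.2.2 255.255.255.0
!
! Anything that must come in from the Internet via NewISP is then permitted
! explicitly (2.2.2.10 is a placeholder for a published mapped address):
!   access-list NewISP_in extended permit tcp any host 2.2.2.10 eq https
!   access-group NewISP_in in interface NewISP
```

With outside already at level 0 in the posted config, this makes both ISP interfaces behave the same way: outbound from the LANs is allowed by the level difference, inbound needs an explicit rule.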
