Re: Cisco 5510 ISP backup

lawsuites · ‎04-06-2011

Hello everyone,

I would like to setup backup ISP in our ASA5510. Right now the the firewall has for defualt gateway following command:

"route outside 0.0.0.0 0.0.0.0 114.324.321.33 1" i am changing this to

route outside 0.0.0.0 0.0.0.0 114.324.321.33 10 track 1 ...so i can setup sla monitoring

As soon as i do the above command and remove the orignal "route outside 0.0.0.0 0.0.0.0 114.324.321.33 1" from asa then internet connection drops.

Right now asa interface Ethernet0/0 has main isp configured and configuring interface Ethernet0/3 as backup.

interface Ethernet0/3
nameif backup
security-level 0
ip address 114.324.321.34 255.255.255.252
no shut
global (backup) 1 interface

route outside 0.0.0.0 0.0.0.0 114.324.321.33 10 track 1 ( Right now in firewall i have" route outside 0.0.0.0 0.0.0.0 114.324.321.33 1 " )

route backup 0.0.0.0 0.0.0.0 115.283.212.23 20 track 2

track 1 rtr 1 reachability

track 2 rtr 2 reachability

sla monitor 1
type echo protocol ipIcmpEcho 114.324.321.33 interface outside
sla monitor schedule 1 life forever start-time now
sla monitor 2
type echo protocol ipIcmpEcho 115.283.212.23 interface backup
sla monitor schedule 2 life forever start-time now

----------------------------------------

Also our firewall has site to site vpn and 1 main ip configured for exchange and remote access.

KARUPPUCHAMY MALAIYANDI · ‎04-06-2011

Hi,

ASA/PIX wont allow us to configure default route with same AD.

You can increase the AD value for the backup default route and apply the TRACK in the primary default route.

Also no need to apply the track to backup default route.

Updated configuration:-

interface Ethernet0/3
nameif backup
security-level 0
ip address 114.324.321.34 255.255.255.252
no shut

global (backup) 1 interface
route outside 0.0.0.0 0.0.0.0 114.324.321.33 1 track 1
route backup 0.0.0.0 0.0.0.0 115.283.212.23 254

track 1 rtr 1 reachability

sla monitor 1
type echo protocol ipIcmpEcho 114.324.321.33 interface outside
sla monitor schedule 1 life forever start-time now

Thanks

Karuppu

lawsuites · ‎04-06-2011

Karuppu, thanks for the quick response, will try that and let you know.

lawsuites · ‎04-07-2011

As soon as i took out "route outside 0.0.0.0 0.0.0.0 173.251.14.33 1" this and added " route outside 0.0.0.0 0.0.0.0 173.251.14.33 1 track 1" internet went down.

Let me give you more information how our isp gateway is setup:

global (outside) 1 interface
nat (inside) 0 access-list HOME-REMOTENONAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp Exchange2010 smtp netmask 255.255.255
.255
static (inside,outside) tcp interface https Exchange2010 https netmask 255.255.2
55.255
static (inside,outside) tcp interface 3389 10.10.10.203389 netmask 255.255.255.2
55
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 114.324.321.33 1
route inside 10.10.4.0 255.255.255.0 10.10.4.1 1
route inside 10.10.5.0 255.255.255.0 10.10.5.1 1
route inside 10.10.6.0 255.255.255.0 10.10.6.1 1
route inside 10.10.7.0 255.255.255.0 10.10.7.1 1
route inside 10.10.8.0 255.255.255.0 10.10.8.1 1
route inside 10.10.9.0 255.255.255.0 10.10.9.1 1

Pls help, thanks.

lawsuites · ‎04-13-2011

any advise on this, pls.