Solved: Cisco asa5510

lawsuites · ‎03-18-2011

Hello,

We are going to backup internet for our firm. How would i configure that in asa5510.

For example Lets say interface Ethernet0/1 has the current internet connection that we are using right now.

Now would like to configure interface Ethernet0/3 for our new second internet so for any reason our current internet goes down then user will not feel downtime.

for example lets say new internet provider ip is 143.328.321.34(usable ip), 143.328.321.33 (deffault gatway), and 255.255.255.248 - Subnet Mask

We also have exchange and lets say local ip is 11.11.11.28 and will create reverse dns for this 143.328.321.34.

Following is the example current configs:

hostname ASA-MP

domain-name domain.com

name 11.11.11.28 Exchange2010

dns-guard

!

interface Ethernet0/0

speed 100

duplex full

nameif outside

security-level 0

ip address 114.324.321.44 255.255.255.248

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 11.11.11.240 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

security-level 100

ip address 11.11.20.2 255.255.255.240

!

interface Ethernet0/3

nameif temp

security-level 0

no ip address

Pls help, thanks

Federico Coto Fajardo · ‎03-19-2011

Main interface E0
route outside 0 0 114.324.321.xxx 10 track 1

Backup interface E3
route backup 0 0 xxx.xxx.xxx.xxx 20 track 2

Configure SLA:

track 1 rtr 1 reachability

track 2 rtr 2 reachability

sla monitor 1
type echo protocol ipIcmpEcho x.x.x.x interface outside
sla monitor schedule 1 life forever start-time now
sla monitor 2
type echo protocol ipIcmpEcho y.y.y. interface backup
sla monitor schedule 2 life forever start-time now

Hope it helps.

Federico.

View solution in original post

Federico Coto Fajardo · ‎03-18-2011

Hi,

You can configure an internet connection on the ASA.

If using the outside interface, that interface will have the default gateway

route outside 0 0 x.x.x.x 10

Now, you can have another interface as backup

route backup 0 0 y.y.y.y 20

The above will work, but you also need SLA to track the state of the link in order for the ASA to be able to determine if one link is down to switch to the backup link and then switch back to the primary internet connection when it recovers.

Hope it helps.

Federico.

lawsuites · ‎03-18-2011

Thanks Federico,

Lets say i don't make SLA.

Can you give me the entries to configure the interface etherenet 3 for internet. I will plug the wire in interface 3 if our main internet goes down.

Also if i have to then how to do SLA?

thanks

Federico Coto Fajardo · ‎03-19-2011

Main interface E0
route outside 0 0 114.324.321.xxx 10 track 1

Backup interface E3
route backup 0 0 xxx.xxx.xxx.xxx 20 track 2

Configure SLA:

track 1 rtr 1 reachability

track 2 rtr 2 reachability

sla monitor 1
type echo protocol ipIcmpEcho x.x.x.x interface outside
sla monitor schedule 1 life forever start-time now
sla monitor 2
type echo protocol ipIcmpEcho y.y.y. interface backup
sla monitor schedule 2 life forever start-time now

Hope it helps.

Federico.

lawsuites · ‎03-21-2011

thanks:

lawsuites · ‎04-03-2011

..

lawsuites · ‎04-03-2011

Hello Federico,

After carefully reading your response i think i got it and understood where i was making mistake . I am going to do the following, can you please advise if this is correct:

global (backup) 1 interface

route outside 0 0 114.324.321.33 10 track 1

route backup 0 0 115.283.212.23 20 track 2

Configure SLA:

track 1 rtr 1 reachability

track 2 rtr 2 reachability

sla monitor 1
type echo protocol ipIcmpEcho 114.324.321.33 interface outside
sla monitor schedule 1 life forever start-time now
sla monitor 2
type echo protocol ipIcmpEcho 212.23 20 interface backup
sla monitor schedule 2 life forever start-time now

Thank you very much for your time.

andamani · ‎03-21-2011

Hi Gurpreet,

To validate fredrico's configuration the following link gives the details of the SLA monitoring:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

lawsuites · ‎03-21-2011

thanks

lawsuites · ‎03-31-2011

Ok, finally got the back installed by 2nd ISP. Now i am ready to make these changes but would like to clear some question out before i do this.

Right now with current and primry we have only IP address that work for exchange reverse dns, remote desktop, has vpn connection to remote side and have postini spam filtering in asa5510.

If make changes that is recommend nothing else will break right? Also should pi also setup the backup as forward for remote deskto and postini filltering for exchange?

Thanks

sushil · ‎04-01-2011

Yes.Nothing will break.The ISP will run in active/passive.

If primary goes down only then backup will come into picture.

lawsuites · ‎04-02-2011

....

lawsuites · ‎04-04-2011

bump, pls help.