Solved: Re: configure dual isp for failover on asa 5505

TY08 · ‎12-05-2013

guys,

how do you configure firewall when one of the isps is dynamic? primary internet is static and secondary internet is dynamic

i setup 3 vlans, 2 outside vlans and 1 inside vlan. i specify route command for the outside vlan with the track, but i don't know how to setup route command for the dynamic ip. i also configure sla command. whenever the primay is not connected the secondary doesn't work, but i have no problem if connecting directly to with laptop.

let me know your thoughts.

thank you in advanced guys.

mumbles202 · ‎12-06-2013

Can you do something like this:

sla monitor 123

type echo protocol ipIcmpEcho 8.8.8.8 interface outside

num-packets 3

frequency 10

sla monitor schedule 123 life forever start-time now

track 1 rtr 123 reachability

route outside 0.0.0.0 0.0.0.0 10.10.10.1 1 track 1

sla monitor 225

type echo protocol ipIcmpEcho 8.8.8.8 interface outsidebackup

num-packets 3

frequency 10

sla monitor schedule 225 life forever start-time now

track 2 rtr 225 reachability

interface Vlan3

nameif outsidebackup

dhcp client route track 2

dhcp client route distance 25

ip address dhcp setroute

View solution in original post

Julio Carvajal · ‎12-06-2013

Hello David,

Excellent, I did not tough about the DHCP client route option (Kudos to you )

Now, I would agree with your configuration except with the SLA 225.

I mean why would track the route through VLAN 3.

As soon as the ASA primary is back and running preemption will take place.

So the configuration you need as David suggested will be:

sla monitor 123

type echo protocol ipIcmpEcho 8.8.8.8 interface outside

num-packets 3

frequency 10

sla monitor schedule 123 life forever start-time now

track 1 rtr 123 reachability

route outside 0.0.0.0 0.0.0.0 10.10.10.1 1 track 1

interface Vlan3

nameif outsidebackup

dhcp client route distance 25

ip address dhcp setroute

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Julio Carvajal · ‎12-06-2013

Hello Tedy,

They provide you dynamic IP address for the outside interface ? Is that what you are saying?

or are you saying that there IP is dynamic?? cause they will need to provide you with a defined gateway IP for this to work.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

TY08 · ‎12-06-2013

Hi Julio,

Yes, they provide me with dynamic ip address. so it looks like this, I don't know how to make the route fail automatically since the second ISP is dynamic.

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

switchport access vlan 3

interface Vlan2

nameif outside

security-level 0

ip address 10.10.10.10 255.255.255.0

!

interface Vlan3

nameif outsidebackup

security-level 0

ip address dhcp setroute

route outside 0.0.0.0 0.0.0.0 10.10.10.1 1 track 1

sla monitor 123

type echo protocol ipIcmpEcho 8.8.8.8 interface outsidebackup

num-packets 3

frequency 10

sla monitor schedule 123 life forever start-time now

track 1 rtr 123 reachability

Julio Carvajal · ‎12-06-2013

Hello Tedy,

The IP address you get is dynamic but can you talk to them about this implementation so they can let you know if it's possible to have the same default-gateway (their IP address) ??

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

mumbles202 · ‎12-06-2013

Can you do something like this:

sla monitor 123

type echo protocol ipIcmpEcho 8.8.8.8 interface outside

num-packets 3

frequency 10

sla monitor schedule 123 life forever start-time now

track 1 rtr 123 reachability

route outside 0.0.0.0 0.0.0.0 10.10.10.1 1 track 1

sla monitor 225

type echo protocol ipIcmpEcho 8.8.8.8 interface outsidebackup

num-packets 3

frequency 10

sla monitor schedule 225 life forever start-time now

track 2 rtr 225 reachability

interface Vlan3

nameif outsidebackup

dhcp client route track 2

dhcp client route distance 25

ip address dhcp setroute

Julio Carvajal · ‎12-06-2013

Hello David,

Excellent, I did not tough about the DHCP client route option (Kudos to you )

Now, I would agree with your configuration except with the SLA 225.

I mean why would track the route through VLAN 3.

As soon as the ASA primary is back and running preemption will take place.

So the configuration you need as David suggested will be:

sla monitor 123

type echo protocol ipIcmpEcho 8.8.8.8 interface outside

num-packets 3

frequency 10

sla monitor schedule 123 life forever start-time now

track 1 rtr 123 reachability

route outside 0.0.0.0 0.0.0.0 10.10.10.1 1 track 1

interface Vlan3

nameif outsidebackup

dhcp client route distance 25

ip address dhcp setroute

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

mumbles202 · ‎12-06-2013

Good point. I was thinking about a situation I worked on where I was using the dhcp address as a primary route out and then failed back to my static route.

TY08 · ‎12-06-2013

David and Julio,

Thank you for both your inputs. I will try your approach.

Julio Carvajal · ‎12-06-2013

Hello Tedy,

Excellent, in the mean time you can rate all of our answers,

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC