Configuring Traffic Zone on ASA

SIMMN
Spotlight

I have a dual-ISP connection (failover) at the edge of the campus network. We are setting up the new ASA with multiple contexts. Since IP SLA is not supported in multiple context mode, we are trying to go with the Traffic Zone feature to maintain the dual-ISP failover functionality. However, the confusion is: there is no configurable option to tweak for better predictability of how the failover would work with zones...

Here is a picture stolen from the configuration guide that represents the setup (we only have two ISPs instead of the four in the diagram).

http://www.cisco.com/c/dam/en/us/td/i/300001-400000/370001-380000/373001-374000/373595.eps/_jcr_content/renditions/373595.jpg

So questions:

1. If one ISP failed, say the medium between ASA and ISP CE failed, how does ASA detect the failover for switchover? 

2. For outbound NAT, how to NAT to individual IP addresses from each ISP dynamically? Say I have one /24 subnet on the LAN and one /24 subnet on the DMZ that need to be NATed when sending traffic through the ASA to the Internet.

object network LAN1-NAT-ISP1
subnet 10.18.0.0 255.255.255.0

object network DMZ-NAT-ISP1
subnet 172.16.0.0 255.255.255.0

object network LAN1-NAT-ISP2
subnet 10.18.0.0 255.255.255.0

object network DMZ-NAT-ISP2
subnet 172.16.0.0 255.255.255.0

Option #1: dynamic PAT pool:

object network ISP1-NAT-1
host 205.101.27.126

object network ISP1-NAT-2
host 205.101.27.127

object-group network ISP1-NAT-Pool
network-object object ISP1-NAT-1
network-object object ISP1-NAT-2

object network LAN1-NAT-ISP1
nat (Inside,any) dynamic pat-pool ISP1-NAT-Pool
object network LAN1-NAT-ISP2
nat (Inside,any) dynamic 18.195.59.126
object network DMZ-NAT-ISP1
nat (DMZ,any) dynamic pat-pool ISP1-NAT-Pool
object network DMZ-NAT-ISP2
nat (DMZ,any) dynamic 18.195.59.126

Option #2: simple dynamic PAT to a non-interface address:

object network LAN1-NAT-ISP1
nat (Inside,any) dynamic 205.101.27.126
object network LAN1-NAT-ISP2
nat (Inside,any) dynamic 18.195.59.126
object network DMZ-NAT-ISP1
nat (DMZ,any) dynamic 205.101.27.126
object network DMZ-NAT-ISP2
nat (DMZ,any) dynamic 18.195.59.126

3. If the above commands are correct for the setup, then why does the ASA complain "WARNING: Pool (205.101.27.126) overlap with existing pool."? Does this mean the ASA won't be able to smartly forward outbound traffic for NAT?

4. If the above commands are correct for the setup, then again as in question #1, how does the firewall decide which ISP to use?

I wish there were some kind of whitepaper or TAC document to better explain this...

Thanks,

/S
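Added example (not from the post or from Cisco's documentation) showing how a traffic zone, its two ISP-facing member interfaces and equal-cost default routes fit together, which is the part of the setup questions 1 and 4 ask about. Interface names, GigabitEthernet slots and the 203.0.113.x / 198.51.100.x addresses are constructed placeholders; it assumes ASA 9.3(2) or later in routed mode, and it deliberately leaves the per-ISP NAT question open.

```text
! Constructed ASA configuration fragment for the dual-ISP zone described above.

! One zone that will contain both ISP-facing interfaces
zone ISP-ZONE

interface GigabitEthernet0/0
 nameif ISP1
 security-level 0
 ip address 203.0.113.2 255.255.255.0
 zone-member ISP-ZONE
!
interface GigabitEthernet0/1
 nameif ISP2
 security-level 0
 ip address 198.51.100.2 255.255.255.0
 zone-member ISP-ZONE

! Two default routes with the same metric through members of the same zone.
! The ASA treats them as equal-cost (ECMP) paths: new connections are spread
! across both ISPs, and if an interface goes down its route is withdrawn, so
! later connections use the remaining ISP. Detection is interface/link state,
! not IP SLA tracking, so a failure upstream of the CE that leaves the link up
! is not detected by this alone.
route ISP1 0.0.0.0 0.0.0.0 203.0.113.1 1
route ISP2 0.0.0.0 0.0.0.0 198.51.100.1 1

! Checks: confirm both interfaces are zone members and both routes are installed
show zone ISP-ZONE
show route
show asp table zone
```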

2 Replies

Philip D'Ath
VIP Alumni

If you are going to go with multi-context mode (can you get rid of this?), then I think you will need a dynamic routing protocol with each ISP link.

No, cannot get rid of context. Even if I did, dynamic routing does not solve NAT and failover. Plus, barely any ISP would peer with a customer for non-BGP.
