Hi all,
I am not sure if a failover can be achieved in such a static setup. The scenario is as follows:
Subnets A to G are internal and go through ISP link 1. There is a Zscalerredirect filter applied to the LAN interface of the firewall that picks these internal subnets and causes them to take the exit point (ISP link 1) as per the custom routing table to traverse to Zscaler.
Subnets H to L are public subnets and go through ISP link 2. There is a Publicredirect filter that causes these subnets to take the exit point (ISP link 2) as per the custom routing table to direct egress to the internet. (This filter is NOT applied to the LAN interface of the firewall.) The internal and public subnets are in the same major class network, i.e. 10.0.0.0/8.
In both of these routing tables, the exit hop to ISP Link 1 and ISP Link 2 is set up as below:
Routing table Internal
primary exit path >>> ISP Link 1
backup exit path >>> ISP Link 2
Routing table Public
primary exit path >>> ISP Link 2
backup exit path >>> ISP Link 1
Is there a way to achieve automatic failover provided that there are static routing tables already set up for these two different classes of INTERNAL and PUBLIC subnets?
Note: There is no dynamic routing protocol used; the setup of routing table entries is all static.
The physical setup is very typical as below:
A single LAN connection on the gig interface of the firewall, with ISP link 1 on port 1 and ISP link 2 on port 2 respectively.
Thanks in advance for your help!