03-21-2011 09:33 AM - edited 03-11-2019 01:10 PM
One of my remote sites acquires Internet connectivity via a cable modem service. This goes down intermittently, of course. I would like to purchase DSL service from the local telco and configure the edge ASA (currently a 5505) to use the cable modem path normally ... and fall back to the DSL path if necessary.
This seems hard to do. The edge box would need to evaluate the viability of a WAN path using some set of tests ... perhaps pings to a handful of major Internet sites. If all those pings start failing, it would stall for a minute, to give the WAN service provider time to recover ... then cut over to the second path. Cutting to the second path might mean pushing new DNS server addresses to clients (or perhaps the edge box would hand out both sets of DNS servers all the time and rely on the clients to try them all.) Once the cable modem provider restored service, the edge box would stall for a while (ten minutes? an hour?) and then cut back.
I'm willing to replace the edge box with something fancier (a bigger ASA or something sold as a router or whatever), although I'd like to stay under 10K (list) for such a replacement.
Is this a solvable problem?
--sk
Stuart Kendrick
FHCRC
03-21-2011 09:58 AM
You can configure dual ISP on the ASA, but this feature is mainly for outbound connectivity. Still, you can work out the inbound traffic by using IPs from the new WAN link to allow traffic in to your servers. Like you said, you would need some extra work for the DNS.
For the static NAT you could have something like these:
static (inside,OUTSIDE) 201.200.107.30 172.16.129.254 netmask 255.255.255.255
static (inside,NEWOUTSIDE) 186.90.90.10 172.16.129.254 netmask 255.255.255.255
03-21-2011 10:06 AM
Turns out I don't need to be concerned with inbound connectivity ... no servers hosted at this site, so the problem is relatively easy.
I see, effectively tracking static routes and failing over to a backup route if the primary becomes unavailable. The URL you sent doesn't work for me (Forbidden 403), but the following does:
http://www.cisco.com/en/US/customer/docs/security/asa/asa82/configuration/guide/route_static.html
Thanx,
--sk
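The tracked-static-route failover this post describes, as an added example in ASA 8.2 syntax (not posted by anyone in the thread). The interface names OUTSIDE and NEWOUTSIDE are borrowed from the reply above; every IP address, the SLA and track IDs, and the timer values are placeholder assumptions.

```cisco
! Added example, ASA 8.2 syntax. All addresses are placeholders
! taken from documentation ranges; substitute the real ones.
!
! Probe a host beyond the cable ISP's gateway, sourced from the
! primary interface, so an upstream outage is detected as well
! as a dead modem.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.10 interface OUTSIDE
 num-packets 3
 timeout 1000
 frequency 10
sla monitor schedule 1 life forever start-time now
!
! Track object 1 follows the reachability result of SLA operation 1.
track 1 rtr 1 reachability
!
! Primary default route (cable): installed only while track 1 is up.
route OUTSIDE 0.0.0.0 0.0.0.0 192.0.2.1 1 track 1
! Backup default route (DSL): worse administrative distance, so it
! is used only when the tracked route has been withdrawn.
route NEWOUTSIDE 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Outbound PAT on both paths, so inside hosts are translated
! whichever default route is active.
nat (inside) 1 0.0.0.0 0.0.0.0
global (OUTSIDE) 1 interface
global (NEWOUTSIDE) 1 interface
!
! Give DHCP clients resolvers that answer over either ISP
! (placeholder addresses), so no DNS change is needed on cutover.
dhcpd dns 203.0.113.53 198.51.100.53 interface inside
```

`show track` and `show route` show which default route is installed. This sketch sets no hold-down before failing back: the primary route returns as soon as the probe succeeds again.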
03-21-2011 10:09 AM
You need to log in first to Cisco's website.
Here is another link:
http://www.networkstraining.com/cisco-asa-5500-dual-isp-connection/