07-09-2013 02:16 AM - edited 03-11-2019 07:09 PM
I want to set up this scenario:
I've an ASA 5510, and Ethernet 0 is the outside interface, connected to ISP01. The IP address of the outside interface is 1.1.1.1
I've Ethernet 3 configured as INSIDE, and it is connected to the internal LAN; its IP address is 10.1.1.1
On the internal network, I've another ROUTER that is connected to ISP02.
The router has LAN IP address 10.1.1.2 (so it is on the same subnet as the INSIDE interface of the firewall and the LAN)
Now, I want to set up SLA monitoring on FIREWALL01 (ASA 5510) to:
1. Default route to its ISP01
2. Monitor a real IP address on the internet, for example 8.8.8.8
3. If connectivity to this IP address is lost, have the firewall route all default traffic via the ROUTER, at its IP 10.1.1.2
Is this possible?
Regards!
07-09-2013 02:28 AM
Hi,
Doesn't seem to be the usual setup, where the ASA would directly have 2 different interfaces connected to 2 different ISPs.
The general configuration format for configuring IP SLA would be:
sla monitor 1
type echo protocol ipIcmpEcho 8.8.8.8 interface outside
num-packets
timeout
frequency
sla monitor schedule 1 life forever start-time now
You will also need a configuration related to the command "track":
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 1.1.1.x track 1
route inside 0.0.0.0 0.0.0.0 10.1.1.2 254
However, I think you will also require additional configurations.
You would need at least "same-security-traffic permit intra-interface" because when the main ISP connection fails and the default route starts pointing towards the "inside" interface, the traffic has to take a U-turn on the same interface of the ASA.
I kind of wonder about the NAT setup also. Depending on your setup you might run into asymmetric routing where the ASA would first forward traffic to the ISP2 router, and when the return traffic for that connection comes from ISP2 and passes the router to your LAN network, then depending on your setup the traffic might be forwarded directly to the hosts without passing the ASA at all. This would make the ASA block these connections from ever forming.
Essentially, to make sure that the ASA sees all these connections you would have to configure Dynamic PAT also for the traffic that is entering the "inside" and leaving through the "inside" towards the ISP2 connection. You would have to use the ASA "inside" interface IP address as the PAT IP address to make sure that the return traffic gets passed back through the ASA and the connections succeed.
Naturally TCP State Bypass would be an alternative, but I wouldn't suggest it.
If I understood you correctly you also had some other "inside" interfaces on the ASA. I am not sure if these require any NAT in this case, as the ASA needs to be "crossed" to reach those "inside" networks. EDIT: It seems to me you were referring to the Ethernet3 port rather than 3 inside interfaces?
A picture of the topology would certainly clear things up IF the above things I listed aren't true about your setup.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni
07-09-2013 02:49 AM
Hi JouniForss!
Attached, find the picture of the scenario:
Let me know if it is clear, and where else I've to pay attention.
Regards!
07-09-2013 03:00 AM
Hi,
So are you simply testing the setup on GNS3 (or whatever the software was named) or are you planning to implement this in an actual network?
Naturally the simplest way to implement this with ASA would be to have the 2 ISPs directly connected to the same ASA so there would be no need to forward traffic back and forth through the "inside" interface of the ASA.
In our case we handle 2 ISP setups on Cisco routers and never do them on the ASAs, so I have very little experience of the Dual ISP setup on the ASAs. I've mostly tested them with some ASAs, but we don't implement them for customers with ASA firewalls alone.
- Jouni
07-09-2013 03:05 AM
Hi there!
I'm not testing, but I want to implement.
And the quicker way to draw the picture is to use GNS3.
Also, keep in mind that ASA1 and ASA2 are in two different sites, but are connected with each other via fiber optic. So one ASA firewall will be on one site, the other on the second site.
So I could not put two different ISPs directly on the same ASA, because they are physically separated.
Hope it is clear.
Regards!
07-09-2013 03:18 AM
Hi,
Naturally that makes it more clear. I had no idea we were talking about 2 different sites.
I guess it shouldn't really change the original setup.
When we consider the normal situation where ISP1 is in use on the site where we are configuring IP SLA, then naturally you probably already have all the needed ACL, NAT and routing configurations in place so that connections work.
When adding the backup route you have to make sure of at least the following things (some of which I have already mentioned)
I am not sure if there's something else. I would imagine that the NAT configurations and ACLs are already in order at the second ISP site, so that they don't need to be modified to make this possible.
The main thing to me would seem to be issuing the mentioned command (if not already present) and configuring the Dynamic PAT from "inside" to "inside" using the "inside" interface IP address as the PAT IP address, to make sure that the traffic from the 2nd ISP ASA will head to the other ASA before going to the hosts. Otherwise you will run into problems with asymmetric routing that will essentially prevent connectivity through the secondary ISP.
In general if you have a basic Dynamic PAT configured like this on the ASA
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
Then the only thing that needs to be added for the "inside" to "inside" Dynamic PAT is the following command
global (inside) 1 interface
Hope this helps
- Jouni
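The pieces Jouni gives across the two replies above (the IP SLA probe, the tracked routes, the intra-interface permit and the inside-to-inside PAT) put together as one added example in the pre-8.3 ASA syntax used in this thread. This is not Jouni's or the original poster's configuration; the ISP01 next hop 1.1.1.254 is a placeholder (the thread only gives "1.1.1.x"), and the probe timer values are assumptions, not values from the thread.

```cisco
! Added example, not from the thread. Assumptions: ISP01 gateway 1.1.1.254
! (placeholder), LAN 10.1.1.0/24, inside interface 10.1.1.1, ISP02 router
! 10.1.1.2, probe target 8.8.8.8. Timers (3 echoes, 1 s timeout, every 10 s)
! are assumed values; tune them to what the primary link normally delivers.
!
! 1. ICMP echo probe to 8.8.8.8, forced out the outside interface so the
!    probe itself never takes the backup path and masks an ISP01 failure.
sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 num-packets 3
 timeout 1000
 frequency 10
sla monitor schedule 1 life forever start-time now
!
! 2. Object tracker bound to the probe; goes Down when the echoes fail.
track 1 rtr 1 reachability
!
! 3. Primary default route stays installed only while track 1 is Up;
!    the backup via the ISP02 router has a worse metric (254) so it only
!    takes over once the tracked route is withdrawn.
route outside 0.0.0.0 0.0.0.0 1.1.1.254 1 track 1
route inside 0.0.0.0 0.0.0.0 10.1.1.2 254
!
! 4. Allow traffic to enter and leave the same interface (the U-turn on
!    inside that the backup route causes).
same-security-traffic permit intra-interface
!
! 5. Dynamic PAT. The extra "global (inside)" line PATs LAN hosts behind the
!    inside interface address 10.1.1.1 when traffic leaves via inside, so the
!    ISP02 router returns replies to the ASA instead of straight to the host
!    (otherwise the ASA never sees the reply and the connection never forms).
global (outside) 1 interface
global (inside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
!
! Verification (exec mode):
!   show sla monitor operational-state 1   -> latest return code of the probe
!   show track 1                           -> Reachability is Up / Down
!   show route                             -> which 0.0.0.0/0 is installed
```

Two practical notes: after the track flips, connections already in the ASA's connection table keep their original egress path and either time out or have to be cleared before they use the new route; and on ASA 8.3 and later the same inside-to-inside PAT is expressed with a `nat (inside,inside) dynamic interface` rule rather than the `global`/`nat` pair shown here.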
07-09-2013 03:25 AM
Hi JouniForss!
I'll allow same-security-traffic permit intra-interface
At least, this is the way I've designed it so far.
If there is a better way to accomplish this, let me know.
Don't forget that the two firewalls are on two separate sites.
Regards!
07-09-2013 03:56 AM
Hi,
I guess there would be other ways to do this, but considering the existing devices, and if they are to be used, I don't know if there are many other ways to do this without changing the setup.
We host most of our firewall services on our datacenters and provide the customer fiber/copper connections to the site and between the sites and we usually handle all the routing and firewall for the customer. I have not implemented this kind of setup before.
Please do remember to mark a reply as the correct answer or rate helpful answers.
- Jouni