interface failover issue

wasahongNYC

Hello everyone,

I've got an ASA 5550 firewall interface failover issue. Please take a look at the attached file.

When I shut down the inside interface Gi 1/1 of the left firewall (the active firewall), it failed to fail over. But when I shut down Gi 1/12 of the Core 1 switch, the firewall failed over very well.

I followed this guide but I was not able to fail over:

https://supportforums.cisco.com/thread/228489

How can I configure it so that when the Gi 1/1 or Gi 1/0 interface goes down, it can fail over?

I appreciate any help.

Thanks,

ASA config:

.....
interface GigabitEthernet0/3
 description STATE Failover Interface
!
interface Management0/0
 description LAN Failover Interface
 management-only
!
interface GigabitEthernet1/0
 media-type sfp
 nameif outside
 security-level 0
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1/1
 media-type sfp
 nameif inside
 security-level 100
 ip address 192.168.4.1 255.255.255.0
!
interface GigabitEthernet1/2
 media-type sfp
 nameif inside-backup
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface GigabitEthernet1/3
 media-type sfp
 nameif outside-backup
 security-level 0
 ip address 192.168.3.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type AllowedICMP
 icmp-object echo
 icmp-object echo-reply
 icmp-object traceroute
 icmp-object unreachable
 icmp-object time-exceeded
access-list EXEMPT extended permit ip 192.168.4.0 255.255.255.0 any
access-list EXEMPT extended permit ip 10.1.0.0 255.255.0.0 any
access-list EXEMPT extended permit ip 192.168.5.0 255.255.255.0 any
access-list no-nat extended permit ip 10.1.0.0 255.255.0.0 host 0.0.0.0
access-list outside_access_in extended permit icmp any any object-group AllowedICMP
access-list outside_access_in extended permit ip host 192.168.2.253 any
access-list outside_access_in extended permit ip 192.168.2.0 255.255.255.0 any
failover
failover lan unit secondary
failover lan interface fobasic Management0/0
failover key *****
failover link fostate GigabitEthernet0/3
failover interface ip fobasic 192.168.200.1 255.255.255.0 standby 192.168.200.2
failover interface ip fostate 192.168.201.1 255.255.255.0 standby 192.168.201.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any unreachable outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside-backup) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group outside_access_in out interface outside
access-group EXEMPT in interface inside
access-group EXEMPT out interface inside
!
router eigrp 10
 no auto-summary
 network 192.168.2.0 255.255.255.0
 network 192.168.3.0 255.255.255.0
 network 192.168.4.0 255.255.255.0
 network 192.168.5.0 255.255.255.0
 redistribute static
!
route outside 0.0.0.0 0.0.0.0 192.168.2.254 1
……
http 10.1.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
track 1 rtr 123 reachability
……..
management-access inside
dhcpd dns x.x.x.x
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
…..

Accepted Solution

Andrew Phirsov

It's normal behavior))). When you do a shutdown of gi1/1 on the active ASA, you automatically shut down the same interface on the standby appliance. So the normal command synchronization is happening and no failover occurs.

But when you shut down the interface of a switch, the interface of the active ASA gets marked as failed, and failover happens.


Hi Andrew,

Thank you so much for your instant reply. It does help me a lot.

Actually, my goal is to test the firewall failover situation, since I hope that when the left ASA (either the device itself or any interface) goes down, the right ASA can take over very well.

In this case, on top of 1) unplugging the cable between the Core 1 switch and the left ASA and 2) unplugging the left ASA power, is there any way that I can test Gi 1/1 failover of the left ASA?

Thanks again,

If you unplug the cable between core 1 and the left ASA, the failover will occur, as long as monitoring of gi1/1 is enabled on the ASA (which it is by default). And by unplugging that cable you're testing gi1/1, as you asked in the last sentence. If you unplug the left ASA power, failover will also happen.

Hi Andrew,

Thank you again for your reply. May I ask one more question?

I am configuring the failover for the two interfaces between the router and the left switch. What I want is that when the left switch's outside interface (connecting to the router) shuts down, the inbound traffic should go this way: router -> right switch -> left ASA, and outbound as well.

After I shut down the switch's interface (connecting to the router), the connectivity situation is:

the host can ping the router's backup interface (192.168.3.253), and 192.168.3.253 can ping 4.2.2.2,
while the host can NOT ping 4.2.2.2;
also, 192.168.3.253 can ping the left firewall's 1/3 interface (192.168.3.1).

I think there is something wrong with my firewall configuration or router static route configuration, so please help me when you are available.

This is my first time configuring IP SLA for a backup static route. Correct me if I am wrong.

Thanks in advance.

Router config:

…………..
interface GigabitEthernet0/0
 description ISP circuit order 1-111111111111
 ip address X.X.X.X 255.255.255.248
 ip accounting output-packets
 ip nat outside
 ip nat enable
 no ip virtual-reassembly
 duplex full
 speed 1000
 media-type sfp
 no negotiation auto
!
interface GigabitEthernet0/1
 description uplink to main-1 interface g 1/0/12
 ip address 192.168.2.253 255.255.255.0
 ip accounting output-packets
 ip nat inside
 ip nat enable
 no ip virtual-reassembly
 duplex full
 speed 1000
 media-type sfp
 no negotiation auto
 standby 2 ip 192.168.2.254
 standby 2 priority 110
 standby 2 preempt
!
interface GigabitEthernet0/2
 ip address 192.168.3.253 255.255.255.0
 no ip redirects
 duplex full
 speed 1000
 negotiation auto
 standby 3 ip 192.168.3.254
 standby 3 priority 110
 standby 3 preempt
!
router eigrp 10
 redistribute static
 passive-interface GigabitEthernet0/0
 network 192.168.2.0
 network 192.168.3.0
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 X.X.X.X
ip route 10.1.0.0 255.255.0.0 192.168.2.1
ip route 10.1.20.0 255.255.255.0 192.168.2.13
no ip http server
!
ip dns server view-group aaaaaaa
ip dns server
ip nat pool mypool X.X.X.X X.X.X.X netmask 255.255.255.252
ip nat inside source list 1 pool mypool overload
!
logging alarm informational
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 10.1.33.0 0.0.0.255
!
control-plane
!
gatekeeper
 shutdown
!

ASA config:

.....
interface GigabitEthernet0/3
 description STATE Failover Interface
!
interface Management0/0
 description LAN Failover Interface
 management-only
!
interface GigabitEthernet1/0
 media-type sfp
 nameif outside
 security-level 0
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1/1
 media-type sfp
 nameif inside
 security-level 100
 ip address 192.168.4.1 255.255.255.0
!
interface GigabitEthernet1/2
 media-type sfp
 nameif inside-backup
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface GigabitEthernet1/3
 media-type sfp
 nameif outside-backup
 security-level 0
 ip address 192.168.3.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type AllowedICMP
 icmp-object echo
 icmp-object echo-reply
 icmp-object traceroute
 icmp-object unreachable
 icmp-object time-exceeded
access-list EXEMPT extended permit ip 192.168.4.0 255.255.255.0 any
access-list EXEMPT extended permit ip 10.1.0.0 255.255.0.0 any
access-list EXEMPT extended permit ip 192.168.5.0 255.255.255.0 any
access-list no-nat extended permit ip 10.1.0.0 255.255.0.0 host 0.0.0.0
access-list outside_access_in extended permit icmp any any object-group AllowedICMP
access-list outside_access_in extended permit ip host 192.168.2.253 any
access-list outside_access_in extended permit ip 192.168.2.0 255.255.255.0 any
access-list outside_access_in extended permit ip host 192.168.3.253 any
access-list outside_access_in extended permit ip 192.168.3.0 255.255.255.0 any
failover
failover lan unit secondary
failover lan interface fobasic Management0/0
failover key *****
failover link fostate GigabitEthernet0/3
failover interface ip fobasic 192.168.200.1 255.255.255.0 standby 192.168.200.2
failover interface ip fostate 192.168.201.1 255.255.255.0 standby 192.168.201.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any echo-reply outside-backup
icmp permit any unreachable outside-backup
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside-backup) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group outside_access_in out interface outside
access-group outside_access_in in interface outside-backup
access-group outside_access_in out interface outside-backup
access-group EXEMPT in interface inside
access-group EXEMPT out interface inside
!
router eigrp 10
 no auto-summary
 network 192.168.2.0 255.255.255.0
 network 192.168.3.0 255.255.255.0
 network 192.168.4.0 255.255.255.0
 network 192.168.5.0 255.255.255.0
 redistribute static
!
route outside 0.0.0.0 0.0.0.0 192.168.2.253 1 track 20
route outside 0.0.0.0 0.0.0.0 192.168.3.253 22
……
http 10.1.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
track 1 rtr 123 reachability
……..
sla monitor 2
 type echo protocol ipIcmpEcho 192.168.2.253 interface outside
sla monitor schedule 2 life forever start-time now
track 20 rtr 2 reachability
management-access inside
dhcpd dns x.x.x.x
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
…..
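The router config posted above still carries a single, untracked static route for the inside networks (ip route 10.1.0.0 255.255.0.0 192.168.2.1), while the ASA tracks its default route with sla monitor 2 / track 20. The following is an added illustration, not configuration from this thread or from Cisco, of applying that same IP SLA and object-tracking technique on the IOS router for the return path; the probe target, SLA and track numbers, timers, and the floating-route next hop 192.168.3.1 (the ASA's outside-backup address from the config above) are my assumptions.

```cisco
! Added example (not from the thread): IOS-side IP SLA + object tracking for
! the return route toward 10.1.0.0/16, mirroring what the ASA already does
! for its default route with "sla monitor 2" and "track 20".
!
! Probe the ASA's primary outside address across the uplink to the left switch.
! Target and timers are assumptions, not values from the thread.
ip sla 2
 icmp-echo 192.168.2.1 source-interface GigabitEthernet0/1
 frequency 5
ip sla schedule 2 life forever start-time now
!
! Track object 2 follows the probe's reachability state; the delay keeps a
! single lost probe from flapping the route (older IOS releases spell this
! "track 2 rtr 2 reachability" instead).
track 2 ip sla 2 reachability
 delay down 10 up 30
!
! The primary return route is withdrawn while track 2 is down; the floating
! static route (AD 250) via the ASA's outside-backup address then takes over.
ip route 10.1.0.0 255.255.0.0 192.168.2.1 track 2
ip route 10.1.0.0 255.255.0.0 192.168.3.1 250
!
! Checks after shutting the switch port toward the router:
!   show track 2                 (state should read "Down")
!   show ip sla statistics 2     (recent probes should show failures)
!   show ip route 10.1.0.0       (next hop should now be 192.168.3.1)
```

One caveat grounded in the posted ASA config: once any "icmp permit" lines exist on an interface, the ASA denies other ICMP types to that interface, and the outside interface only permits echo-reply and unreachable, so a probe aimed at 192.168.2.1 would also need echo permitted there (or a different probe target). On the ASA side, "show track 20" and "show sla monitor operational-state" confirm whether track 20 actually went down during the test; if it did not, the tracked default route never moves to 192.168.3.253.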

I don't understand why you're trying to use HSRP between your router and switches. If you have L3 reachability (i.e. routing enabled between your ASA/switches/router), just let EIGRP take care of redundancy. I just don't see why you should use HSRP here, or maybe I'm missing something)). Maybe someone else can comment on this.

Okay, I see. I think at this moment I do NOT need the HSRP configuration.

Do you have any idea about the ASA routing configuration? Since now the backup interface of the router is not able to ping the inside host.

Thanks for your time,
