Single ASA with two ISPs active-active, failover help

Alkemyst71
Level 1

I am trying to figure out the best way to set this up on an ASA (9.6).


We want 10.0.1.0 to go out ISP1 unless it fails, then choose ISP2.

We want 10.0.2.0 to go out ISP2 unless it fails, then choose ISP1.

(This is for simplicity; there are several networks.)

Would this be the way (SLA for tracking not shown, but working):

object network obj_10.0.1.0_PRIMARY
 subnet 10.0.1.0 255.255.255.0
 description OFFICE_SUBNET
!
object network obj_10.0.2.0_PRIMARY
 subnet 10.0.2.0 255.255.255.0
 description VOICE_SUBNET
!
object network obj_10.0.1.0_SECONDARY
 subnet 10.0.1.0 255.255.255.0
 description OFFICE_SUBNET
!
object network obj_10.0.2.0_SECONDARY
 subnet 10.0.2.0 255.255.255.0
 description VOICE_SUBNET
!
route-map PRIORITY_ISP2 permit 20
 match ip address priority-ISP2
 set ip next-hop verify-availability [ISP2 IP] 1 track 1
 set ip next-hop verify-availability [ISP1 IP] 2 track 2
!
access-list priority-ISP2 extended permit ip object obj_10.0.1.0 any
access-list priority-ISP2 extended permit ip object obj_10.0.2.0 any
!
route outside 0.0.0.0 0.0.0.0 [ISP1 IP] 1 track 1
route isp3-outside 0.0.0.0 0.0.0.0 [ISP2 IP] 60 track 2
!
object-group network ISP1Primary
 network-object obj_10.0.1.0_Primary
 network-object obj_10.0.2.0_Secondary
nat (any,ISP1) after-auto source dynamic ISP1Primary interface
!
object-group network ISP2Primary
 network-object obj_10.0.2.0_Primary
 network-object obj_10.0.1.0_Secondary
nat (any,ISP2) after-auto source dynamic ISP2Primary interface

1 Reply

balaji.bandi
Hall of Fame

DUPLICATE POST

BB