Switch primary and backup ISP roles

tim829
Level 1

I recently set up a backup/fail-over ISP using this guide: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html

We now want to switch over to the backup ISP as the primary for all outgoing internet traffic. However, we currently have several NATs set up for outside connections coming in over the current primary ISP; we would like to leave this setup as is so we don't have to re-address anything on the outside.

What's the easiest way to accomplish this? Is it as simple as changing the metrics in the routing table to make the secondary ISP the primary route and vice versa?

Thanks

4 Replies

Cristian Matei
VIP Alumni

Hi,

To prefer one ISP or the other, you play with the AD (Administrative Distance), not the metrics. If you have NAT enabled, when the ISP fails, to avoid packet loss, use an EEM script to also clear your NAT table; look at the example here:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118049-config-eem-00.html

If you have NAT configured on your ASA's outside interface for your public resources, you can leave that as it is, and all traffic in/out for those services will go out that ISP. If you want your users' traffic (Internet access) to go via the second ISP, you make your default route prefer the second ISP and configure NAT for your users out that interface.

Regards,

Cristian Matei.

balaji.bandi
Hall of Fame

It's hard if you have static NAT pointing outside to inside. If you rely on DNS, then you have the new ISP public IP also in your publicly managed DNS to load-balance.

For outgoing, you can do it with IP SLA tracking and failover, and clear the NAT table also.

Good discussion here:

https://community.cisco.com/t5/routing/nat-timeout-for-failover-w-dual-isps/td-p/2442121

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
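As an added illustration of the approach described in the two replies above (an example written for this page, not configuration from the thread or from Cisco's guides): an ASA configuration that keeps the inbound static NAT on ISP1, prefers ISP2 for the default route by administrative distance with IP SLA tracking, and clears translations when the tracked route changes. Interface names, addresses, object names and the applet name are placeholders.

```text
! Added example, not from the thread. Interfaces, addresses and names are placeholders.
interface GigabitEthernet0/0
 nameif isp1
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif isp2
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
! Reachability probe towards the ISP2 gateway; the tracked route is withdrawn when it fails
sla monitor 10
 type echo protocol ipIcmpEcho 198.51.100.1 interface isp2
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! Two default routes: the lower distance (ISP2) wins while track 1 is up, ISP1 takes over when it drops
route isp2 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route isp1 0.0.0.0 0.0.0.0 203.0.113.1 254
!
! Inbound static NAT for the VPN server stays on ISP1, so its public address does not change
object network vpn-server
 host 10.0.0.10
 nat (inside,isp1) static 203.0.113.10
!
! Users' Internet traffic: PAT to whichever egress interface the routing table selects
object network inside-users-isp2
 subnet 10.0.0.0 255.255.255.0
 nat (inside,isp2) dynamic interface
object network inside-users-isp1
 subnet 10.0.0.0 255.255.255.0
 nat (inside,isp1) dynamic interface
!
! On a tracked-route change (syslog 622001), clear translations so existing flows
! are not pinned to the failed ISP's address
event manager applet CLEAR-XLATE-ON-ROUTE-CHANGE
 event syslog id 622001
 action 1 cli command "clear xlate"
 output none
```

Verify the result with `show route` (only the tracked default should be active) and `show xlate` after a simulated ISP2 outage; the VPN server's static translation on isp1 should remain while user PAT entries rebuild on isp1.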

It just seems like it should be an easy change to accomplish this. The main NAT that's currently being utilized is a VPN server that hosts 40-50 connections. Of course, on the client end it's pointing to the outside IP (not DNS) of ISP1. That's why we thought it would be easier to just leave that setup the way it is and then just force all internal internet traffic out over ISP2. It would be time consuming to change the IPs on all those VPN computers to the new ISP2 IP address.


Another option, if you would like to use the other ISP: you can also use PBR to route the other traffic you would like to send via ISP 2.

BB
