03-16-2020 06:49 AM
I recently set up a backup/fail-over ISP using this guide: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html
We now want to switch over to the backup ISP as the primary for all outgoing internet traffic. However, we currently have several NATs set up for outside connections coming in over the current primary ISP. We would like to leave this setup as is so we don't have to re-address anything on the outside.
What's the easiest way to accomplish this? Is it as simple as changing the metrics in the routing table to make the secondary ISP the primary route and vice versa?
Thanks
03-16-2020 07:48 AM
Hi,
To prefer one ISP or the other, you play with the AD (Administrative Distance), not the metrics. If you have NAT enabled, when the ISP fails, to avoid packet loss, use an EEM script to also clear your NAT table; look at the example here:
If you have NAT configured on your ASA's outside interface for your public resources, you can leave that as it is, and all traffic in/out for those services would go out that ISP. If you want your users' traffic (Internet access) to go via the second ISP, you make your default route prefer the second ISP and configure NAT for your users out that interface.
Regards,
Cristian Matei.
03-16-2020 07:55 AM
It's hard if you have static NAT pointing outside to inside. If you rely on DNS, then you also have the new ISP public IP in your publicly managed DNS to load balance.
For outgoing, you can do it with IP SLA tracking and failover, and clear the NAT table also.
Good discussion here:
https://community.cisco.com/t5/routing/nat-timeout-for-failover-w-dual-isps/td-p/2442121
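A worked ASA configuration illustrating what the two replies above describe: two default routes distinguished by AD rather than metric, IP SLA tracking on the now-preferred ISP2, dynamic NAT for users on either ISP, the existing static NAT for the VPN server left on ISP1, and an EEM applet that flushes translations when the tracked route flips. This is an added example, not config from the original posts or the Cisco guide; the interface names, RFC 5737 addresses, object names and SLA/track IDs are assumptions, and the EEM applet assumes ASA 9.2 or later.

```cisco
! Interfaces (addresses are constructed RFC 5737 examples)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
interface GigabitEthernet0/1
 nameif backup
 security-level 0
 ip address 198.51.100.10 255.255.255.0
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Probe ISP2's next hop so the preferred default route is withdrawn if ISP2 dies
sla monitor 10
 type echo protocol ipIcmpEcho 198.51.100.1 interface backup
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! ISP2 ("backup") is now preferred: AD 1, tied to the tracker.
! ISP1 ("outside") remains the fallback with a worse AD (254), not a worse metric.
route backup 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route outside 0.0.0.0 0.0.0.0 203.0.113.1 254
!
! Dynamic PAT for user traffic on whichever ISP the routing table selects
object network inside-net-isp2
 subnet 10.0.0.0 255.255.255.0
 nat (inside,backup) dynamic interface
object network inside-net-isp1
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Existing inbound static NAT for the VPN server stays on ISP1 untouched;
! sessions that arrive on "outside" are answered back out "outside" by the
! connection table, regardless of the default route.
object network vpn-server
 host 10.0.0.50
 nat (inside,outside) static 203.0.113.20
!
! Flush stale translations when the tracked route is added or removed
! (syslog 622001). Note: clear xlate also tears down active sessions,
! including the VPN server's, so expect clients to reconnect on a flip.
event manager applet FLUSH-XLATE-ON-FAILOVER
 event syslog id 622001
 action 1 cli command "clear xlate"
```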
03-16-2020 08:53 AM
It just seems like it should be an easy change to accomplish this. The main NAT that's currently being utilized is a VPN server that hosts 40-50 connections. Of course, on the client end it's pointing to the outside IP (not DNS) of ISP1. That's why we thought it would be easier to just leave that setup the way it is and then just force all internal internet traffic out over ISP2. It would be time consuming to change the IPs on all those VPN computers to the new ISP2 IP address.
03-16-2020 09:30 AM
Another option, if you would like to use the other ISP: you can also use PBR to route whatever other traffic you like out ISP 2.