Tracked Route failover and inbound access-list rules

james bennett
Level 1

Hi,

I'm trying to configure some basic failover on my ASA 5512-X using tracked static routes. I have 2 static routes: one on my main outside interface, which is tracked, and 1 static route on my outside_backup interface (not tracked). Basically, if I pull the cable out of the outside interface, a route is injected that pushes all traffic out of the outside_backup interface. This is initiated when the tracked IP address on the route cannot be accessed (ping), and this works very well for outbound traffic.

 

When failover does occur I'd like to also be able to allow inbound access to some servers that are available when the main outside interface is up, things like an Exchange server and some remote access. The question I have is how can I achieve this? I've started looking at creating objects for the servers that need access and using NAT to create them externally, essentially duplicating them and applying them via access rules to the outside_backup interface.

Is this the correct way to do it? I've also been looking at route maps, but I think these will still need the duplicate network objects created, as they just apply to ACLs.

Thanks

 


prateek.verma
Level 1

Hi James,

 

Yes, you can duplicate the NAT statements and access-list applied to the outside interface and configure the same on the outside_backup interface as well. For example:

 

If there is a NAT rule:

object network obj-1.1.1.0
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

make another NAT statement like the one below:

object network obj-1.1.1.0-1
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside_backup) dynamic interface

The same goes for the access-list.

 

Please feel free to contact me in case of any query.

 

Regards,

 

Prateek Verma

Puneesh Chhabra
Cisco Employee

Yes, you are correct.

When failover occurs and you start receiving traffic on the BACKUP interface, you would require the access and NAT rules to be in place to forward traffic to the inside zone.

 

So, you would require duplicate rules for every server.

NAT e.g.:

nat (inside,outside)
nat (inside,BACKUP)

 

Regards,

Puneesh
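Both replies prescribe the same pattern: one NAT rule and one inbound access-list per egress interface. The configuration below is an added example, not from either poster, that ties that pattern to the tracked static route the question describes. All addresses, object names, the ACL names and the tracked host are assumed placeholders (RFC 5737 documentation ranges).

```cisco
! Added example, not the original poster's configuration. Assumed placeholders:
! outside 203.0.113.2/24 (gateway 203.0.113.1), outside_backup 198.51.100.2/24
! (gateway 198.51.100.1), internal mail server 10.1.1.10, tracked host 192.0.2.1.

! --- Tracked static route: the primary default route is withdrawn when the
! --- ICMP probe to the tracked host fails, so the backup route takes over.
sla monitor 10
 type echo protocol ipIcmpEcho 192.0.2.1 interface outside
 num-packets 3
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside_backup 0.0.0.0 0.0.0.0 198.51.100.1 254

! --- Inbound server: a network object carries only one NAT statement, so the
! --- same inside host needs a second object for the backup interface.
object network MAIL-OUTSIDE
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
object network MAIL-BACKUP
 host 10.1.1.10
 nat (inside,outside_backup) static 198.51.100.10

! --- Access-lists (ASA 8.3+ match the real inside address) are applied per
! --- interface, so the backup interface gets its own copy of the permits.
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.10 eq 25
access-list BACKUP_IN extended permit tcp any host 10.1.1.10 eq 443
access-list BACKUP_IN extended permit tcp any host 10.1.1.10 eq 25
access-group OUTSIDE_IN in interface outside
access-group BACKUP_IN in interface outside_backup
```

Keep the two permit lists identical so a service exposed on the primary path is not silently closed, or opened wider, on the backup path; `show nat` and `show access-list` on both interfaces are the quickest way to confirm the pairs match.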
