07-13-2012 12:24 PM - edited 03-04-2019 04:57 PM
Dear Friends,
I'm trying to configure a Cisco ASA failover; here is my scenario.
OUTSIDE - 10.10.10.2 + DEFAULT ROUTE TO 10.10.10.1
BACKUP - 192.168.0.2 + DEFAULT ROUTE TO 192.168.0.1
INSIDE - 172.16.0.0/12
All my firewall rules are on my OUTSIDE interface; the BACKUP interface has no rules. So when the OUTSIDE interface goes down I delete my BACKUP interface, configure 192.168.0.2 on my OUTSIDE interface and change the default route to 192.168.0.1, so I don't need to copy and paste the firewall rules from my OUTSIDE interface to my BACKUP interface.
So is it possible to configure a failover with only one ASA device? And if so, how do I replicate my OUTSIDE rules to the BACKUP interface rules?
Thanks in advance.
Solved! Go to Solution.
07-13-2012 01:47 PM
You will create two interfaces, 1) outside and 2) outside2, and apply the same access list on both interfaces using the access-group command. Now follow the instructions in the link below to set up IP SLA on the ASA so that the default route switches automagically as well:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_examples.html#wp1057935
Note: static NAT using ISP IPs from outside will not work when outside2 becomes active during a connection failure.
Thank you
Manish
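The setup Manish describes, written out as an added example (this is not config from the thread or from the linked Cisco document). It uses the addresses from the question and Manish's interface name outside2 for the backup link; the physical interface names, the /24 masks on the ISP links, the inside address, the ACL name, the published host addresses (10.10.10.10 / 192.168.0.10) and the SLA/track numbers are assumptions. Syntax is the pre-8.3 (ASA 8.2) style the thread is using.

```cisco
! Added example, not from the thread. Physical interfaces, masks, ACL name,
! published host addresses and SLA/track numbers are assumptions.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.10.10.2 255.255.255.0
!
interface Ethernet0/1
 nameif outside2
 security-level 0
 ip address 192.168.0.2 255.255.255.0
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 172.16.0.1 255.240.0.0
!
! One inbound rule base, bound to both ISP-facing interfaces, so the rules
! are maintained once instead of being copied between interfaces.
access-list OUTSIDE_IN extended permit tcp any host 10.10.10.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 192.168.0.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
access-group OUTSIDE_IN in interface outside2
!
! IP SLA probe: ping the primary gateway every 10 s; when the probe fails
! the tracked object goes down and the primary default route is withdrawn.
sla monitor 123
 type echo protocol ipIcmpEcho 10.10.10.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
!
! Primary default route (metric 1) is tied to track 1; the backup default
! route (metric 254) only enters the routing table when the primary is gone.
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 192.168.0.1 254
!
! Check state after a failover test:
! show track 1
! show sla monitor operational-state
! show route
```

Two points worth checking before relying on this. First, the probe target: pinging the directly connected ISP gateway only detects a dead link or dead next hop; if the ISP loses its upstream while its gateway still answers, the route never fails over, so a probe target further upstream (one that is reachable only via the primary link) is the safer choice. Second, in pre-8.3 code the inbound ACL is evaluated against the translated (mapped) address, which is why the shared list above names the published host under both providers' addresses.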
07-17-2012 06:17 PM
Hi Paulo,
The dynamic NAT rules can be adjusted in the following way to accommodate IP SLA failover:
global (inside) 1 interface
global (outside2) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
The above configuration will automatically change the external PAT IP address based on the active interface IP address.
Static NAT will have issues: either you create two different static NATs using IPs from both providers, or you risk losing traffic to the static NAT devices. If you need that high a level of uptime then you should get your own IPs from ARIN and start doing BGP with two providers.
Manish
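The "two different static NATs" option from this answer, as an added example (not Manish's config, and not tested on the poster's box). The PAT lines are the ones Manish posted; the inside server address 172.16.1.10 and the mapped addresses 10.10.10.10 / 192.168.0.10 are assumed values, and outside2 is Manish's name for the backup interface. Pre-8.3 syntax, matching the thread.

```cisco
! Added example, not from the thread. 172.16.1.10, 10.10.10.10 and
! 192.168.0.10 are assumed addresses used for illustration only.
!
! Dynamic PAT: inside hosts are translated to the address of whichever
! ISP interface the currently active default route points at.
global (outside) 1 interface
global (outside2) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! Static NAT for one published server, declared once per provider so the
! server stays reachable under ISP 2's address after the route fails over.
static (inside,outside) 10.10.10.10 172.16.1.10 netmask 255.255.255.255
static (inside,outside2) 192.168.0.10 172.16.1.10 netmask 255.255.255.255
!
! Pre-8.3 ACLs match the mapped address, so the inbound list must permit
! the server under both mapped addresses, on both interfaces.
access-list OUTSIDE_IN extended permit tcp any host 10.10.10.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 192.168.0.10 eq 443
access-group OUTSIDE_IN in interface outside
access-group OUTSIDE_IN in interface outside2
!
! After a failover, confirm which translations are live:
! show xlate
! show conn
```

What this does and does not buy you: outbound traffic follows the active default route and gets the matching PAT address, so it recovers on its own. Inbound traffic to the published server only works on the address whose interface currently holds the default route, because the ASA sends the replies according to its routing table; clients must also be told (for example through DNS) to use the other provider's address, and connections that were open at the moment of failover are lost. That is the residual gap Manish is pointing at when he says real uptime needs your own address space and BGP with both providers.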
07-16-2012 05:31 AM
Thank you for your quick answer, I'll try that.
07-17-2012 12:44 PM
Hey,
I managed to get it to work, but what about my dynamic NAT rule which translates my inside addresses through the outside interface, and my static NAT rules, which are also on my outside interface?
Thanks,
07-23-2012 06:28 AM
Hey Manish,
Thanks for your reply. I do have three /24 netblocks, but they all come through the same ISP with different routes, and I also need uptime. Thanks for your configuration example and the explanation.
Cheers,
Paulo