ASA Failover

Dear Friends,

I'm trying to configure a Cisco ASA failover; here is my scenario.

OUTSIDE - 10.10.10.2 + DEFAULT ROUTE TO 10.10.10.1

BACKUP -  192.168.0.2 + DEFAULT ROUTE TO 192.168.0.1

INSIDE 172.16/12

All my firewall rules are on my OUTSIDE interface; the BACKUP interface has no rules. So when the OUTSIDE interface goes down, I delete my BACKUP interface, configure 192.168.0.2 on my OUTSIDE interface and change the default route to 192.168.0.1, so that I don't need to copy and paste the firewall rules from my OUTSIDE interface to my BACKUP interface.

So, is it possible to configure a failover with only one ASA device? And if so, how do I replicate my OUTSIDE rules to the BACKUP interface?

Thanks in advance.

5 Replies

Accepted solution:

You will create two interfaces, 1) outside and 2) outside2, and apply the same access list on both interfaces using the access-group command. Then follow the instructions in the link below to set up IP SLA on the ASA so that the default route switches automagically as well:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_examples.html#wp1057935

Note: The static NAT using ISP IPs from outside will not work when outside2 becomes active during a connection failure.

Thank you

Manish


Thank you for your quick answer, I'll try that.

Hey,

I managed to get it to work, but what about my dynamic NAT rule which translates my inside addresses through the outside interface, and my static NAT rules, also on my outside interface?

Thanks,

Accepted solution:

Hi Paulo,

The dynamic NAT rules can be adjusted in the following way to accommodate IP SLA failover:

global (inside) 1 interface
global (outside2) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

The above configuration will automatically change the external PAT IP address based on the active interface IP address.

The static NAT will have issues: either you create two different static NATs using IPs from both providers, or you risk losing traffic to the static NAT devices. If you need that high a level of uptime, then you should get your own IPs from ARIN and start doing BGP with two providers.

Manish

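The two accepted answers above describe one configuration in pieces: a shared ACL on both ISP interfaces, IP SLA tracking to swing the default route, a PAT global on each ISP interface, and a static NAT per provider for anything that must be reachable inbound. The block below is an added example that puts those pieces together in the ASA 8.2 syntax the thread uses (the same pre-8.3 nat/global/static commands as the linked guide); it is not configuration from the original posts. The ISP addresses and the 172.16/12 inside range come from the question; the interface names, subnet masks, the inside gateway 172.16.0.1, the server 172.16.1.10 and its two public addresses 10.10.10.5 and 192.168.0.5, and the ACL and object names are assumptions. The security point of applying one access-group to both interfaces is that the backup path never runs with a different (here, empty) policy that has to be recreated by hand during an outage:

```cisco
! --- Interfaces (ISP addresses from the original post; names, masks
! --- and the inside gateway address are assumptions) ---
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.10.10.2 255.255.255.0
!
interface Ethernet0/1
 nameif outside2
 security-level 0
 ip address 192.168.0.2 255.255.255.0
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 172.16.0.1 255.240.0.0
!
! --- Outbound PAT: one nat rule, one global per ISP interface.
! --- Traffic is translated with the address of whichever interface the
! --- current default route points at, so PAT follows the route switch.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (outside2) 1 interface
!
! --- Inbound static NAT for one inside server (172.16.1.10 and the
! --- two public addresses are assumed): one translation per provider.
static (inside,outside) 10.10.10.5 172.16.1.10 netmask 255.255.255.255
static (inside,outside2) 192.168.0.5 172.16.1.10 netmask 255.255.255.255
!
! --- One ACL applied inbound on both ISP interfaces. On 8.2 an
! --- interface ACL matches the mapped (public) address, so the permit
! --- must list each provider's address for the server.
object-group network WEB_PUBLIC
 network-object host 10.10.10.5
 network-object host 192.168.0.5
access-list OUTSIDE_IN extended permit tcp any object-group WEB_PUBLIC eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
access-group OUTSIDE_IN in interface outside2
!
! --- IP SLA: ICMP echo probe of the primary next hop, three packets per
! --- run, every 10 seconds; track 1 follows the probe's reachability.
sla monitor 10
 type echo protocol ipIcmpEcho 10.10.10.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
!
track 1 rtr 10 reachability
!
! --- The primary default route is withdrawn while track 1 is down; the
! --- floating route (AD 254) on outside2 then carries the traffic.
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 192.168.0.1 254
```

Check the result with `show track 1`, `show route` and `show sla monitor operational-state`. A few caveats a practitioner should expect: probing only the directly connected gateway detects a dead link but not an outage further upstream, while probing a host beyond the ISP catches more but can flap if that host rate-limits ICMP; connections already in the table stay bound to the interface they were built on, so only new connections move to outside2 after the switch; and inbound traffic through the backup provider only arrives if clients are sent to 192.168.0.5, which is the DNS problem the answer alludes to when it recommends your own address space and BGP. On ASA 8.3 and later the nat/global/static commands were replaced by object NAT and interface ACLs match real (untranslated) addresses, so the NAT and ACL parts would be written differently there.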

Hey Manish,

Thanks for your reply. I do have three /24 netblocks, but they all come through the same ISP with different routes, and I also need uptime. Thanks for your configuration example and the explanation.

Cheers,

Paulo