07-13-2012 12:24 PM - edited 03-04-2019 04:57 PM
Dear Friends,
I'm trying to configure a Cisco ASA failover; here is my scenario.
OUTSIDE - 10.10.10.2 + DEFAULT ROUTE TO 10.10.10.1
BACKUP - 192.168.0.2 + DEFAULT ROUTE TO 192.168.0.1
INSIDE 172.16/12
On my OUTSIDE interface are all my firewall rules; the backup interface has no rules, so when the outside interface goes down I delete my backup interface, configure 192.168.0.2 on my outside interface and change the default route to 192.168.0.1, so I won't need to copy and paste the FW rules from my outside interface to my backup interface.
So is it possible to configure a failover with only 1 ASA device? And if so, how do I replicate my outside rules to the backup interface rules?
Thanks in advance.
07-13-2012 01:47 PM
You will create two interfaces, 1> outside & 2> Outside2, and apply the same access list on both interfaces using the access-group command. Now follow the instructions in the link below to set up IP SLA on the ASA so that the default routes switch automagically as well:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_examples.html#wp1057935
Note: The static NAT using ISP IPs from outside will not work when Outside2 becomes active during a connection failure.
Thank you
Manish
07-16-2012 05:31 AM
Thank you for your quick answer, I'll try that.
07-17-2012 12:44 PM
Hey,
I managed to get it to work, but what about my dynamic NAT rule which translates my inside addresses through the outside interface, and my static NAT rules, also on my outside interface?
Thanks,
07-17-2012 06:17 PM
Hi Paulo,
The dynamic NAT rules can be adjusted in the following way to accommodate IP SLA failover:
global (inside) 1 interface
global (outside2) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
The above configuration will automatically change the external PAT IP address based on the active interface IP address.
The static NAT will have issues: either you can create two different static NATs using IPs from both providers, or risk losing traffic to the static NAT devices. If you need that high level of uptime, then you should get your own IPs from ARIN and start doing BGP with two providers.
Manish
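Putting the two answers above together as one ASA 8.2-style configuration for Paulo's addresses (an added example, not configuration posted in this thread or taken from the linked Cisco page; the sla/track numbers, the ACL name outside_access_in, the second interface name outside2, the probe target and the route metrics are assumptions):

```cisco
! Probe the primary ISP gateway through the outside interface.
! If it stops answering, the tracked default route is withdrawn.
sla monitor 123
 type echo protocol ipIcmpEcho 10.10.10.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability

! Primary default route is installed only while track 1 is up;
! the backup route has a worse metric and takes over on failure.
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 192.168.0.1 254

! One ACL bound to both ISP-facing interfaces, so the inbound
! rule set does not have to be copied when the active link changes.
access-group outside_access_in in interface outside
access-group outside_access_in in interface outside2

! Dynamic PAT on whichever outside interface carries the traffic:
! the global matching the egress interface is used, so the public
! source address changes with the active default route.
global (outside) 1 interface
global (outside2) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

! Static NAT bound to ISP-1 addresses (hypothetical 10.10.10.5 for a
! server 172.16.1.5) still only works while outside is active; a second
! static entry on outside2 with an ISP-2 address is the workaround Manish
! describes, and inbound traffic follows whichever address the client uses.
static (inside,outside) 10.10.10.5 172.16.1.5 netmask 255.255.255.255
static (inside,outside2) 192.168.0.5 172.16.1.5 netmask 255.255.255.255
```

Verify with "show sla monitor operational-state 123", "show track 1" and "show route" while the primary gateway is reachable, then again after blocking the probe, to confirm the default route actually moves to outside2.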
07-23-2012 06:28 AM
Hey Manish ,
Thanks for your reply. I do have 3 /24 netblocks, but they all come through the same ISP, with different routes, and I also need uptime. Thanks for your configuration example and the explanation.
Cheers ,
Paulo