11-15-2016 06:22 AM - edited 03-05-2019 07:28 AM
Hello,
I'm attempting to research ways to provide ISP redundancy for our network in a datacenter. Currently, we have one L2 hand-off from our ISP that goes into the GigabitEthernet0/7 port of the primary firewall (two ASA 5525-Xs in an active/passive config), so this creates a single point of failure. I'd like to order a second ISP connection for backup. I'll more than likely put some switches in front of the ASAs so I can have one connection to each firewall from each ISP. My question is regarding the feasibility of this configuration and whether I'm on the right track. I looked at doing BGP peering for this, but everywhere I've looked, it seems we are too "small" to do BGP peering since it would require us to have at least a /24 block to advertise, and at the moment I only get a /29 from my primary ISP.
Below I've provided a mock configuration of what the IP SLA would potentially look like on the primary firewall. I understand that IP SLA is more designed for outbound traffic redundancy, but I'm specifically looking to get this to work for inbound services: HTTP/HTTPS, SMTP, etc. I'll also likely require some DNS manipulation so that in the event ISP 1 goes down, the DNS records would start pointing to ISP 2's IP addresses.
One big question I had was regarding my static NATs and object NATs. Is it possible to set up backup NATs that reference the public IPs of ISP 2? In my mind, these NAT rules won't be used until there is a failure and we start using ISP 2's IP addresses.
! Primary ISP hand-off (/29 from the ISP, so the mask is 255.255.255.248)
interface GigabitEthernet0/7
 nameif outside
 security-level 0
 ip address 38.x.x.240 255.255.255.248
! Backup ISP hand-off
interface GigabitEthernet0/x
 nameif backup-isp
 security-level 0
 ip address x.x.x.x x.x.x.x
! Primary default route, withdrawn when track 1 goes down; the backup route
! must reference the backup interface by its nameif and carry a higher metric
route outside 0.0.0.0 0.0.0.0 38.x.x.242 1 track 1
route backup-isp 0.0.0.0 0.0.0.0 x.x.x.x 254
! ICMP echo probe of the ISP 1 next hop, sourced from the outside interface
sla monitor 123
 type echo protocol ipIcmpEcho 38.x.x.241 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
Any feedback is greatly appreciated.
Thanks,
Kevin
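Mock configs like the one above tend to fail on small details (a stray dot in a network address, a route that names an interface by something other than its nameif, a mask that is not a contiguous prefix), and those mistakes are easier to catch before the change window than during it. The following script is an added example, not code from the thread or from Cisco: it parses an ASA-style snippet into routes, nameifs, SLA monitors and track objects, reports inconsistencies, and then shows which default route would be active depending on whether SLA 123 reports its target reachable. The config text is constructed for the example (documentation addresses stand in for the real ISP prefixes) and deliberately reproduces the kinds of typos a first draft contains.

```python
"""Sanity-check an ASA-style tracked-route / IP SLA snippet (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: mirrors the shape of the poster's mock config, with
# three draft mistakes left in so the checks below have something to catch.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/7
 nameif outside
 security-level 0
 ip address 192.0.2.240 255.255.255.242
interface GigabitEthernet0/5
 nameif backup-isp
 security-level 0
 ip address 203.0.113.2 255.255.255.248
route outside 0.0.0.0. 0.0.0.0 192.0.2.242 1 track 1
route backup 0.0.0.0 0.0.0.0 203.0.113.1 254
sla monitor 123
 type echo protocol ipIcmpEcho 192.0.2.241 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
"""

# The same snippet with the three mistakes corrected.
FIXED_CONFIG = (SAMPLE_CONFIG
                .replace("255.255.255.242", "255.255.255.248")
                .replace("0.0.0.0. 0.0.0.0", "0.0.0.0 0.0.0.0")
                .replace("route backup ", "route backup-isp "))


@dataclass
class Route:
    nameif: str
    network: str
    mask: str
    gateway: str
    metric: int
    track: Optional[int]


@dataclass
class Config:
    nameifs: set
    addresses: list            # (address, mask) pairs from interface blocks
    routes: List[Route]
    sla_monitors: set
    tracks: Dict[int, int]     # track id -> sla monitor id


def _ip_ok(s: str) -> bool:
    parts = s.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def _mask_ok(s: str) -> bool:
    """A netmask must be a contiguous run of ones followed by zeros."""
    if not _ip_ok(s):
        return False
    m = int.from_bytes(bytes(int(p) for p in s.split(".")), "big")
    inv = (~m) & 0xFFFFFFFF
    return (inv & (inv + 1)) == 0


def parse_asa(text: str) -> Config:
    cfg = Config(set(), [], [], set(), {})
    route_re = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?(?: track (\d+))?$")
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"^nameif (\S+)$", line):
            cfg.nameifs.add(m.group(1))
        elif m := re.match(r"^ip address (\S+) (\S+)$", line):
            cfg.addresses.append((m.group(1), m.group(2)))
        elif m := route_re.match(line):
            cfg.routes.append(Route(m.group(1), m.group(2), m.group(3), m.group(4),
                                    int(m.group(5) or 1),
                                    int(m.group(6)) if m.group(6) else None))
        elif m := re.match(r"^sla monitor (\d+)$", line):
            cfg.sla_monitors.add(int(m.group(1)))
        elif m := re.match(r"^track (\d+) rtr (\d+) reachability$", line):
            cfg.tracks[int(m.group(1))] = int(m.group(2))
    return cfg


def validate(cfg: Config) -> List[str]:
    errors = []
    for addr, mask in cfg.addresses:
        if not _ip_ok(addr):
            errors.append(f"bad interface address {addr}")
        if not _mask_ok(mask):
            errors.append(f"invalid netmask {mask} (a /29 is 255.255.255.248)")
    for r in cfg.routes:
        if r.nameif not in cfg.nameifs:
            errors.append(f"route references unknown nameif '{r.nameif}'")
        if not _ip_ok(r.network):
            errors.append(f"bad network {r.network} in route via {r.nameif}")
        if not _mask_ok(r.mask) or not _ip_ok(r.gateway):
            errors.append(f"bad mask or gateway in route via {r.nameif}")
        if r.track is not None:
            sla = cfg.tracks.get(r.track)
            if sla is None:
                errors.append(f"route tracks undefined track {r.track}")
            elif sla not in cfg.sla_monitors:
                errors.append(f"track {r.track} references undefined sla monitor {sla}")
    defaults = [r for r in cfg.routes if (r.network, r.mask) == ("0.0.0.0", "0.0.0.0")]
    tracked = [r.metric for r in defaults if r.track is not None]
    untracked = [r.metric for r in defaults if r.track is None]
    if tracked and untracked and min(untracked) <= max(tracked):
        errors.append("backup default route metric must exceed the tracked primary's")
    return errors


def active_default_route(cfg: Config, sla_up: Dict[int, bool]) -> Optional[Route]:
    """Model the ASA behaviour: a tracked route is withdrawn while its SLA is down,
    and the lowest-metric remaining default route is installed."""
    candidates = []
    for r in cfg.routes:
        if (r.network, r.mask) != ("0.0.0.0", "0.0.0.0"):
            continue
        if r.track is not None and not sla_up.get(cfg.tracks.get(r.track), False):
            continue
        candidates.append(r)
    return min(candidates, key=lambda r: r.metric, default=None)


if __name__ == "__main__":
    for err in validate(parse_asa(SAMPLE_CONFIG)):
        print("draft:", err)
    good = parse_asa(FIXED_CONFIG)
    for state in (True, False):
        print("sla 123 up" if state else "sla 123 down", "->",
              active_default_route(good, {123: state}).nameif)
```

Run against the draft, the script flags the non-contiguous mask, the trailing dot in the network address and the route whose interface name does not match any nameif; on the corrected snippet it reports no errors and shows the default route flipping from outside to backup-isp when the probe fails. It only models the routing side of the design; the NAT question (which translations apply once traffic egresses the backup interface) is not covered here.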
11-15-2016 09:24 AM
Kevin,
I have been looking around for the equivalent of route maps for static NAT entries which would work in a failover scenario. So far, I haven't found anything similar. In IOS, it would look like this:
route-map static_to_ISP_1 permit 10
match interface GigabitEthernet0/7
route-map static_to_ISP_2 permit 10
match interface GigabitEthernet0/x
ip nat inside source static 192.168.10.2 38.x.x.242 route-map static_to_ISP_1
ip nat inside source static 192.168.10.2 x.x.x.x route-map static_to_ISP_2