
Dual ISP failover ASA 5505 - Dynamic IPs

Hugo Rosado
Level 1

Hi Guys,

My boss just got another ISP in the game: we have a brand new Vodafone 200MB circuit into the office and we also kept the old one, so at the moment we have 2 ISPs providing internet to the company. Obviously the boss wants to make the site redundant, so he would like to use the old circuit (secondary) in case the new circuit (primary) goes down. Both circuits are provided with dynamic IPs assigned, so I have gone through this configuration I found online for the ASA 5505 (just like the one we have):

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html

The thing with this configuration is that it forces you to put in the default gateway of the currently assigned IP address you have been given by your ISP, so if the IP changes then the gateway will change as well and so traffic will not be forwarded to the new gateway but to the old one. Is there any way of solving this on the ASA, or will I need to put in a router which will get both links, and then forward the traffic from the ASA to the router, and the router will sort out the ISP redundancy?

Any help will be much appreciated.

Regards

Hugo Rosado

5 Replies

AllertGen
Level 3

Hello, Hugo Rosado.

You can try the line "dhcp client route track #" inside the ISP interface on the ASA. You can also use the line "dhcp client route distance #" to set a metric for the route from the DHCP server.

Best Regards.

Hi AllertGen,

Thanks for your response. At the moment I have 2 interfaces with internet; one interface is on standby (backup) and the other one is active (primary):

0.0.0.0 0.0.0.0 [1/0] via 89.115.0.1, VodafoneTrunk

At the moment, if I lose power on the devices my default gateway will change. I cannot get my head around whether applying the command dhcp client route track would resolve my gateway problems if I lose power and the default gateway changes.

Regards

Hugo Rosado 

Hi.

Look at IP SLA technology. You can check access to some hosts on the internet, and if your main ISP stops working, the command "dhcp client route track #" inside the main interface tells the ASA to stop using this route. And with "dhcp client route distance #" you can set a better metric for the route from the main ISP (for example "2" for main and "3" for backup). And while this better route exists (while the track is up), the ASA will use the route to the main ISP.

Best Regards.

Many thanks for your answer,

I'm still not getting my head around this.

I have IP SLA configured on my firewall. The thing is, when you configure IP SLA it asks you to configure a default gateway for the traffic. When I configure that default gateway, it's the gateway I have at the time, but if I have a power failure my external IP will change and so will my default gateway.

Hi.

You can look at this guide as example of configuration: http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/route_static.html#61801

As I see it, the web interface can work only with static routes for an SLA (it wants to create lines for IP SLA and for static routing, but you need to configure only IP SLA), but the ASA uses only the output interface for IP SLA in the configuration.

Best Regards.
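
The approach suggested in the replies, written out as an added example (not taken from any post in this thread): the default gateway is learned from DHCP with `ip address dhcp setroute` instead of being typed in as a static route, and the primary's DHCP route is tied to an SLA track. Only the interface name VodafoneTrunk and the distances 2 and 3 come from the thread; the VLAN numbers, the backup interface name, the SLA and track IDs, the probe timers and the probe target are assumptions.

```cisco
! Constructed example. 192.0.2.1 is a documentation placeholder:
! replace it with a host that is reachable only through the primary ISP.
sla monitor 10
 type echo protocol ipIcmpEcho 192.0.2.1 interface VodafoneTrunk
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
!
! Track object 1 is up while SLA operation 10 gets replies.
track 1 rtr 10 reachability
!
! Primary ISP (VLAN number assumed). The dhcp client route commands must be
! entered before "ip address dhcp setroute" so they apply to the learned route.
interface Vlan2
 nameif VodafoneTrunk
 security-level 0
 dhcp client route track 1
 dhcp client route distance 2
 ip address dhcp setroute
!
! Backup ISP (VLAN number and nameif are hypothetical). Its DHCP default
! route has a worse distance, so it is used only when the tracked
! primary route has been withdrawn.
interface Vlan3
 nameif BackupISP
 security-level 0
 dhcp client route distance 3
 ip address dhcp setroute
```

`show track 1` and `show route` show whether the track is up and which default route is currently installed.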