Dual ISPs in Cisco ASA 5520

CSCO11593588
Level 1

Hey everyone,

We have 2 ISPs -------> two ASA 5520 (primary / secondary) --------> LAN.

The ASA is configured with ACLs and static NAT for our mail, web & FTP servers.

My question is how to configure the 2nd ISP on the ASA to auto-switch to the 2nd ISP when the 1st is down, with a backup static NAT and backup ACL for the new ISP; in other words, how to configure an active static NAT and a backup static NAT and ACL only for the Exchange/mail server.

Here is an example of our configuration, where PIE is the primary ISP and EMC is the backup ISP.

Looking forward to your quick and positive response!

ASA Version 8.2(1)
!
hostname Corp-ASA
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 description LINK TO CORPORATE
 nameif CORP
 security-level 100
 ip address 172.30.8.1 255.255.255.240 standby 172.30.8.2
!
interface GigabitEthernet0/1
 description LINK TO PIE
 nameif PIE
 security-level 0
 ip address x.x.x.x x.x.x.x standby x.x.x.x
!
interface GigabitEthernet0/2
 description LINK TO EMC
 nameif EMC
 security-level 0
 ip address x.x.x.x x.x.x.x standby x.x.x.x
!
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list INTERNET extended permit ip any any
access-list ICMP extended permit icmp any any
access-list ICMP extended permit ip any any
access-list EMAIL extended permit ip host 172.30.10.50 any
access-list EMAIL extended permit icmp host 172.30.10.0 any
pager lines 24
mtu CORP 1500
mtu PIE 1500
mtu EMC 1500
failover
failover lan unit primary
failover lan interface FO GigabitEthernet0/3
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
failover key *****
failover replication http
failover link FO GigabitEthernet0/3
failover interface ip FO 10.0.0.1 255.0.0.0 standby 10.0.0.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (PIE) 1 interface
global (EMC) 1 interface
nat (CORP) 1 access-list INTERNET
access-group ICMP in interface PIE
access-group ICMP out interface PIE
access-group ICMP in interface EMC
access-group ICMP out interface EMC
!
router ospf 1
 router-id 5.5.5.5
 network 172.30.8.0 255.255.255.240 area 0
 area 0 authentication message-digest
 log-adj-changes
 default-information originate
!
route PIE 0.0.0.0 0.0.0.0 x.x.x.x 1 track 1
route EMC 0.0.0.0 0.0.0.0 x.x.x.x 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 1
 type echo protocol ipIcmpEcho x.x.x.x interface PIE
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
track 1 rtr 1 reachability
telnet 0.0.0.0 0.0.0.0 CORP
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 PIE
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username cisco password 3USUcOPFUiMCO4Jk encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:4b27304c57a7d17872c9fbce5250f4d2
: end

paulstone80
Level 3

If I understand you correctly, you have two different ISPs connected to two different interfaces on the ASA, and then the same connections replicated again to a secondary/standby ASA. All traffic goes via ISP1 until there is a service failure, at which point traffic is routed via ISP2. I assume you have been provided different public IP ranges from each ISP.

I haven't tested this scenario but in principle it should work.

You would need to set up two NAT configurations, one for ISP1 on interface 0/1 and one for ISP2 on interface 0/2, and also configure the necessary ACLs. It looks like you've done this already.

Add a default route to ISP1 with a metric of 1. Add a default route to ISP2 with a metric higher than 1 (10 for example).

Configure IP SLA monitoring on the default route to ISP1. When the monitoring fails, the route to ISP1 will be removed from the routing table and the route to ISP2 will become the new default route. As traffic leaves interface0/2 it will be NAT'd to the IP addresses for ISP2.

Hope this helps,

Paul

HTH Paul ****Please rate useful posts****
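The scheme Paul describes, written out in the ASA 8.2 syntax of the posted config, as an added illustration that is not part of either post: a static NAT for the mail server on each ISP interface, an inbound ACL per interface that references the mapped address (8.2 ACLs use pre-NAT public addresses), and the tracked default routes. The public addresses 203.0.113.x and 198.51.100.x and the probe target are placeholders from the RFC 5737 documentation ranges standing in for the x.x.x.x values; 172.30.10.50 is the mail server address taken from the EMAIL ACL.

```cisco
! Mail server real address (from the posted EMAIL ACL): 172.30.10.50
! Placeholder public addresses: PIE side 203.0.113.25, EMC side 198.51.100.25

! One static NAT per ISP interface; both stay configured at all times,
! so whichever interface is carrying traffic has a translation ready.
static (CORP,PIE) 203.0.113.25 172.30.10.50 netmask 255.255.255.255
static (CORP,EMC) 198.51.100.25 172.30.10.50 netmask 255.255.255.255

! Inbound ACLs: permit only SMTP to the mapped address on each ISP interface.
access-list PIE_IN extended permit tcp any host 203.0.113.25 eq smtp
access-list EMC_IN extended permit tcp any host 198.51.100.25 eq smtp
access-group PIE_IN in interface PIE
access-group EMC_IN in interface EMC

! Outbound PAT for everything else; the active default route picks the interface.
global (PIE) 1 interface
global (EMC) 1 interface
nat (CORP) 1 access-list INTERNET

! Reachability probe out of PIE toward a stable upstream address (placeholder).
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface PIE
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability

! Tracked primary default route; when track 1 goes down it is withdrawn and
! the higher-metric EMC route becomes the default.
route PIE 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route EMC 0.0.0.0 0.0.0.0 198.51.100.1 10
```

Binding PIE_IN and EMC_IN replaces the posted ICMP access-group, whose `permit ip any any` entry currently allows all inbound traffic on both ISP interfaces. Inbound mail only arrives on the address the sender resolves, so failover of incoming SMTP also needs MX records for both public addresses (or a DNS change) rather than the ASA alone.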