07-10-2011 11:19 PM - edited 03-04-2019 12:56 PM
Hey everyone,
We have 2 ISPs -> two ASA 5520 (primary/secondary) -> LAN.
The ASA is configured with ACLs and static NAT for our mail, web & FTP servers.
My question is how to configure the 2nd ISP on the ASA so that it automatically switches to the 2nd ISP when the 1st is down, with a backup static NAT and backup ACL for the new ISP; in other words, how to configure an active static NAT and a backup static NAT and ACL only for the Exchange/mail server.
Here is an example of our configuration, where PIE is the primary ISP and EMC is the backup ISP.
Looking forward to your quick and positive response!
ASA Version 8.2(1)
!
hostname Corp-ASA
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
description LINK TO CORPORATE
nameif CORP
security-level 100
ip address 172.30.8.1 255.255.255.240 standby 172.30.8.2
!
interface GigabitEthernet0/1
description LINK TO PIE
nameif PIE
security-level 0
ip address x.x.x.x x.x.x.x standby x.x.x.x
!
interface GigabitEthernet0/2
description LINK TO EMC
nameif EMC
security-level 0
ip address x.x.x.x x.x.x.x standby x.x.x.x
!
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list INTERNET extended permit ip any any
access-list ICMP extended permit icmp any any
access-list ICMP extended permit ip any any
access-list EMAIL extended permit ip host 172.30.10.50 any
access-list EMAIL extended permit icmp host 172.30.10.0 any
pager lines 24
mtu CORP 1500
mtu PIE 1500
mtu EMC 1500
failover
failover lan unit primary
failover lan interface FO GigabitEthernet0/3
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
failover key *****
failover replication http
failover link FO GigabitEthernet0/3
failover interface ip FO 10.0.0.1 255.0.0.0 standby 10.0.0.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (PIE) 1 interface
global (EMC) 1 interface
nat (CORP) 1 access-list INTERNET
access-group ICMP in interface PIE
access-group ICMP out interface PIE
access-group ICMP in interface EMC
access-group ICMP out interface EMC
!
router ospf 1
router-id 5.5.5.5
network 172.30.8.0 255.255.255.240 area 0
area 0 authentication message-digest
log-adj-changes
default-information originate
!
route PIE 0.0.0.0 0.0.0.0 x.x.x.x 1 track 1
route EMC 0.0.0.0 0.0.0.0 x.x.x.x 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 1
type echo protocol ipIcmpEcho x.x.x.x interface PIE
num-packets 3
frequency 10
sla monitor schedule 1 life forever start-time now
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
track 1 rtr 1 reachability
telnet 0.0.0.0 0.0.0.0 CORP
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 PIE
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username cisco password 3USUcOPFUiMCO4Jk encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:4b27304c57a7d17872c9fbce5250f4d2
: end
07-20-2011 05:59 AM
If I understand you correctly you have two different ISPs connected to two different interfaces on ASA, and then the same connections replicated again to a secondary/standby ASA. All traffic goes via ISP1 until there is a service failure, at which point traffic is routed via ISP2. I assume you have been provided different public IP ranges from each ISP.
I haven't tested this scenario but in principle it should work.
You would need to set up two NAT configurations, one for ISP1 on interface 0/1 and one for ISP2 on interface 0/2, and also configure the necessary ACLs. It looks like you've done this already.
Add a default route to ISP1 with a metric of 1. Add a default route to ISP2 with a metric higher than 1 (10 for example).
Configure IP SLA monitoring on the default route to ISP1. When the monitoring fails, the route to ISP1 will be removed from the routing table and the route to ISP2 will become the new default route. As traffic leaves interface 0/2 it will be NAT'd to the IP addresses for ISP2.
Hope this helps,
Paul
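The steps above, written out as an added ASA 8.2 configuration example (this is not the original poster's config and not a Cisco reference configuration; it only fills in the pieces the posted config is missing). The public addresses 198.51.100.10 / 198.51.100.1 (PIE) and 203.0.113.10 / 203.0.113.1 (EMC) and the probe target 198.51.100.53 are placeholders from the RFC 5737 documentation ranges, and the ACL names PIE_IN and EMC_IN are invented for this example; substitute the addresses each ISP actually assigned. In 8.2 syntax an inbound ACL on an outside interface matches the mapped (public) address, so each ISP gets its own `static` and its own ACL. The example also replaces the `permit ip any any` ACL that the posted config applies inbound on both outside interfaces with a rule set that only exposes SMTP on the mail server, which is the "backup ACL" the question asks for.

```cisco
! ---- Static NAT for the Exchange server, one entry per ISP interface ----
! Outbound from 172.30.10.50 uses whichever static matches the egress
! interface chosen by the routing table; inbound to either public
! address is translated to the same internal host.
static (CORP,PIE) 198.51.100.10 172.30.10.50 netmask 255.255.255.255
static (CORP,EMC) 203.0.113.10 172.30.10.50 netmask 255.255.255.255
!
! ---- Inbound ACLs, one per ISP interface (8.2: destination = public IP) ----
access-list PIE_IN extended permit tcp any host 198.51.100.10 eq smtp
access-list PIE_IN extended permit icmp any any echo-reply
access-list PIE_IN extended permit icmp any any unreachable
access-list PIE_IN extended permit icmp any any time-exceeded
!
access-list EMC_IN extended permit tcp any host 203.0.113.10 eq smtp
access-list EMC_IN extended permit icmp any any echo-reply
access-list EMC_IN extended permit icmp any any unreachable
access-list EMC_IN extended permit icmp any any time-exceeded
!
! Remove the "permit ip any any" ACL the original config applies on both
! outside interfaces, then bind the narrow per-ISP ACLs inbound.
no access-group ICMP in interface PIE
no access-group ICMP out interface PIE
no access-group ICMP in interface EMC
no access-group ICMP out interface EMC
access-group PIE_IN in interface PIE
access-group EMC_IN in interface EMC
!
! ---- Outbound PAT for everything else already follows the egress interface
! (global (PIE) 1 interface / global (EMC) 1 interface in the posted config).
!
! ---- Tracked default routes: primary metric 1, backup metric 254 ----
route PIE 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route EMC 0.0.0.0 0.0.0.0 203.0.113.1 254
!
! ---- IP SLA probe sent out PIE; "interface PIE" pins the probe to that
! link regardless of the routing table. Probe a host beyond the first hop
! (e.g. the ISP's DNS server, placeholder 198.51.100.53) so that an ISP
! upstream outage, not only a dead next-hop, withdraws the route.
sla monitor 1
 type echo protocol ipIcmpEcho 198.51.100.53 interface PIE
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
```

To verify, pull the PIE link and watch `show track 1` change to "Reachability is Down" and `show route` drop the PIE default in favour of the EMC one; `show xlate` then shows 172.30.10.50 mapped to 203.0.113.10 for new outbound connections. `packet-tracer input EMC tcp 192.0.2.5 1025 203.0.113.10 25` (192.0.2.5 is a placeholder sender) confirms the inbound EMC path end to end, including the static and the ACL. Two caveats the routing configuration cannot solve: while PIE is down, mail sent to 198.51.100.10 does not arrive, so both public addresses need MX records (and matching SPF / reverse DNS) for inbound mail to fail over; and the same per-ISP `static` and ACL pair is needed for the web and FTP servers if they should also survive the switch. Unrelated to failover but visible in the posted config, `ssh 0.0.0.0 0.0.0.0 PIE` allows SSH management from any Internet address and should be narrowed to the administrators' source range.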