ASA 5512 Tracked Route SLA

james bennett
Level 1

Hi,

I'm trying to configure some basic failover on my ASA 5512-x using Tracked Static Routes. I have 2 static routes: one on my main Outside interface, which is tracked, and 1 static route on my outside_backup interface (not tracked). Basically, if I pull the cable out of the outside interface, a route is injected that pushes all traffic out of the outside_backup interface. This is initiated when the tracked IP address on the route cannot be accessed (ping), and this works very well for outbound traffic.

When failover does occur, I'd like to be able to also allow inbound access to some servers that are available when the main outside interface is up, things like an Exchange server and some remote access. The question I have is: how can I achieve this? I've started looking at creating objects for the servers that need access and using NAT to create them externally, essentially duplicating them and applying them via access rules to the outside_backup interface.

Is this the correct way to do it? I've also been looking at route maps but think these will still need the duplicate network objects created, as they just apply to ACLs.

Thanks

1 Reply

Carlos Amador
Cisco Employee

Hi James,

That is in fact the way to do it. You will have to mirror what you have on your main ISP connection to the backup (NATs and ACLs, and external access to the ASA if needed). Things like Exchange might be complicated because you will have to register the new IP address on the MX record, and for external web servers, as long as you have upstream DNS resolution to the backup address as well, it should be fine.

Regards
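
The mirroring described in this thread, as an added ASA configuration example that is not from either poster. All addresses (documentation ranges), object names, ACL names and the SLA/track IDs are constructed; only the interface names `outside` and `outside_backup` come from the question.

```cisco
! --- Tracked default route on the primary ISP, floating route on the backup ---
! 203.0.113.1 = assumed primary ISP gateway and SLA probe target
! 198.51.100.1 = assumed backup ISP gateway
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside_backup 0.0.0.0 0.0.0.0 198.51.100.1 254

! --- Inbound publishing: one object per ISP, same real host ---
! A network object holds a single object-NAT statement, so the server
! (assumed real address 10.0.0.10) is defined twice, once per interface.
object network EXCH-VIA-PRIMARY
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.10
object network EXCH-VIA-BACKUP
 host 10.0.0.10
 nat (inside,outside_backup) static 198.51.100.10

! --- ACLs: the backup ACL permits exactly what the primary permits ---
! On the 5512-X the ACL matches the real (inside) address, so both
! entries name the same host; only the interface binding differs.
access-list outside_in extended permit tcp any host 10.0.0.10 eq smtp
access-list outside_in extended permit tcp any host 10.0.0.10 eq https
access-list outside_backup_in extended permit tcp any host 10.0.0.10 eq smtp
access-list outside_backup_in extended permit tcp any host 10.0.0.10 eq https
access-group outside_in in interface outside
access-group outside_backup_in in interface outside_backup
```

Keeping the two ACLs identical line for line makes drift easy to spot in review: the backup path should never expose a port the primary does not. `show track 1` and `show route` confirm which default route is installed during a failover test.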