Tracking the outside interface of the ASA

nguyenvinnie · ‎08-13-2010

Is there a way I could track the "outside" interface (public ip) of the ASA from my core 6509? I know the ASA won't allow Ping to remote interface from inside network. TIA

Eric Boadu · ‎08-13-2010

Check out these links hope ii helps!

https://supportforums.cisco.com/docs/DOC-6114;jsessionid=AB591CDEAFF6B779924BAC90890BEF10.node0

http://www.plixer.com/files/netflow-on-the-asa-11-18-09.pdf

Thx,

Eric

Nagaraja Thanthry · ‎08-13-2010

Hello,

Are you trying to track the ISP connectivity? If that is the goal, then you

can track the ISP gateway rather than the outside interface IP. You are

correct in that the firewall will not allow you to ping the outside

interface IP from inside. Typically, you configure tracking for default

gateway.

Hope this helps.

Regards,

NT

nguyenvinnie · ‎08-16-2010

I'm trying to load balacing and failover of the Internet traffic from the 2 locations, see below.

Bldg A 6509------>ASA1------->ISP

Bldg B 6509------->ASA2------->ISP

Traffic destin to the Internet will be load balancing between the buildings, traffic from users in bldg A 1st packer will hit ASA1, 2nd packet will hit ASA2. If one of the ISP down traffic will be sending to the other only. Below is the conf on both 6509's 10.20.30.1 is the inside interface of the ASA2 and 10.20.4.1 is inside interface of the ASA2. ICMP is the technic used for tracking the interfaces. I'd like to find a way of tracking the ISP not the ASA.

ip route 0.0.0.0 0.0.0.0 10.20.30.1 track 124

ip route 0.0.0.0 0.0.0.0 10.20.4.1 track 123

ip route 10.20.30.0 255.255.255.0 10.20.30.1 permanent

ip route 10.20.4.0 255.255.255.0 10.20.4.1 permanent

ip sla 124

icmp-echo 10.20.30.1

ip sla schedule 124 life forever start-time now

ip sla 123

icmp-echo 10.20.4.1

ip sla schedule 124 life forever start-time now