ASA with two internet connections

v.duee
Level 1

Hi,

I want to connect an ASA to two ISPs, one for internet traffic and one for the S2S VPN; there is a dedicated VPN router on the second link.

In case of an outage of the first link, the second shall become active.

route outside 0.0.0.0 0.0.0.0 10.20.20.1 1 track 1
route backup 0.0.0.0 0.0.0.0 10.20.30.1 254
route backup 192.168.0.0 255.255.0.0 10.20.30.1

Is this configuration working?
Accepted Solution

Jouni Forss
VIP Alumni

Hi,

You will have to configure "sla monitor" to monitor some destination IP address on the main ISP, so that the ASA can determine whether the connection is working or not. Probably some IP address on the public network.

sla monitor 1
 type echo protocol ipIcmpEcho interface outside
 num-packets
 timeout
 frequency
sla monitor schedule 1 life forever start-time now

You will also need the related "track" configuration and the tracked routes:

track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 10.20.20.1 track 1
route backup 0.0.0.0 0.0.0.0 10.20.30.1 254

The above, combined with the routes you mention, should be enough regarding the routing. Naturally, for every remote L2L VPN network you will always need a specific static route on the ASA towards the backup ISP device.

Also, you naturally need to handle the translations on the ASA. It seems both of your ISP links have a separate device in front which holds the public IP addresses. So am I correct to assume you are passing all traffic from the LAN to the ISP links through the ASA without any kind of NAT, and letting those routers handle the private-to-public NAT?

- Jouni
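A complete version of the tracked-default-route setup described in the answer above, as an added example that is not part of the original post or the poster's own configuration. It assumes the poster's interface names ("outside", "backup") and gateways (10.20.20.1, 10.20.30.1); the probe target 198.51.100.1, the probe timing values (3 packets, 1000 ms timeout, 10 s frequency) and the 192.168.0.0/16 VPN summary are placeholders chosen for illustration, not values from the thread.

```cisco
! Added example (hypothetical values), not the original poster's configuration.
! Probe target 198.51.100.1 is a placeholder: use a stable public address that
! answers ICMP and is reached through the primary ISP. Probing the directly
! connected router 10.20.20.1 only proves the first hop is up, not the ISP.
sla monitor 1
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside
 num-packets 3
 timeout 1000
 frequency 10
sla monitor schedule 1 life forever start-time now
!
! Tracked object follows the probe's reachability state
track 1 rtr 1 reachability
!
! Default route via the primary ISP; withdrawn from the routing table while
! track 1 is down, which lets the floating route below take over
route outside 0.0.0.0 0.0.0.0 10.20.20.1 1 track 1
!
! Floating default route via the backup ISP; metric 254 keeps it out of the
! table as long as the tracked route is installed
route backup 0.0.0.0 0.0.0.0 10.20.30.1 254
!
! Site-to-site VPN networks always go to the VPN router on the backup link,
! regardless of which default route is active
route backup 192.168.0.0 255.255.0.0 10.20.30.1 1
!
! Verification: probe state, tracked object state and the installed default
show sla monitor configuration 1
show sla monitor operational-state 1
show track 1
show route
```

When the probe fails, "show track 1" reports the object as down and "show route" shows the 0.0.0.0/0 entry pointing at 10.20.30.1; when replies resume it flips back. If the ASA performs NAT itself rather than leaving it to the ISP routers, a separate translation rule is needed for traffic leaving the "backup" interface, since ASA NAT rules are bound to an interface pair.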
