Dual ISP on Single ASA with failover

sanjeevmahadani
Level 1

Hello Guys,

I have two ISPs, which are configured on two different Cisco ASAs separately. Please refer to the configurations below for both ASAs.

My requirement is to put both ISPs and their configurations on a single ASA, with the second ASA put in as an Active/Standby failover unit.

This we have to do on priority. Please suggest....

:
ASA Version 7.0(8)
!
hostname GOIP-FW-SPECTRANET
domain-name goipglobal.local
enable password ezaMyFFEuoF0dAEd encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 180.151.8.26 255.255.255.248
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description LAN Failover Interface
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone IST 5 30
object-group service TCP-vocable tcp
port-object eq www
port-object range 8000 8099
port-object range 7500 7599
port-object range 12000 12999
port-object range 11000 11999
port-object eq ssh
object-group network vocable
network-object 180.151.8.122 255.255.255.255
network-object 180.151.8.123 255.255.255.255
object-group icmp-type vocable-icmp
icmp-object echo-reply
icmp-object echo
object-group icmp-type 1
icmp-object traceroute
object-group network DM_INLINE_NETWORK_1
network-object 0.0.0.0 0.0.0.0
network-object 192.168.1.0 255.255.255.0
object-group network vocable_real
network-object 192.168.1.122 255.255.255.255
network-object 192.168.1.129 255.255.255.255
object-group network vocable-vpn
network-object 192.168.11.170 255.255.255.255
network-object 192.168.11.160 255.255.255.255
network-object 192.168.11.162 255.255.255.255
access-list outside-in-acl extended permit icmp any any echo-reply
access-list outside-in-acl extended permit icmp any any time-exceeded
access-list outside-in-acl extended permit icmp any any unreachable
access-list outside-in-acl extended permit icmp any host 180.151.8.27
access-list outside-in-acl extended permit ip any host 180.151.8.27
access-list outside-in-acl extended permit icmp any host 180.151.8.28
access-list outside-in-acl extended permit ip any host 180.151.8.28
access-list outside-in-acl extended permit icmp any host 180.151.8.29
access-list outside-in-acl extended permit ip any host 180.151.8.29
access-list outside-in-acl extended permit icmp host 202.53.250.100 any
access-list outside-in-acl extended permit icmp any object-group vocable
access-list outside-in-acl extended permit icmp any object-group vocable traceroute
access-list outside-in-acl extended permit ip any host 180.151.8.30
access-list outside-in-acl extended permit icmp any host 180.151.8.30
access-list outside-in-acl extended permit icmp any host 180.151.8.124
access-list outside-in-acl extended permit ip any host 180.151.8.124
access-list outside-in-acl extended permit ip any host 180.151.8.126
access-list outside-in-acl extended permit tcp any host 180.151.8.125 eq ssh
access-list outside-in-acl extended permit tcp any host 180.151.8.125 eq www
access-list outside-in-acl extended permit tcp any host 180.151.8.125 eq 5800
access-list outside-in-acl extended permit tcp any host 180.151.8.125 eq 5900
access-list outside-in-acl extended permit tcp any host 180.151.8.125 eq 5901
access-list outside-in-acl extended permit ip any host 180.151.8.122
access-list outside-in-acl extended permit ip any host 180.151.8.123
access-list outside-in-acl extended permit ip any host 180.151.8.125
access-list outside-in-acl extended permit tcp any object-group vocable object-group TCP-vocable
access-list outside-in-acl extended permit tcp any host 180.151.8.125 eq 3690
access-list outside-in-acl extended permit tcp any host 180.151.8.125 eq 6200
access-list outside-in-acl extended permit tcp any host 180.151.8.125 eq 9101
access-list outside-in-acl extended permit tcp any host 180.151.8.125 eq 9102
access-list remote-vpn_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 10.10.10.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 10.10.10.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip host 172.17.2.19 object-group vocable-vpn
access-list inside_nat0_outbound extended permit ip host 172.17.2.109 object-group vocable-vpn
access-list vocable extended permit ip any host 180.151.8.122
access-list vocable extended permit ip any host 180.151.8.123
access-list vocable extended permit ip host 180.151.8.122 any
access-list vocable extended permit ip host 180.151.8.123 any
access-list vocable extended permit ip any host 180.151.8.125
access-list vocable extended permit ip host 180.151.8.125 any
access-list class-default extended permit ip any any
access-list vocable_vpn extended permit ip host 172.17.2.109 object-group vocable-vpn
access-list outside_cryptomap_22 extended permit ip host 172.17.2.19 object-group vocable-vpn
access-list outside_cryptomap_20_1 extended permit ip host 172.17.2.109 object-group vocable-vpn
pager lines 24
logging enable
logging timestamp
logging trap informational
logging device-id hostname
logging host inside 172.16.0.124
mtu outside 1500
mtu inside 1500
ip local pool remote_ip_pool 10.10.10.1-10.10.10.100 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface fail GigabitEthernet0/3
failover interface ip fail 1.1.1.1 255.255.255.0 standby 1.1.1.2
asdm image disk0:/asdm-508.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 180.151.8.126 8080 172.16.0.4 8080 netmask 255.255.255.255
static (inside,outside) tcp 180.151.8.126 8500 172.16.0.124 8500 netmask 255.255.255.255
static (inside,outside) tcp 180.151.8.126 3389 192.168.1.48 3389 netmask 255.255.255.255
static (inside,outside) tcp 180.151.8.126 4200 172.16.0.124 3389 netmask 255.255.255.255
static (inside,outside) tcp 180.151.8.126 8283 172.16.0.16 3389 netmask 255.255.255.255
static (inside,outside) 180.151.8.27 192.168.1.120 netmask 255.255.255.255
static (inside,outside) 180.151.8.29 192.168.1.25 netmask 255.255.255.255
static (inside,outside) 180.151.8.122 192.168.1.122 netmask 255.255.255.255
static (inside,outside) 180.151.8.123 192.168.1.129 netmask 255.255.255.255
static (inside,outside) 180.151.8.125 172.17.2.109 netmask 255.255.255.255
static (inside,outside) 180.151.8.28 192.168.1.244 netmask 255.255.255.255
static (inside,outside) 180.151.8.124 172.16.16.200 netmask 255.255.255.255
access-group outside-in-acl in interface outside
route outside 0.0.0.0 0.0.0.0 180.151.8.25 1
route inside 172.18.0.0 255.255.0.0 192.168.1.1 1
route inside 172.17.0.0 255.255.0.0 192.168.1.1 1
route inside 172.16.0.0 255.255.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy remote-vpn internal
group-policy remote-vpn attributes
vpn-tunnel-protocol IPSec webvpn
split-tunnel-policy tunnelall
split-tunnel-network-list value remote-vpn_splitTunnelAcl
webvpn
group-policy goip internal
group-policy goip attributes
vpn-tunnel-protocol IPSec
webvpn
username sandeep password 3RPLe5XLRun5d2eR encrypted
username goip password HgC84z9ard1.bOgr encrypted
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.123 255.255.255.255 inside
snmp-server host inside 172.17.2.107 community goip$123
snmp-server host inside 172.16.0.124 poll community goip-pix
snmp-server host inside 172.16.0.27 community goip-pix
no snmp-server location
no snmp-server contact
snmp-server community goip-pix
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set goip esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set goip
crypto dynamic-map dyn1 1 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set reverse-route
crypto map outside_map 20 match address outside_cryptomap_20_1
crypto map outside_map 20 set peer 202.134.12.24
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 2 set security-association lifetime seconds 28800
crypto map outside_map0 2 set security-association lifetime kilobytes 4608000
crypto map outside_map0 22 set security-association lifetime seconds 28800
crypto map outside_map0 22 set security-association lifetime kilobytes 4608000
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 1
isakmp policy 30 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group TunnelGroup1 type ipsec-ra
tunnel-group TunnelGroup1 general-attributes
default-group-policy remote-vpn
tunnel-group TunnelGroup1 ipsec-attributes
pre-shared-key *
tunnel-group 202.134.12.24 type ipsec-l2l
tunnel-group 202.134.12.24 ipsec-attributes
pre-shared-key *
tunnel-group goipgroup type ipsec-ra
tunnel-group goipgroup general-attributes
address-pool remote_ip_pool
tunnel-group goipgroup ipsec-attributes
pre-shared-key *
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 1
console timeout 0
!
class-map class_sip_tcp
match port tcp eq sip
class-map inspection_default
match default-inspection-traffic
class-map vocable
match access-list vocable
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
class class_sip_tcp
  inspect sip
policy-map vocable
class vocable
  police 4000000 2000
class class-default
  police 2000000 2000
!
service-policy global_policy global
service-policy vocable interface outside
ntp server 195.43.74.123 source outside prefer
Cryptochecksum:8d76dde60ef1c320f9d4895d639c6d5e
: end


GOIP-FW-SPECTRANET-2# sh run
: Saved
:
ASA Version 7.0(8)
!
hostname GOIP-FW-SPECTRANET-2
enable password ezaMyFFEuoF0dAEd encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 103.6.119.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.17.3.5 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object-group network vocable-vpn
network-object 192.168.11.170 255.255.255.255
network-object 192.168.11.160 255.255.255.255
network-object 192.168.11.162 255.255.255.255
network-object 10.16.26.73 255.255.255.255
network-object 10.16.22.99 255.255.255.255
network-object 202.134.12.6 255.255.255.255
access-list internet extended permit ip any any
access-list out-in extended permit ip any host 103.6.119.13
access-list out-in extended permit ip any host 103.6.119.14
access-list out-in extended permit ip any host 103.6.119.15
access-list out-in extended permit ip any host 103.6.119.16
access-list out-in extended permit ip any host 103.6.119.17
access-list out-in extended permit ip any host 103.6.119.18
access-list out-in extended permit ip any host 103.6.119.19
access-list out-in extended permit ip any host 103.6.119.20
access-list out-in extended permit ip any host 103.6.119.21
access-list out-in extended permit ip any host 103.6.119.22
access-list out-in extended permit ip any host 103.6.119.23
access-list out-in extended permit ip any host 103.6.119.24
access-list out-in extended permit ip any host 103.6.119.11
access-list out-in extended permit ip any host 103.6.119.12
access-list out-in extended permit ip any host 103.6.119.25
access-list out-in extended permit ip any host 103.6.119.26
access-list out-in extended permit ip any host 103.6.119.27
access-list out-in extended permit ip any host 103.6.119.28
access-list out-in extended permit ip any host 103.6.119.29
access-list inside_nat0_outbound extended permit ip host 172.17.2.109 object-group vocable-vpn
access-list outside_cryptomap_20_1 extended permit ip host 172.17.2.109 object-group vocable-vpn
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list internet
static (inside,outside) 103.6.119.13 172.17.2.109 netmask 255.255.255.255
static (inside,outside) 103.6.119.14 172.17.2.108 netmask 255.255.255.255
static (inside,outside) 103.6.119.15 172.17.2.103 netmask 255.255.255.255
static (inside,outside) 103.6.119.16 172.17.2.115 netmask 255.255.255.255
static (inside,outside) 103.6.119.17 172.17.2.110 netmask 255.255.255.255
static (inside,outside) 103.6.119.18 172.17.2.111 netmask 255.255.255.255
static (inside,outside) 103.6.119.19 172.17.2.113 netmask 255.255.255.255
static (inside,outside) 103.6.119.20 172.17.2.107 netmask 255.255.255.255
static (inside,outside) 103.6.119.21 172.17.2.112 netmask 255.255.255.255
static (inside,outside) 103.6.119.22 172.17.2.19 netmask 255.255.255.255
static (inside,outside) 103.6.119.23 172.17.2.106 netmask 255.255.255.255
static (inside,outside) 103.6.119.24 172.17.2.114 netmask 255.255.255.255
static (inside,outside) 103.6.119.11 172.17.2.117 netmask 255.255.255.255
static (inside,outside) 103.6.119.12 172.17.2.118 netmask 255.255.255.255
static (inside,outside) 103.6.119.25 172.17.2.120 netmask 255.255.255.255
static (inside,outside) 103.6.119.26 172.17.2.123 netmask 255.255.255.255
static (inside,outside) 103.6.119.27 172.17.2.15 netmask 255.255.255.255
static (inside,outside) 103.6.119.28 172.17.2.130 netmask 255.255.255.255
static (inside,outside) 103.6.119.29 172.17.2.116 netmask 255.255.255.255
access-group out-in in interface outside
route outside 0.0.0.0 0.0.0.0 103.6.119.1 1
route inside 172.17.0.0 255.255.0.0 172.17.3.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username sanjeev password inD903e/KN5gofHS encrypted privilege 7
username praful password TEzhJ7QU1N69uu44 encrypted privilege 15
username sandeep password 3RPLe5XLRun5d2eR encrypted
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address outside_cryptomap_20_1
crypto map outside_map 20 set peer 202.134.12.24
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 1
isakmp policy 30 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group 202.134.12.24 type ipsec-l2l
tunnel-group 202.134.12.24 ipsec-attributes
pre-shared-key *
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 1
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
Cryptochecksum:a8238e3b6b190d90bfb0d25ea1e09f50
: end


4 Replies

Hi Sanjeev,

Please check this out and adjust your settings:

ASA/PIX 7.x: Redundant or Backup ISP Links Configuration Example

Let me know if you have any questions.

HTH.

Portu.

Please rate any helpful posts

Hi Portu,

Thanks for these documents.

My query is that I have two WAN IPs for outside and two LAN subnets for inside, and a few existing IPSec tunnels also need to be shifted. So my confusion is about the LAN subnets. How do I manage two LAN subnets?

Sanjeev

First check how many physical ports you have in your firewall,

then assign both ISPs to their own interfaces,

and for the LAN side also give two interfaces.... and use the command "same-security-traffic permit intra-interface",

which will allow both LAN networks to work for you.

You can do this configuration for the LAN side through ASDM, which will be easier.

Sanjeev,

As mentioned by Shine, all you need is:

1- Create two interfaces, one for each subnet:

                          INSIDE1
    Subnet 1 --------------------------------->
                                                ASA Failover pair
    Subnet 2 --------------------------------->
                          INSIDE2

* To route between the two networks you can use "same-security-traffic permit inter-interface", as long as they share the same security level.

2- Move the two networks to a SW / Router and have a single interface on the ASA:

                          INSIDE1
    Subnet 1 ------------------------------->
                                              SW / Router --> ASA Failover pair
    Subnet 2 ------------------------------->
                          INSIDE2

* Internal routing is not handled by the ASA; the L3 device would take care of it.

On the other hand, for the two ISPs and the IPsec deployment I already provided the example in the first post.

Let me know if you have any further questions.

Portu.

Please rate any helpful posts.

Message was edited by: Javier Portuguez
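Putting the two replies together (the backup-ISP document Portu points to in the first reply, and his option 2 for the LAN side in the last one), here is an editor-added sketch of what the merged configuration looks like on the primary unit; it is not from the thread or from Cisco. Addresses are the ones posted above; the standby addresses, the `sla monitor`/`track` numbers and the interface assignments are assumptions, and `sla monitor` with tracked static routes needs ASA 7.2(1) or later, while both posted units run 7.0(8).

```text
! Added example: one ASA carrying both ISPs, both LAN subnets behind the L3 device at
! 192.168.1.1 (Portu's option 2), Gi0/3 kept for the failover link.
! Requires ASA 7.2(1)+ for "sla monitor" / "track"; the posted units run 7.0(8).
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ! 180.151.8.24/29 has no unused address for a standby IP (.27-.30 are static NATs),
 ! so outside gets none here: failover still works, but interface monitoring on
 ! outside cannot test the standby unit until a spare address is available.
 ip address 180.151.8.26 255.255.255.248
!
interface GigabitEthernet0/2
 nameif backup
 security-level 0
 ip address 103.6.119.2 255.255.255.0 standby 103.6.119.3
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3
!
interface GigabitEthernet0/3
 description LAN Failover Interface
!
failover
failover lan unit primary
failover lan interface fail GigabitEthernet0/3
failover interface ip fail 1.1.1.1 255.255.255.0 standby 1.1.1.2
!
! Both LAN subnets are reached through 192.168.1.1, as on the first box already
route inside 172.16.0.0 255.255.0.0 192.168.1.1 1
route inside 172.17.0.0 255.255.0.0 192.168.1.1 1
route inside 172.18.0.0 255.255.0.0 192.168.1.1 1
!
! The primary default route is withdrawn while the ICMP probe fails and the metric-254
! backup route takes over; probing a host beyond the ISP1 gateway is more reliable
! than probing the gateway itself, which may keep answering after the uplink is down
sla monitor 10
 type echo protocol ipIcmpEcho 180.151.8.25 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 180.151.8.25 1 track 1
route backup 0.0.0.0 0.0.0.0 103.6.119.1 254
!
! PAT on whichever ISP interface currently holds the default route
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
!
! Hosts published on the second ISP move to the (inside,backup) pair; the Cisco
! example covers outbound failover only, so inbound reachability over the backup
! link has to be tested separately
static (inside,backup) 103.6.119.13 172.17.2.109 netmask 255.255.255.255
access-group outside-in-acl in interface outside
access-group out-in in interface backup
!
! The site-to-site peer that lived on the second box is now bound to "backup"
crypto map outside_map interface backup
isakmp enable backup
```

While merging, the management lines carried over from both boxes (`ssh version 1`, `telnet 0.0.0.0 0.0.0.0 inside`, `http 0.0.0.0 0.0.0.0 outside`) are worth restricting so they do not end up reachable on both ISP interfaces.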