Tuesday 30 December 2014

ISP Failover by Cisco ASA (9.1)

ISP Failover by Cisco ASA: A Cisco ASA can fail over between two ISPs (a dual-ISP configuration). This is failover, not load balancing: all traffic leaves through the primary link while it is up, and the backup link is used only when the primary is detected as down. Below are the pieces of configuration that make the failover work.

1. Interface configuration: configure one interface per ISP, both with security-level 0.
Example: 
interface GigabitEthernet0/1
speed 100
duplex full
nameif outside
security-level 0
ip address xxxxx

2. Configure SLA monitor: this probes the availability of a remote host with the configured protocol; here ICMP echo is used. The values below send three echoes per operation, every 10 seconds, each waiting up to 1000 ms for a reply. Pick a target that is reachable only through ISP1 and that is reliably up, because a target that goes down on its own will trigger a failover even when the link itself is fine.
Example:
ASA(config)# sla monitor 10
ASA(config-sla-monitor)# type echo protocol ipIcmpEcho "Remote host IP" interface outside
ASA(config-sla-monitor-echo)# num-packets 3
ASA(config-sla-monitor-echo)# frequency 10
ASA(config-sla-monitor-echo)# timeout 1000
ASA(config)# sla monitor schedule 10 life forever start-time now

3. Configure a tracking object: it follows the reachability state reported by the SLA monitor ("rtr 10" refers to sla monitor 10).
Example:
(config)# track 5 rtr 10 reachability

4. Configure a default route for each ISP. The primary route is tied to the track object and has metric 1; the backup route has a higher administrative distance (50), so it is only installed when the tracked primary route is withdrawn.
example:
route outside 0.0.0.0 0.0.0.0 "ISP1_GW" 1 track 5
route backup_link 0.0.0.0 0.0.0.0 "ISP2_GW" 50

5. Now the most important and confusing part on ASA 9.1 software (the ASA does not run IOS): the NAT syntax changed starting from 8.3. In older versions "global" statements told the ASA which interface to NAT to, and more than one global statement could be configured. In the new code (9.1) a network object carries only one nat statement, so changing the nat under a "network object" replaces the existing statement with one that points at a single interface; one object cannot NAT to more than one interface.
So I applied a trick:

I made two dynamic NAT statements above the existing dynamic NAT statement and configured them for the outside and backup interfaces respectively (the outside rule above the backup rule), and that trick worked well for me. It is better to use ASDM to configure these NAT rules, because ASDM makes it easy to place the rules at the desired position.

Example (command line; define the subnet first so the nat line has an address to translate):

object network Dynamic_failover_nat
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

object network Dynamic_failover_nat1
 subnet 0.0.0.0 0.0.0.0
 nat (inside,backup_link) dynamic interface
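The five steps above, put together into one complete configuration as an added example; this is not the original post's configuration. Interface names, addresses and the probe target are assumptions chosen for illustration: ISP1 on GigabitEthernet0/1 (192.0.2.0/29, gateway 192.0.2.1), ISP2 on GigabitEthernet0/2 (198.51.100.0/29, gateway 198.51.100.1), the LAN 10.10.10.0/24 on GigabitEthernet0/0, and 203.0.113.53 as the ICMP probe target. It goes slightly beyond the post by adding the floating-conn timeout, which makes existing connections move back to the primary link after failback.

```cisco
! Added example (not from the original post). Names, addresses and the
! probe target are assumptions for illustration.
!
! 1. Interfaces: both ISP links at security-level 0
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.248
!
interface GigabitEthernet0/2
 nameif backup_link
 security-level 0
 ip address 198.51.100.2 255.255.255.248
!
! 2. SLA probe: ICMP echo to a host that is reachable only through ISP1.
!    "interface outside" pins the probe to that link, so it never
!    succeeds through the backup and masks a primary outage.
!    Keep the timeout (ms) below the frequency (s) so probes do not overlap.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.53 interface outside
 num-packets 3
 frequency 10
 timeout 1000
sla monitor schedule 10 life forever start-time now
!
! 3. Track object bound to the probe's reachability state
track 5 rtr 10 reachability
!
! 4. The primary default route follows the track; the backup route has a
!    higher administrative distance and is installed only while the
!    tracked route is withdrawn.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1 track 5
route backup_link 0.0.0.0 0.0.0.0 198.51.100.1 50
!
! 5. Object NAT (8.3+ syntax): one object per egress interface, because
!    a network object carries at most one nat statement. The ASA applies
!    the rule whose mapped interface matches the egress interface chosen
!    by the route lookup, so the active default route selects the PAT
!    address automatically.
object network Dynamic_failover_nat
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
!
object network Dynamic_failover_nat1
 subnet 0.0.0.0 0.0.0.0
 nat (inside,backup_link) dynamic interface
!
! Failback: connections built while backup_link was active keep using it
! until they close. A floating-conn timeout (default 0 = never) closes
! them once a better route exists so they re-establish over ISP1.
timeout floating-conn 0:01:00
```

Two things to check after applying this. First, "show route" should list only one default route at a time (the outside route while track 5 is Up, the backup_link route after it goes Down), and "show track 5" shows the transition. Second, anything bound to the outside interface by name does not move with the route: an access-group applied "in interface outside" must also be applied to backup_link, and inbound static NAT for published servers or VPN peers that terminate on outside will not be reachable through ISP2 unless configured there as well. If manual (twice) NAT is preferred over two objects, the equivalent rules are "nat (inside,outside) source dynamic any interface" and "nat (inside,backup_link) source dynamic any interface".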

Verify functionality:

ciscoasa# show sla monitor configuration
SA Agent, Infrastructure Engine-II
Entry number: 10
Owner:
Tag:
Type of operation to perform: echo
Target address: 109.176.83.53
Interface: outside
Number of packets: 3
Request size (ARR data portion): 28
Operation timeout (milliseconds): 1000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 10
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:


ciscoasa# show sla monitor operational-state
Entry number: 10
Modification time: 08:11:23.628 IST Mon Dec 29 2014
Number of Octets Used by this Entry: 2056
Number of operations attempted: 11
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 153
Latest operation start time: 08:13:03.629 IST Mon Dec 29 2014
Latest operation return code: OK
RTT Values:
RTTAvg: 153     RTTMin: 150     RTTMax: 160
NumOfRTT: 3     RTTSum: 460     RTTSum2: 70600


ciscoasa# show track 5
Track 5
  Response Time Reporter 10 reachability
  Reachability is Up
  1 change, last change 00:00:48
  Latest operation return code: OK
  Latest RTT (millisecs) 150
  Tracked by:
    STATIC-IP-ROUTING 0



With the primary link up, a traceroute leaves via the outside interface (ISP1):

ciscoasa# traceroute google.com

Type escape sequence to abort.
Tracing the route to 74.125.236.66

1   *
     xxxx.static-delhi.vsnl.net.in (xxxx) 0 msec 60 msec
2  172.29.251.34 40 msec 40 msec 40 msec
3   *  *  *
4  115.114.142.137.static-chennai.vsnl.net.in (115.114.142.137) 40 msec 40 msec 50 msec
5  121.240.1.50 50 msec 50 msec 50 msec
6  72.14.232.110 40 msec 40 msec 40 msec
7  209.85.249.235 40 msec 40 msec 40 msec
8  maa03s05-in-f2.1e100.net (74.125.236.66) 40 msec 50 msec 40 msec

After the outside interface was shut down to simulate an ISP1 failure, the same traceroute leaves via backup_link (ISP2):

ciscoasa# traceroute google.com

Type escape sequence to abort.
Tracing the route to 74.125.236.201

1  nsg-static-xxxx -airtel.com (xxxx) 0 msec 0 msec 0 msec
2  xxxx 0 msec 0 msec 0 msec
3  182.79.239.201 40 msec 60 msec 40 msec
4  72.14.242.178 40 msec 40 msec 40 msec
5  72.14.232.110 40 msec 40 msec 40 msec
6  209.85.240.147 40 msec 40 msec 40 msec
7  google.com (74.125.236.201) 40 msec 40 msec 40 msec


ciscoasa# ping backup_link google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 74.125.236.201, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/42/50 ms

ciscoasa# ping outside google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 74.125.236.201, timeout is 2 seconds:
Error: outside interface is shutdown