ASA Dual ISP using IP SLA

Category: ASA / Cisco

This post describes how to configure a Cisco ASA firewall for redundant (dual) ISP connections using the IP SLA and track features. IP SLA is configured in conjunction with a track object to monitor reachability of the next hop on the primary ISP connection. If the probe fails, the tracked primary default route is removed from the routing table and traffic fails over to a backup default route.

Configuration

Configure the two outside interfaces. In this example the interface names PRIMARY and SECONDARY identify the two ISP connections.

interface GigabitEthernet0/0
 nameif PRIMARY
 security-level 0
 ip address 1.1.1.1 255.255.255.0
 !
interface GigabitEthernet0/1
 nameif SECONDARY
 security-level 0
 ip address 2.2.2.1 255.255.255.0

Create NAT rules for traffic routed out of the PRIMARY and SECONDARY interfaces, so that whichever interface holds the active default route translates inside traffic to its own interface address.
</gml_replace>
<gr_replace lines="27" cat="clarify" orig="Create an SLA">
Create an SLA monitoring process that periodically sends ICMP echo requests, sourced from the PRIMARY interface, to the IP address of the next hop (the ISP router). Note that because the probe targets the directly connected ISP router, a failure further upstream (ISP router up but its uplink down) is not detected by this probe; probing an address beyond the ISP router is a common alternative.

nat (INSIDE,PRIMARY) after-auto source dynamic any interface
nat (INSIDE,SECONDARY) after-auto source dynamic any interface

Create an SLA monitoring process, which will periodically send ICMP echo requests to the IP address of the next hop (ISP router) and from the primary interface.

sla monitor 1
 type echo protocol ipIcmpEcho 1.1.1.254 interface PRIMARY
 threshold 1
 frequency 5

Schedule the SLA process to start immediately with a lifetime of forever.

sla monitor schedule 1 life forever start-time now

Create a track object; the rtr keyword references the SLA ID. The track object will be attached to the static default route.

track 100 rtr 1 reachability

Define a default route via the PRIMARY interface, referencing the track object.

route PRIMARY 0.0.0.0 0.0.0.0 1.1.1.254 1 track 100

Create a backup default route via the SECONDARY interface with an administrative distance greater than the tracked default route.

route SECONDARY 0.0.0.0 0.0.0.0 2.2.2.254 100
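To make the interaction between the SLA probe, the track object and the two default routes concrete, here is a small Python model of the failover logic. It is an added illustration, not part of the original post or any Cisco code; the route and track values are taken from the configuration above, and the class and function names are my own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class StaticRoute:
    interface: str
    next_hop: str
    distance: int                 # administrative distance
    track: Optional[int] = None   # track object ID; None means untracked

@dataclass
class Track:
    track_id: int
    sla_id: int                   # the "rtr" SLA process this track follows
    reachable: bool = True        # "Reachability is Up" in show track

class AsaFailover:
    """Toy model of ASA 'sla monitor' + 'track' + tracked static routes."""
    def __init__(self, routes: List[StaticRoute], tracks: List[Track]):
        self.routes = routes
        self.tracks: Dict[int, Track] = {t.track_id: t for t in tracks}

    def sla_probe(self, sla_id: int, timed_out: bool) -> None:
        """Feed one ICMP echo result: a reachability track goes Down when the
        probe times out and comes back Up when a later probe is answered."""
        for t in self.tracks.values():
            if t.sla_id == sla_id:
                t.reachable = not timed_out

    def installed_routes(self) -> List[StaticRoute]:
        """A tracked route is installed only while its track is Up."""
        return [r for r in self.routes
                if r.track is None or self.tracks[r.track].reachable]

    def default_route(self) -> StaticRoute:
        """Among installed candidates the lowest administrative distance wins."""
        return min(self.installed_routes(), key=lambda r: r.distance)

def build_from_post() -> AsaFailover:
    """Routes and track exactly as configured in the post (AD 1 tracked, AD 100 backup)."""
    return AsaFailover(
        routes=[StaticRoute("PRIMARY", "1.1.1.254", 1, track=100),
                StaticRoute("SECONDARY", "2.2.2.254", 100)],
        tracks=[Track(track_id=100, sla_id=1)])

def simulate() -> List[str]:
    """Egress interface in steady state, after a probe timeout, and after recovery."""
    asa = build_from_post()
    stages = [asa.default_route().interface]
    asa.sla_probe(sla_id=1, timed_out=True)    # PRIMARY next hop stops answering
    stages.append(asa.default_route().interface)
    asa.sla_probe(sla_id=1, timed_out=False)   # reachability restored
    stages.append(asa.default_route().interface)
    return stages

if __name__ == "__main__":
    print(simulate())   # ['PRIMARY', 'SECONDARY', 'PRIMARY']
```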

Verification

From a test computer ping an IP address on the internet, e.g. 8.8.8.8

Confirm traffic is being routed out of the PRIMARY interface

Confirm that traffic is hitting the correct NAT rule

Confirm the status of the IP SLA with the command show sla monitor operational-state; ensure Timeout equals FALSE.

Confirm that the reachability of the track is Up with the command show track.

Shut down the PRIMARY interface.

Confirm the status of the reachability of the track is Down

Confirm the default route is now via the SECONDARY interface

Confirm traffic is translated by the correct NAT rule, i.e. the (INSIDE,SECONDARY) rule.

Once connectivity via the PRIMARY interface is re-established and the SLA probe is answered again, the track returns to Up and the default route via the PRIMARY interface is reinstalled in the routing table, where it is preferred because of its lower administrative distance.