One of the best things a business can do is have redundant ISP (Internet Service Provider) connections. This ensures optimal uptime for the business. Even with the introduction of the Cisco Firepower Threat Defense firewall, the Cisco ASA and FTD with ASA firmware are still very popular IP firewalls.
This post describes how to configure a Cisco ASA firewall for redundant/dual ISP connections, using the IP SLA and track features. IP SLA will be configured in conjunction with the track feature to monitor the connection/reachability to the Primary ISP connection. In the event of failure, the primary default route will be removed and will failover to a backup route.
Configure the two outside interfaces. In this case the nameif values PRIMARY and SECONDARY identify the outside interfaces, and the ip address commands below belong under the respective interface configuration.
! under the interface configured with nameif PRIMARY
ip address 22.214.171.124 255.255.255.0
! under the interface configured with nameif SECONDARY
ip address 126.96.36.199 255.255.255.0
Create NAT rules for traffic routed out of the primary and secondary interfaces. We need to do this for both the global (dynamic) NAT and the static NAT rules. We like to create new objects for internal and external addresses. Don’t forget NAT rules for site-to-site VPNs and remote access VPNs.
! Section 3 (after-auto) dynamic PAT to the address of each outside interface
nat (INSIDE,PRIMARY) after-auto source dynamic any interface
nat (INSIDE,SECONDARY) after-auto source dynamic any interface
! Object NAT: an object can carry only one nat statement, so the same inside host
! needs one object per outside interface (each object also needs its host/subnet
! definition, and the server_outside_* objects must be defined as well)
object network server_inside_primary
 nat (INSIDE,PRIMARY) static server_outside_primary
object network server_inside_secondary
 nat (INSIDE,SECONDARY) static server_outside_secondary
! Section 1 identity (NAT exemption) rule for VPN traffic; it is evaluated before
! the after-auto PAT rules above, so VPN traffic is not translated
nat (INSIDE,PRIMARY) source static VPNSUBNET VPNSUBNET
Next, we’re going to create the SLA. This monitors the primary internet connection by sending ICMP echo requests (pings) out of the PRIMARY interface to a specific target. Choose a target that is reliably reachable and that you are permitted to ping, because the track goes down whenever the target stops answering, not only when the link itself fails.
sla monitor 1
 type echo protocol ipIcmpEcho <MONITOR_TARGET_IP> interface PRIMARY
Now we schedule the SLA process to start immediately with a lifetime of forever.
sla monitor schedule 1 life forever start-time now
Then, create a track ID. The “rtr” keyword references the SLA ID. The track ID will be used in conjunction with the static default route.
track 100 rtr 1 reachability
Next, define a default route via the PRIMARY interface, referencing the track object. This route stays in the routing table only while track 100 reports reachability as Up.
route PRIMARY 0.0.0.0 0.0.0.0 188.8.131.52 1 track 100
Lastly, create a backup default route via the SECONDARY interface with an administrative distance greater than that of the tracked default route (here 100 versus 1), so it is only installed once the tracked route is withdrawn.
route SECONDARY 0.0.0.0 0.0.0.0 184.108.40.206 100
From a test computer, ping an IP address on the internet, e.g. 220.127.116.11. Confirm that traffic is being routed out of the PRIMARY interface.
Confirm that traffic is hitting the correct NAT rule.
To confirm the status of the IP SLA, enter the command show sla monitor operational-state and ensure Timeout occurred is FALSE.
Confirm that the reachability of the track is Up, using the command show track.
Shut down the PRIMARY interface and confirm that the reachability of the track is now Down.
Confirm that the default route is now via the SECONDARY interface.
Confirm that traffic is translated by the correct NAT rule.
Re-establishing connectivity via the PRIMARY interface will result in the default route via the PRIMARY interface being installed in the routing table.
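The verification steps above can be automated by parsing the output of show sla monitor operational-state, show track and show route and checking that the three agree: a Timeout occurred of TRUE must coincide with the track being Down, and the installed default route must point at PRIMARY while the track is Up and at SECONDARY once it is Down. The script below is an added example and not part of the original post; the device output it works on is constructed to follow the ASA output layouts, with made-up counters, and the gateway addresses and track/SLA numbers are the ones used in the configuration above.

```python
import re

# Constructed sample output (not captured from a real device). The layout follows
# the ASA "show sla monitor operational-state", "show track" and "show route"
# commands; the counters and timestamps are made up for this example.
SLA_HEALTHY = """\
Entry number: 1
Number of operations attempted: 120
Operational state of entry: Active
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 1
Latest operation return code: OK
"""
SLA_FAILED = (SLA_HEALTHY
              .replace("Timeout occurred: FALSE", "Timeout occurred: TRUE")
              .replace("Latest operation return code: OK",
                       "Latest operation return code: Timeout"))

TRACK_UP = """\
Track 100
  Response Time Reporter 1 reachability
  Reachability is Up
  2 changes, last change 00:00:27
  Latest operation return code: OK
  Tracked by:
    STATIC-IP-ROUTING 0
"""
TRACK_DOWN = TRACK_UP.replace("Reachability is Up", "Reachability is Down")

ROUTE_PRIMARY = """\
Gateway of last resort is 188.8.131.52 to network 0.0.0.0

S*   0.0.0.0 0.0.0.0 [1/0] via 188.8.131.52, PRIMARY
"""
ROUTE_SECONDARY = """\
Gateway of last resort is 184.108.40.206 to network 0.0.0.0

S*   0.0.0.0 0.0.0.0 [100/0] via 184.108.40.206, SECONDARY
"""


def parse_sla(text):
    """Pull the fields the checklist cares about out of 'show sla monitor operational-state'."""
    def field(label):
        m = re.search(rf"^{re.escape(label)}:\s*(.+)$", text, re.M)
        return m.group(1).strip() if m else None
    return {
        "active": field("Operational state of entry") == "Active",
        "timeout": field("Timeout occurred") == "TRUE",
        "return_code": field("Latest operation return code"),
    }


def parse_track(text):
    """Extract track ID, referenced SLA ID and reachability from 'show track'."""
    m_id = re.search(r"^Track (\d+)", text, re.M)
    m_rtr = re.search(r"Response Time Reporter (\d+) reachability", text)
    m_state = re.search(r"Reachability is (Up|Down)", text)
    return {
        "track_id": int(m_id.group(1)) if m_id else None,
        "sla_id": int(m_rtr.group(1)) if m_rtr else None,
        "up": (m_state.group(1) == "Up") if m_state else None,
    }


def parse_default_route(text):
    """Return the installed static default route (AD, gateway, interface) from 'show route'."""
    m = re.search(r"^S\*\s+0\.0\.0\.0 0\.0\.0\.0 \[(\d+)/\d+\] via (\S+), (\S+)$",
                  text, re.M)
    if not m:
        return None
    return {"ad": int(m.group(1)), "gateway": m.group(2), "interface": m.group(3)}


def check_failover(sla_text, track_text, route_text,
                   primary="PRIMARY", secondary="SECONDARY"):
    """Apply the post's verification checklist; returns a list of problems (empty = consistent)."""
    sla = parse_sla(sla_text)
    track = parse_track(track_text)
    route = parse_default_route(route_text)
    problems = []
    if not sla["active"]:
        problems.append("SLA monitor is not active (check 'sla monitor schedule')")
    # A timed-out probe must show up as the track being Down, and vice versa.
    if sla["timeout"] != (not track["up"]):
        problems.append("track state does not match SLA timeout state")
    expected_ifc = primary if track["up"] else secondary
    if route is None:
        problems.append("no default route installed")
    elif route["interface"] != expected_ifc:
        problems.append(f"default route via {route['interface']}, expected {expected_ifc}")
    return problems


if __name__ == "__main__":
    for label, args in {
        "healthy": (SLA_HEALTHY, TRACK_UP, ROUTE_PRIMARY),
        "failed over": (SLA_FAILED, TRACK_DOWN, ROUTE_SECONDARY),
        "stale route": (SLA_FAILED, TRACK_DOWN, ROUTE_PRIMARY),
    }.items():
        print(f"{label}: {check_failover(*args) or 'OK'}")
```

In use, the three strings would come from the firewall (for example over SSH with a library that returns command output as text) and the check would run on a schedule, so that a stale default route or a track that disagrees with its SLA is raised as an alert rather than discovered during an outage.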