Scenario:
Make: Cisco
Model: ASA 5506-X, ASA 5506 W-X, ASA 5508-X, Cisco ASA 5500 Series
Mode: CLI [Command Line Interface]
Version: ASA version 9.x or later, ASDM version 7.x or later
Description: In this article, we will discuss the stepwise method of how to configure Redundant or Backup ISP link on Cisco ASA Firewalls. Here Cisco ASA will use a static route tracking feature to enable the device to use redundant or backup Internet connections. Redundant or Backup ISP can be configured using GUI method as well.
Introduction
It is always recommended to have redundant internet services to counter the situations in case an ISP goes down. Here we will discuss how to configure an ASA for two ISP to work as an automatic failover in case the primary goes down. The configuration that is described in this article cannot be used for load balancing or load sharing, as it is not supported on the ASA. We will use SSH or CLI and ASDM methods on ASA.
Step1: Login
SSH onto the ASA using username and password.
Step2: WAN Interfaces
Configure both WAN links on two different interfaces of the ASA. You could name those two interfaces as “outside” and “backup“.
edledge-asa#
edledge-asa# conf t
edledge-asa(config-if)# interface GigabitEthernet0/1
edledge-asa(config-if)# nameif outside
edledge-asa(config-if)# security-level 0
edledge-asa(config-if)# ip address 11.22.33.44 255.255.255.0
edledge-asa(config-if)# exit
edledge-asa#
edledge-asa#
edledge-asa# conf t
edledge-asa(config-if)# interface GigabitEthernet0/2
edledge-asa(config-if)# nameif backup
edledge-asa(config-if)# security-level 0
edledge-asa(config-if)# ip address 11.22.11.44 255.255.255.0
edledge-asa(config-if)# exit
edledge-asa#
Step3: Add Route with Tracking
Add route for both “outside” (Primary Link) and “backup” (Secondary Link)
edledge-asa#
edledge-asa# conf t
edledge-asa(config-if)# route outside 0.0.0.0 0.0.0.0 11.22.33.1 1 track 1
edledge-asa#
edledge-asa# conf t
edledge-asa(config-if)# route outside 0.0.0.0 0.0.0.0 11.22.11.1 254
Step4: Monitoring Option
Configure a new monitoring process with ID 123. Add the monitoring protocol and the target network object whose availability the tracking process monitors. Specify the number of packets to be sent with each poll. Specify the rate at which the monitor process repeats (in seconds).
edledge-asa#
edledge-asa# conf t
edledge-asa(config-if)# sla monitor 123
edledge-asa(config-sla-monitor)# type echo protocol ipIcmpEcho 8.8.8.8 interface outside
edledge-asa(config-sla-monitor)# num-packets 3
edledge-asa(config-sla-monitor)# frequency 10
edledge-asa#
edledge-asa# conf t
edledge-asa(config-if)# sla monitor schedule 123 life forever start-time now
edledge-asa#
edledge-asa# conf t
edledge-asa(config-if)# track 1 rtr 123 reachability
edledge-asa(config-if)# exit
edledge-asa(config)# exit
edledge-asa#
Step5: Verify Configuration
Verify the configuration and ensure routing is added.
edledge-asa# show running-config sla monitor
sla monitor 123
type echo protocol ipIcmpEcho 8.8.8.8 interface outside
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
edledge-asa# show sla monitor configuration 123
IP SLA Monitor, Infrastructure Engine-II.
Entry number: 123
Owner:
Tag:
Type of operation to perform: echo
Target address: 8.8.8.8
Interface: outside
Number of packets: 3
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 10
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:
Step6: Confirm Routing
To check and confirm via which internet provider the routing is going out follow the step mentioned below.
edledge-asa# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 11.22.33.1 to network 0.0.0.0
C 203.0.113.0 255.255.255.0 is directly connected, outside
C 192.168.10.0 255.255.255.0 is directly connected, inside
C 198.51.100.0 255.255.255.0 is directly connected, backup
S* 0.0.0.0 0.0.0.0 [1/0] via 11.22.33.1, outside
After the primary ISP fails, the route is removed and the backup route is installed. The DEFAULT route now points to 11.22.11.1 through the backup interface:
edledge-asa# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 11.22.33.1 to network 0.0.0.0
C 203.0.113.0 255.255.255.0 is directly connected, outside
C 192.168.10.0 255.255.255.0 is directly connected, inside
C 198.51.100.0 255.255.255.0 is directly connected, backup
S* 0.0.0.0 0.0.0.0 [254/0] via 11.22.33.1, backup
As shown above, as soon the primary internet goes down the secondary internet took the traffic. This will help to minimize the downtime in the network.
Other important topics
- Reimage or Update Cisco ASA SFR Module
- Cisco ASA IOS Upgrade/Downgrade CLI
- Cisco ASA Unsupported SFR Module
- SSH Connection Error To Cisco ASA Firewall
- TFTP Timeout Error In Rommon Mode In Cisco Devices
Source: Knowledge Base, Internet, Cisco
EA00127