Configure Redundant or Backup ISP Link on Cisco ASA – CLI

edledge Cisco logo

Scenario:
Make: Cisco
Model
: ASA 5506-X, ASA 5506 W-X, ASA 5508-X, Cisco ASA 5500 Series
Mode: CLI [Command Line Interface]
Version: ASA version 9.x or later, ASDM version 7.x or later
Description: In this article, we will discuss the stepwise method of how to configure Redundant or Backup ISP link on Cisco ASA Firewalls. Here Cisco ASA will use a static route tracking feature to enable the device to use redundant or backup Internet connections. Redundant or Backup ISP can be configured using GUI method as well.

Introduction

It is always recommended to have redundant internet services to counter the situations in case an ISP goes down. Here we will discuss how to configure an ASA for two ISP to work as an automatic failover in case the primary goes down. The configuration that is described in this article cannot be used for load balancing or load sharing, as it is not supported on the ASA. We will use SSH or CLI and ASDM methods on ASA.

Step1: Login
SSH onto the ASA using username and password.

SSH 192.168

Step2: WAN Interfaces

Configure both WAN links on two different interfaces of the ASA. You could name those two interfaces as “outside” and “backup“.

edledge-asa#
edledge-asa# conf t
edledge-asa(config-if)# interface GigabitEthernet0/1
edledge-asa(config-if)# nameif outside
edledge-asa(config-if)# security-level 0
edledge-asa(config-if)# ip address 11.22.33.44 255.255.255.0
edledge-asa(config-if)# exit
edledge-asa#

edledge-asa#
edledge-asa# conf t
edledge-asa(config-if)# interface GigabitEthernet0/2
edledge-asa(config-if)# nameif backup
edledge-asa(config-if)# security-level 0
edledge-asa(config-if)# ip address 11.22.11.44 255.255.255.0
edledge-asa(config-if)# exit
edledge-asa#

Step3: Add Route with Tracking
Add route for both “outside” (Primary Link) and “backup” (Secondary Link)

edledge-asa#
edledge-asa# conf t
edledge-asa(config-if)# route outside 0.0.0.0 0.0.0.0 11.22.33.1 1 track 1

edledge-asa#
edledge-asa# conf t
edledge-asa(config-if)# route outside 0.0.0.0 0.0.0.0 11.22.11.1 254

Step4Monitoring Option
Configure a new monitoring process with ID 123. Add the monitoring protocol and the target network object whose availability the tracking process monitors. Specify the number of packets to be sent with each poll. Specify the rate at which the monitor process repeats (in seconds).

edledge-asa#
edledge-asa# conf t
edledge-asa(config-if)# sla monitor 123
edledge-asa(config-sla-monitor)# type echo protocol ipIcmpEcho 8.8.8.8 interface outside
edledge-asa(config-sla-monitor)# num-packets 3
edledge-asa(config-sla-monitor)# frequency 10


edledge-asa#
edledge-asa# conf t
edledge-asa(config-if)# sla monitor schedule 123 life forever start-time now

edledge-asa#
edledge-asa# conf t
edledge-asa(config-if)# track 1 rtr 123 reachability
edledge-asa(config-if)# exit
edledge-asa(config)# exit
edledge-asa#

Step5Verify Configuration
Verify the configuration and ensure routing is added.

edledge-asa# show running-config sla monitor
sla monitor 123
type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now

edledge-asa# show sla monitor configuration 123
IP SLA Monitor, Infrastructure Engine-II.
Entry number: 123
Owner:
Tag:
Type of operation to perform: echo
Target address: 8.8.8.8
Interface: outside
Number of packets: 3
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 10
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:

Step6Confirm Routing
To check and confirm via which internet provider the routing is going out follow the step mentioned below.

edledge-asa# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 11.22.33.1 to network 0.0.0.0

C    203.0.113.0 255.255.255.0 is directly connected, outside
C    192.168.10.0 255.255.255.0 is directly connected, inside
C    198.51.100.0 255.255.255.0 is directly connected, backup
S*   0.0.0.0 0.0.0.0 [1/0] via 11.22.33.1, outside

After the primary ISP fails, the route is removed and the backup route is installed. The DEFAULT route now points to 11.22.11.1 through the backup interface:

edledge-asa# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 11.22.33.1 to network 0.0.0.0

C    203.0.113.0 255.255.255.0 is directly connected, outside
C    192.168.10.0 255.255.255.0 is directly connected, inside
C    198.51.100.0 255.255.255.0 is directly connected, backup
S*   0.0.0.0 0.0.0.0 [254/0] via 11.22.33.1, backup

As shown above, as soon the primary internet goes down the secondary internet took the traffic. This will help to minimize the downtime in the network.

Other important topics

SourceKnowledge Base, Internet, Cisco

EA00127

Leave a Reply

Your email address will not be published. Required fields are marked *