Redundant Internet Connections on PIX/ASA 7.2

From Internetworkpro

This page or section provides device configuration instructions
Please note that the information on this page has not been checked for accuracy and is not intended as a replacement to documentation. Please ensure you understand your desired objectives before attempting to apply any examples listed.

Overview

One of the problems with using static routes for redundant Internet connections is that there is no mechanism to determine whether the next hop is reachable. A static route is only dropped from the routing table when its associated interface goes down. So if you set up redundant Internet connections on the ASA and the primary connection fails while the interface stays up (for example, a failure upstream of the ASA's directly connected link), the route stays active and the site is effectively down. The solution is the static route tracking feature: an SLA monitor pings a host out through the primary link, a track object follows the monitor's reachability state, and the default route bound to that track object is removed from the routing table when the monitored host becomes unreachable, so the higher-metric backup route takes over.

The first example is for a PIX or an ASA 5510 and above.

A popular question on #Cisco is "Can I configure this with the base license on an ASA5505?" The answer is yes; you can use this feature with the base license. The base license only states that the "DMZ" interface cannot forward traffic to one of the other two interfaces; it does not specify which one. We can therefore build redundant Internet connections by using the "no forward interface" command towards the other WAN interface. Obviously you then cannot have a DMZ.

The second example illustrates this concept.

Example Config:


'''PIX and ASA5510+ config'''

interface Ethernet0/0
 description Internet Connection 1
 nameif outside
 security-level 0
 ip address 100.100.100.2 255.255.255.252
!
interface Ethernet0/1
 description Internet Connection 2
 nameif outside2
 security-level 0
 ip address 200.200.200.2 255.255.255.252
!
interface Ethernet0/2
 description Inside LAN
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!

global (outside) 1 interface
global (outside2) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 100.100.100.1 track 1
route outside2 0.0.0.0 0.0.0.0 200.200.200.1 2
!
sla monitor 1
 type echo protocol ipIcmpEcho 4.2.2.1 interface outside
 num-packets 2
 frequency 10
sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability

'''ASA5505 with Base License config'''

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 100.100.100.2 255.255.255.252
!
interface Vlan3
 no forward interface Vlan2
 nameif outside2
 security-level 0
 ip address 200.200.200.2 255.255.255.252
!
interface Ethernet0/0
 description Primary Internet Connection
 switchport access vlan 2
!
interface Ethernet0/1
 description Backup Internet Connection
 switchport access vlan 3
!

global (outside) 1 interface
global (outside2) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 100.100.100.1 track 1
route outside2 0.0.0.0 0.0.0.0 200.200.200.1 2

sla monitor 1
 type echo protocol ipIcmpEcho 4.2.2.1 interface outside
 num-packets 2
 frequency 10
sla monitor schedule 1 life forever start-time now

track 1 rtr 1 reachability
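The wiring that both configs above depend on (the route's track id must point at a track object, that object at an SLA monitor, the monitor must be scheduled and must probe out of the primary interface, and the backup default route must carry a higher metric) is easy to get subtly wrong in a long running config. As an added example, not part of this page or of any Cisco tool, here is a small Python audit that parses just those commands from a config dump and reports the mismatches. The embedded sample is a constructed copy of the page's first example trimmed to its routing lines, with the probe interface deliberately written as "Outside" so the case-consistency warning fires; the check names and messages are my own.

```python
# Added example (not from the wiki page or from Cisco): audit an ASA 7.x-style
# config for a correctly wired tracked default route. It understands only the
# handful of commands the page uses; everything else is ignored.
import re
from typing import Dict, List

# Constructed sample: the page's PIX/ASA 5510+ config trimmed to the routing
# lines, with the probe interface spelled "Outside" to exercise the case check.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 100.100.100.2 255.255.255.252
!
interface Ethernet0/1
 nameif outside2
 ip address 200.200.200.2 255.255.255.252
!
route outside 0.0.0.0 0.0.0.0 100.100.100.1 track 1
route outside2 0.0.0.0 0.0.0.0 200.200.200.1 2
!
sla monitor 1
 type echo protocol ipIcmpEcho 4.2.2.1 interface Outside
 num-packets 2
 frequency 10
sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
"""

# route <if> <net> <mask> <gw> [metric] [track <id>]  (metric defaults to 1)
ROUTE_RE = re.compile(
    r"^route\s+(?P<intf>\S+)\s+(?P<net>\S+)\s+(?P<mask>\S+)\s+(?P<gw>\S+)"
    r"(?:\s+(?P<metric>\d+))?(?:\s+track\s+(?P<track>\d+))?$"
)
PROBE_RE = re.compile(r"^type echo protocol ipIcmpEcho\s+(\S+)\s+interface\s+(\S+)$")


def parse(config: str) -> Dict[str, object]:
    """Collect nameifs, routes, SLA monitors, schedules and track objects."""
    st = {"nameifs": set(), "routes": [], "monitors": {}, "scheduled": set(), "tracks": {}}
    monitor = None  # id of the 'sla monitor N' block we are currently inside
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw.startswith(" "):  # indented line: sub-command of the current block
            if m := re.match(r"^nameif\s+(\S+)$", line):
                st["nameifs"].add(m.group(1))
            elif monitor is not None and (m := PROBE_RE.match(line)):
                st["monitors"][monitor] = {"target": m.group(1), "intf": m.group(2)}
            continue
        monitor = None  # any top-level command ends the current block
        if m := ROUTE_RE.match(line):
            d = m.groupdict()
            st["routes"].append({**d, "metric": int(d["metric"] or 1)})
        elif m := re.match(r"^sla monitor schedule\s+(\d+)\b", line):
            st["scheduled"].add(m.group(1))
        elif m := re.match(r"^sla monitor\s+(\d+)$", line):
            monitor = m.group(1)
        elif m := re.match(r"^track\s+(\d+)\s+rtr\s+(\d+)\s+reachability$", line):
            st["tracks"][m.group(1)] = m.group(2)
    return st


def audit(config: str) -> List[str]:
    """Return ERROR/WARN findings; an empty list means the tracking is wired correctly."""
    st, out = parse(config), []
    defaults = [r for r in st["routes"] if r["net"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]
    tracked = [r for r in defaults if r["track"]]
    if not tracked:
        out.append("ERROR: no default route has a 'track' keyword; it would only drop if the interface went down")
    for r in st["routes"]:
        if r["intf"] not in st["nameifs"]:
            out.append(f"ERROR: route references unknown interface name '{r['intf']}'")
    for r in tracked:
        rtr = st["tracks"].get(r["track"])
        if rtr is None:
            out.append(f"ERROR: route on {r['intf']} uses track {r['track']}, but no 'track {r['track']} rtr ... reachability' exists")
            continue
        mon = st["monitors"].get(rtr)
        if mon is None:
            out.append(f"ERROR: track {r['track']} uses sla monitor {rtr}, which has no ipIcmpEcho probe line")
            continue
        if rtr not in st["scheduled"]:
            out.append(f"ERROR: sla monitor {rtr} is never scheduled, so it never sends probes")
        if mon["intf"].lower() != r["intf"].lower():
            out.append(f"ERROR: sla monitor {rtr} probes out '{mon['intf']}' but the tracked route is on '{r['intf']}'; "
                       "the probe would succeed over the other link regardless of the primary's health")
        elif mon["intf"] != r["intf"]:
            out.append(f"WARN: sla monitor {rtr} writes the interface as '{mon['intf']}' while nameif is '{r['intf']}'; keep the case consistent")
        backups = [b for b in defaults if b is not r]
        if not backups:
            out.append("ERROR: only one default route; nothing to fail over to")
        for b in backups:
            if b["metric"] <= r["metric"]:
                out.append(f"ERROR: backup default route on {b['intf']} has metric {b['metric']}, "
                           f"not higher than the tracked route's {r['metric']}; both would be installed at once")
    return out


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["OK: tracked default route is wired correctly"]:
        print(finding)
```

Run it against `show running-config` output saved to a file by replacing `SAMPLE_CONFIG` with the file contents; on the sample it reports only the case warning, and it reports an error if the track object is deleted, the monitor is left unscheduled, or the probe is pointed out of the backup interface.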

For more information, please see this Cisco.com configuration example.

--Tabularasa 00:04, 8 September 2009 (UTC)
