Both will never work at the same time.Today we're going to look at LAN-to-LAN VPNs using the pair of ASA 5505s in the community lab. Keep in mind though that the backup VPN will only work when the backup ISP circuit is live and the primary VPN will only work when the primary ISP circuit is live. Then I just added the backup ISP interface to the crypto map for their client VPN and turned on ISAKMP on the backup ISP interface. This particular client had me make a primary and a backup PCF file for their Cisco VPN clients so that they could access the VPN when they were in a failover state. Keep in mind that all of your static NATs, external DNS entries, VPNs, etc won’t work when your primary ISP fails (assuming that’s the IP they are all assigned on). So it’s a pretty cool setup if you are ONLY looking for outbound internet failover. So what happens is when the SLA monitor fails, the tracked route gets removed from the routing table, and the route with the higher administrative distance comes in and takes its place since its the best available route.
“Keep an eye on SLA monitor 10 and when it fails any routes associated with me also fail”. The above statement reads like this in plain English.
We also install a second route for the backup ISP which HAS to have a higher administrative distance than the primary ISP’s default route. This means that this route being in the routing table is dependant on tracked item 1 (If you don’t know what that means hold on, we’ll get there soon enough). However, we also add the ‘track 1’ statement at the end. Notice that we define out normal default route with an administrative distance of 1. Notes: Here we define the default network routes out to the internet. Line 6 – Instructs the ASA to start SLA monitor 10 now and let it run for forever.ĪSA(config)#route outside 0.0.0.0 0.0.0.0 1 track 1ĪSA(config)#route backupisp 0.0.0.0 0.0.0.0 254 Line 5 – Configures the frequency of the probe in seconds. Line 4 – Configures the timeout period in milliseconds. Line 3 – Sets the number of packets to be sent in each probe. In this case, it would be the outside interface. You also need to tell it which interface to source the ICMP traffic from. In this case I chose 4.2.2.2 since I have been able to ping that magical IP address since the beginning of time. Line 2 – Configures the monitoring protocol and the target of the monitoring probe. Line 1 – Configures a SLA monitor with the ID of 10 Notes: Ok, so here is the actual ‘failover’ piece of all of this. Notes: Some people use a specific network here, I always just use 0 0 if its a small setupĪSA(config-sla-monitor)# type echo protocol ipIcmpEcho 4.2.2.2 interface outsideĪSA(config-sla-monitor-echo)# num-packets 3ĪSA(config-sla-monitor-echo)# timeout 1000ĪSA(config-sla-monitor-echo)# frequency 3ĪSA(config)# sla monitor schedule 10 life forever start-time now I totally forgot about that during the install and couldn’t figure out why I wasn’t passing traffic.ĪSA(config)# nat (inside) 1 0.0.0.0 0.0.0.0 Notes: You need to define both the primary and backup address as global pools to match up against the NAT pool. Notes: VLAN 1 is the default so I’m not assigning it, just use one of the other ports for it.
Text in blue are variable names I made up, feel free to change themĪSA(config-if)#description Inside Interface Insert your relevant information between
I’m going to only touch the major parts of this so please don’t consider this a full build. Let’s walk through the configuration on a 5505.
The rest of the configuration is really just a SLA monitor, tracked default routes, and a extra global NAT pool. In fact, the only reason you really need Sec+ to accomplish this is so that you have can have an additional ‘full’ interface. To me, that always meant that it was its own feature and had its own configuration commands.
I recall that when I started working on ASA’s I would always read that ‘dual ISP’ support was a feature of the Security Plus (Sec+) licensing set. I had the opportunity to configure ISP failover on an ASA the other day and I thought I’d share the configuration as well as a couple of tips on using it.