
2 SLA Monitor sessions on ASA 5505

Status
Not open for further replies.

pbxnkey

Programmer
Aug 15, 2006
191
US
I have a client that will have an ASA 5505 with a DMZ and inside network. It will also have 2 ISP connections.
They would like the DMZ to go out ISP 2 and the Inside to go out ISP 1. They would also like each to failover to the other ISP.

I know there can be multiple SLA Monitor sessions but there can only be 2 default routes. One with track 1 and the other with a higher AD.
How can I route each subnet to go out a specific ISP?
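The track/floating-route arrangement the question refers to, written out as a minimal ASA 5505 configuration. This is an added illustration, not taken from any post in this thread; the VLAN interface names, the 198.51.100.0/24 and 203.0.113.0/24 addresses and the ICMP probe target are placeholders.

```cisco
! Added example (not from the thread). Addresses and interface names are assumed.
! ISP 1 on VLAN 2, ISP 2 on VLAN 3, DMZ on VLAN 5 (assumed layout).
interface Vlan2
 nameif outside
 security-level 0
 ip address 198.51.100.10 255.255.255.0
!
interface Vlan3
 nameif backup
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
! Probe ISP 1's gateway every 10 seconds with 3 ICMP echoes, 1000 ms timeout.
sla monitor 1
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside
 num-packets 3
 frequency 10
 timeout 1000
sla monitor schedule 1 life forever start-time now
!
! Track object 1 follows the reachability state of SLA probe 1.
track 1 rtr 1 reachability
!
! Primary default route, withdrawn from the routing table when track 1 goes down.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
! Floating default route with a high administrative distance (254); only used
! while the tracked route is absent. Only one default route is active at a time,
! which is why a per-subnet ISP choice cannot be expressed with routes alone.
route backup 0.0.0.0 0.0.0.0 203.0.113.1 254
!
! Verification (assumed operator checks, not part of the running config):
!   show sla monitor operational-state   - probe success/failure counters
!   show track 1                         - current reachability state
!   show route                           - which default route is installed
```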
 
I am not 100% on this, it may not even help you, but having tried to do the same thing with ISR firewalls, I had to have 2 devices. One device could only have one default route for traffic. With the use of a route map you could force some traffic to the other interface but those are not dynamic. What I ended up with was one device with a default gateway/Dynamic NAT on one ISP with route maps for traffic to Static NAT on the other ISP. Each with floating static and tracking routes.

Now you also will need dynamic DNS for any web server in your DMZ to complete the failover, since the route maps will still take traffic from static NATed servers and force them to an ISP that may be offline (it ignores the default route). This way, once the default route determined by the tracking route falls out, the dynamic DNS will update and send web traffic to the other ISP, for which your second device will have firewall settings for a second set of external and internal IPs. (Your servers will need at least 3 internal IPs for this: one primary, and two others as secondary, one for each NAT.) And there you go, jimmy-rigged SMB-level cheap failover.

 
Unfortunately the ASA does not have PBR capability and therefore you cannot segregate traffic by source subnet. You can still do route tracking and "poor man's failover" with SLA monitor. Having said that, *if* you can define *incoming* traffic, such as email, web, etc., then I can suggest a way. Just point those DNS records to the necessary outside IP address and make sure you have appropriate NAT and ACL configured. According to the rule, the return traffic will follow the path of the existing xlate so the connection will work. In case of an email server this may provide a redundant path both inbound and outbound.
 
Thanks guys but I don't think either suggestion applies to my design. Thanks again.
 
Use ISP2's router to (source) NAT all incoming traffic from the internet.

Everything coming into the DMZ from the internet will be NATed at ISP2's router and all return traffic will therefore go back to it.
 
Or PBR, but I like Vinnie's suggestion better...

ip access-list extended IP-Options-and-Powerball
deny ip any any winning-powerball-ticket
permit ip any any option any-options
!
class-map ACL-Options-and-Powerball
match access-group name IP-Options-and-Powerball
!
policy-map CoPP-POLICY
class ACL-Options-and-Powerball
drop
!
control-plane
service-policy input CoPP-POLICY
 