I had the opportunity to configure ISP failover on an ASA the other day and I thought I’d share the configuration as well as a couple of tips on using it. I recall that when I started working on ASA’s I would always read that ‘dual ISP’ support was a feature of the Security Plus (Sec+) licensing set. To me, that always meant that it was its own feature and had its own configuration commands. As it turns out, that’s not the case. In fact, the only reason you really need Sec+ to accomplish this is so that you have can have an additional ‘full’ interface. The rest of the configuration is really just a SLA monitor, tracked default routes, and a extra global NAT pool. Let’s walk through the configuration on a 5505. I’m going to only touch the major parts of this so please don’t consider this a full build.
-Insert your relevant information between <>
-Console prompts are show in green
-Text in blue are variable names I made up, feel free to change them
Configure your interfaces
ASA(config)# interface Vlan1
ASA(config-if)#description Inside Interface
ASA(config-if)# nameif inside
ASA(config-if)# ip address <Inside IP> <Inside Mask>
ASA(config)# interface Vlan2
ASA(config-if)# description Primary ISP
ASA(config-if)# nameif outside
ASA(config-if)# ip address <ISP 1 IP> <ISP 1 Mask>
Backup ISP Interface
ASA(config)# interface Vlan3
ASA(config-if)# description Backup ISP
ASA(config-if)# nameif backupisp
ASA(config-if)# security-level 0
ASA(config-if)# ip address <ISP 2 IP> <ISP 2 Mask>
Assign them to switchports
ASA(config)# interface Ethernet0/0
ASA(config-if)# switchport access vlan 2
ASA(config)# interface Ethernet0/1
ASA(config-if)# switchport access vlan 3
Notes: VLAN 1 is the default so I’m not assigning it, just use one of the other ports for it.
Define your Global pools
ASA(config)# global (outside) 1 <An IP in your Primary ISPs pool that you want to use for NAT/PAT>
ASA(config)# global (backupisp) 1 <An IP in your Backup ISPs pool that you want to use for NAT/PAT>
Notes: You need to define both the primary and backup address as global pools to match up against the NAT pool. I totally forgot about that during the install and couldn’t figure out why I wasn’t passing traffic.
Define your inside NAT
ASA(config)# nat (inside) 1 0.0.0.0 0.0.0.0
Notes: Some people use a specific network here, I always just use 0 0 if its a small setup
Configure the SLA Monitor
ASA(config)# sla monitor 10
ASA(config-sla-monitor)# type echo protocol ipIcmpEcho 22.214.171.124 interface outside
ASA(config-sla-monitor-echo)# num-packets 3
ASA(config-sla-monitor-echo)# timeout 1000
ASA(config-sla-monitor-echo)# frequency 3
ASA(config)# sla monitor schedule 10 life forever start-time now
Notes: Ok, so here is the actual ‘failover’ piece of all of this. So I’ll break it down piece by piece.
Line 1 – Configures a SLA monitor with the ID of 10
Line 2 – Configures the monitoring protocol and the target of the monitoring probe. In this case I chose 126.96.36.199 since I have been able to ping that magical IP address since the beginning of time. You also need to tell it which interface to source the ICMP traffic from. In this case, it would be the outside interface.
Line 3 – Sets the number of packets to be sent in each probe.
Line 4 – Configures the timeout period in milliseconds.
Line 5 – Configures the frequency of the probe in seconds.
Line 6 – Instructs the ASA to start SLA monitor 10 now and let it run for forever.
Configure the Route tracking
ASA(config)#route outside 0.0.0.0 0.0.0.0 <ISP 1 Default route> 1 track 1
ASA(config)#route backupisp 0.0.0.0 0.0.0.0 <ISP 2 Default route> 254
Notes: Here we define the default network routes out to the internet. Notice that we define out normal default route with an administrative distance of 1. However, we also add the ‘track 1’ statement at the end. This means that this route being in the routing table is dependant on tracked item 1 (If you don’t know what that means hold on, we’ll get there soon enough). We also install a second route for the backup ISP which HAS to have a higher administrative distance than the primary ISP’s default route.
ASA(config)# track 1 rtr 10 reachability
Notes: This is where the magic happens. The above statement reads like this in plain English. “Keep an eye on SLA monitor 10 and when it fails any routes associated with me also fail”. So what happens is when the SLA monitor fails, the tracked route gets removed from the routing table, and the route with the higher administrative distance comes in and takes its place since its the best available route.
So it’s a pretty cool setup if you are ONLY looking for outbound internet failover. Keep in mind that all of your static NATs, external DNS entries, VPNs, etc won’t work when your primary ISP fails (assuming that’s the IP they are all assigned on). This particular client had me make a primary and a backup PCF file for their Cisco VPN clients so that they could access the VPN when they were in a failover state. Then I just added the backup ISP interface to the crypto map for their client VPN and turned on ISAKMP on the backup ISP interface. Keep in mind though that the backup VPN will only work when the backup ISP circuit is live and the primary VPN will only work when the primary ISP circuit is live. Both will never work at the same time.