Configuring ISP failover on a Cisco ASA

I had the opportunity to configure ISP failover on an ASA the other day and I thought I’d share the configuration as well as a couple of tips on using it.  I recall that when I started working on ASAs I would always read that ‘dual ISP’ support was a feature of the Security Plus (Sec+) licensing set.  To me, that always meant that it was its own feature and had its own configuration commands.  As it turns out, that’s not the case.  In fact, the only reason you really need Sec+ to accomplish this is so that you can have an additional ‘full’ interface.  The rest of the configuration is really just an SLA monitor, tracked default routes, and an extra global NAT pool.  Let’s walk through the configuration on a 5505.  I’m only going to touch the major parts of this, so please don’t consider this a full build.

Notes
-Insert your relevant information between <>
-Console prompts are shown in green
-Text in blue are variable names I made up, feel free to change them

Configure your interfaces
Inside Interface

ASA(config)# interface Vlan1
ASA(config-if)# description Inside Interface
ASA(config-if)# nameif inside
ASA(config-if)# ip address <Inside IP> <Inside Mask>

Outside Interface
ASA(config)# interface Vlan2
ASA(config-if)# description Primary ISP
ASA(config-if)# nameif outside
ASA(config-if)# ip address <ISP 1 IP> <ISP 1 Mask>

Backup ISP Interface
ASA(config)# interface Vlan3
ASA(config-if)# description Backup ISP
ASA(config-if)# nameif backupisp
ASA(config-if)# security-level 0
ASA(config-if)# ip address <ISP 2 IP> <ISP 2 Mask>

Assign them to switchports
ASA(config)# interface Ethernet0/0
ASA(config-if)# switchport access vlan 2
ASA(config)# interface Ethernet0/1
ASA(config-if)# switchport access vlan 3
Notes: VLAN 1 is the default, so I’m not assigning it; just use one of the other ports for it.

Configure NAT
Define your Global pools
ASA(config)# global (outside) 1 <An IP in your Primary ISPs pool that you want to use for NAT/PAT>
ASA(config)# global (backupisp) 1 <An IP in your Backup ISPs pool that you want to use for NAT/PAT>
Notes: You need to define both the primary and backup address as global pools to match up against the NAT pool.  I totally forgot about that during the install and couldn’t figure out why I wasn’t passing traffic.

Define your inside NAT
ASA(config)# nat (inside) 1 0.0.0.0 0.0.0.0
Notes: Some people use a specific network here; I always just use 0 0 if it’s a small setup.

Configure the SLA Monitor
ASA(config)# sla monitor 10
ASA(config-sla-monitor)# type echo protocol ipIcmpEcho 4.2.2.2 interface outside
ASA(config-sla-monitor-echo)# num-packets 3
ASA(config-sla-monitor-echo)# timeout 1000
ASA(config-sla-monitor-echo)# frequency 3
ASA(config)# sla monitor schedule 10 life forever start-time now
Notes: Ok, so here is the actual ‘failover’ piece of all of this, so I’ll break it down piece by piece.
Line 1 – Configures a SLA monitor with the ID of 10
Line 2 – Configures the monitoring protocol and the target of the monitoring probe.  In this case I chose 4.2.2.2 since I have been able to ping that magical IP address since the beginning of time.  You also need to tell it which interface to source the ICMP traffic from.  In this case, it would be the outside interface. 
Line 3 – Sets the number of packets to be sent in each probe.
Line 4 – Configures the timeout period in milliseconds. 
Line 5 – Configures the frequency of the probe in seconds. 
Line 6 – Instructs the ASA to start SLA monitor 10 now and let it run forever.

Configure the Route tracking
ASA(config)# route outside 0.0.0.0 0.0.0.0 <ISP 1 Default route> 1 track 1
ASA(config)# route backupisp 0.0.0.0 0.0.0.0 <ISP 2 Default route> 254
Notes: Here we define the default routes out to the internet.  Notice that we define our normal default route with an administrative distance of 1.  However, we also add the ‘track 1’ statement at the end.  This means that this route being in the routing table is dependent on tracked item 1 (if you don’t know what that means, hold on, we’ll get there soon enough).  We also install a second route for the backup ISP, which HAS to have a higher administrative distance than the primary ISP’s default route.

ASA(config)# track 1 rtr 10 reachability
Notes: This is where the magic happens.  The above statement reads like this in plain English: “Keep an eye on SLA monitor 10, and when it fails, any routes associated with me also fail.”  So what happens is that when the SLA monitor fails, the tracked route gets removed from the routing table, and the route with the higher administrative distance comes in and takes its place since it’s now the best available route.
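As an added example (not part of the original post), the following Python script cross-checks a config laid out like the one above: that every interface with a default route has a global pool for the inside NAT id (the mistake noted under Configure NAT), that the route, track and SLA monitor chain is complete and scheduled, that the backup route’s administrative distance is higher than the tracked route’s, and that the probe target is not the primary gateway itself (the cause of the fail-back problem reported in the comments). The sample config is constructed with RFC 5737 documentation addresses and the interface names used in the post.

```python
import re

# Constructed sample laid out like the article's config; addresses are RFC 5737
# documentation ranges (203.0.113.0/24, 198.51.100.0/24), not a real deployment.
SAMPLE_CONFIG = """
global (outside) 1 203.0.113.10
global (backupisp) 1 198.51.100.10
nat (inside) 1 0.0.0.0 0.0.0.0
sla monitor 10
 type echo protocol ipIcmpEcho 4.2.2.2 interface outside
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backupisp 0.0.0.0 0.0.0.0 198.51.100.1 254
"""

def check_failover_config(config):
    """Cross-check NAT pools, SLA monitor, track and default routes; return findings."""
    findings = []
    pools = {}  # NAT id -> set of interfaces that have a global pool for it
    for iface, nat_id in re.findall(r"^global \((\S+)\) (\d+)", config, re.M):
        pools.setdefault(nat_id, set()).add(iface)
    probes = dict(re.findall(  # SLA id -> ICMP echo target
        r"^sla monitor (\d+)\n\s*type echo protocol ipIcmpEcho (\S+)", config, re.M))
    scheduled = set(re.findall(r"^sla monitor schedule (\d+)", config, re.M))
    tracks = dict(re.findall(r"^track (\d+) rtr (\d+) reachability", config, re.M))
    routes = re.findall(  # (interface, next hop, AD, track id or '')
        r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+) (\d+)(?: track (\d+))?", config, re.M)
    tracked = [r for r in routes if r[3]]
    backups = [r for r in routes if not r[3]]
    # 1. each interface carrying a default route needs a global pool for every inside NAT id
    for nat_id in re.findall(r"^nat \(\S+\) (\d+)", config, re.M):
        for iface, _, _, _ in routes:
            if iface not in pools.get(nat_id, set()):
                findings.append(f"no 'global ({iface}) {nat_id}' pool: traffic will not pass on {iface}")
    # 2. the tracked route must lead to a track object, an SLA monitor and a schedule
    for iface, gateway, _, track_id in tracked:
        sla_id = tracks.get(track_id)
        if sla_id not in probes:
            findings.append(f"route {iface}: track {track_id} or its sla monitor is missing")
        elif sla_id not in scheduled:
            findings.append(f"sla monitor {sla_id} is never scheduled, so track {track_id} never fails")
        elif probes[sla_id] == gateway:  # 3. probing the next hop never sees an upstream outage
            findings.append(f"sla monitor {sla_id} probes the {iface} gateway itself; pick a target beyond it")
    # 4. the backup default route must lose to the tracked one while the primary is healthy
    for iface, _, ad, _ in backups:
        if not tracked or int(ad) <= min(int(t[2]) for t in tracked):
            findings.append(f"backup route on {iface} (AD {ad}) needs a higher AD than the tracked route")
    return findings
```

Run it on a `show running-config` excerpt with the same command forms; an empty result means the four pieces line up.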

Summary
So it’s a pretty cool setup if you are ONLY looking for outbound internet failover.  Keep in mind that all of your static NATs, external DNS entries, VPNs, etc. won’t work when your primary ISP fails (assuming that’s the IP they are all assigned on).  This particular client had me make a primary and a backup PCF file for their Cisco VPN clients so that they could access the VPN when they were in a failover state.  Then I just added the backup ISP interface to the crypto map for their client VPN and turned on ISAKMP on the backup ISP interface.  Keep in mind, though, that the backup VPN will only work when the backup ISP circuit is live and the primary VPN will only work when the primary ISP circuit is live.  Both will never work at the same time.

18 thoughts on “Configuring ISP failover on a Cisco ASA”

  1. tim

    Great doc. Just some added notes as I’ve done this before.

    The vpn client allows a backup vpn server, you can add the secondary isp ip address there and only deploy one pcf file.

    Also you can use secondary mx records to ensure inbound email continues to flow.

  2. Rajat

    Hi,
    When the backup ISP/route is used, how does the device know to NAT the private addresses to the backup ISP global IP?

    1. admin

      Good question! I’m assuming you are asking how the local NAT client knows which PAT to use? We simply add both global pools (PAT addresses) to the same inside local pool (1). Like this….. ‘global (backupisp) 1’. The rest of it is route tracking for the default route. Make sense?

  3. Kevin Miles

    I have this configured and the fail over works just fine. The problem I have is it won’t switch back after the primary internet comes back up.

    config
    route outside 0.0.0.0 0.0.0.0 10.1.1.42 1 track 1
    route backup 0.0.0.0 0.0.0.0 10.2.2.43 255

    sla monitor 123
    type echo protocol ipIcmpEcho 10.2.1.1 interface outside
    num-packets 3
    frequency 10
    sla monitor schedule 123 life forever start-time now

    track 1 rtr 123 reachability

    1. Kevin Miles

      Got the answer somewhere else but here it is. I was using the primary connection’s default gateway as the monitor address. I had to do a trace route to some other address on the internet and set the monitor address one step past the default gateway. Now it works like a charm.

      1. arda

        Can you please explain in more detail….
        When the primary ISP is up again, how do I set it up to automatically use the primary/default ISP again instead of the backup ISP?

  4. Mohamed Ansary

    Please help me:
    – I need to do the same but with two lines that carry the VPN traffic. Is it possible?

    – Also, if I need to do PBR from my ASA (as I know that PBR is not supported on Cisco ASA devices) but I have this issue, what do I have to do? I hope anyone here who has met this issue before found a solution to it.

    Thanks

  5. Mark J

    I’ve got the exact same question as Mohamed but in my case I’m using a 5520 and am hoping to be able to keep IPSec tunnels up. To top it off, dynamic IPs – is it possible to do this as well as use hostnames instead of peer IP addresses?

    Thank you for your post!

    1. Jon Langemak Post author

      Hi Mark, are you trying to use hostnames as part of the routes? You should be able to as long as you are confident that it will always resolve correctly. IPSec tunnels staying up are something I haven’t tested but I’d be interested to hear your results.

      1. Mark J

        Hi Jon,

        I’m actually trying to use hostnames as the peer on each side (rather than a static IP). I was going to keep the hostnames up to date via a DynDNS like service but am not having much luck finding out if an IPSec tunnel is able to be configured peer to peer using hostnames only.

  6. mike

    I realize I am writing on an old post, hoping to get a reply…

    When my primary ISP goes down, it does fail over to the secondary. However, when the primary ISP comes back online, the connection does not switch back to the primary ISP, routes etc. I actually have to turn off tracking to switch to the main ISP; even disabling the secondary interface or pulling the cable does not switch it, unless I turn off route tracking. Is there any suggestion or fix for this? I am running 9.4(1)

    1. Malik

      Hi Mike,

      Not sure if you got your answer, or resolved the issue already. In a previous message Kevin Miles ran into a similar situation and resolved his issue by using an IP other than the default gateway and beyond the default gateway, such as 8.8.8.8 (any IP that’s accessible outside your network). I have not configured this myself, but it makes sense.

      here’s Kevin’s note:
      Got the answer somewhere else but here it is. I was using the primary connection’s default gateway as the monitor address. I had to do a trace route to some other address on the internet and set the monitor address one step past the default gateway. Now it works like a charm.

  7. Moses

    I did configure dual ISP as per below. Both public IPs are pingable from the internet. I don’t like this. I only want a situation where only one active IP is pingable from the internet.

    FW# sh run | i sla monitor
    sla monitor 1
    sla monitor schedule 1 life forever start-time now
    sla monitor 2
    sla monitor schedule 2 life forever start-time now
    FW# sh run | i rea
    FW# sh run | i reac
    FW# sh run | i reachability
    track 1 rtr 1 reachability
    track 2 rtr 2 reachability
    FW# sh run | i tra
    FW# sh run | i track
    route OUTSIDE 0.0.0.0 0.0.0.0 197.XX.XX.21 1 track 1
    route OUTSIDE_2 0.0.0.0 0.0.0.0 10.XX.XX.254 2 track 2
    track 1 rtr 1 reachability
    track 2 rtr 2 reachability
    FW#

  8. Sumit

    I have a question related to the backup ISP configuration.
    If our primary ISP is working and we are adding a secondary ISP, then what type of changes are required at the ACL/NAT level? Do I need to modify the ACL and NAT configuration for the backup ISP or just add the route?
    Thanks!
