Hi Guys,
A common real-world requirement is to connect a PIX or ASA firewall to two Internet links so that the second link takes over when the first one fails. This post shows how to do it with a tracked static route: the firewall probes the primary ISP gateway with an IP SLA monitor, and when the probes stop answering it withdraws the primary default route and installs the backup one. Static route tracking needs PIX/ASA software 7.2 or later.
The scenario looks like this: the primary ISP is on interface e0 (nameif "outside", 10.1.1.0/24, gateway 10.1.1.1), the backup ISP is on e1 (nameif "backup", 10.100.1.0/24, gateway 10.100.1.1), and the LAN is on e2 (nameif "inside", 192.168.10.0/24).
Interface Configuration:
ASA5510(config)# int e0
ASA5510(config-if)# nameif outside // Security level will be 0 by default
ASA5510(config-if)# ip address 10.1.1.2 255.255.255.0
ASA5510(config-if)# no shutdown
ASA5510(config-if)# exit
ASA5510(config)# int e1
ASA5510(config-if)# nameif backup
ASA5510(config-if)# security-level 0
ASA5510(config-if)# ip address 10.100.1.2 255.255.255.0
ASA5510(config-if)# no shutdown
ASA5510(config-if)# exit
ASA5510(config)# int e2
ASA5510(config-if)# nameif inside //Security level will be 100 by default
ASA5510(config-if)# ip address 192.168.10.1 255.255.255.0
ASA5510(config-if)# no shutdown
ASA5510(config-if)# exit
NAT Configuration:
One NAT ID with a global statement on each ISP-facing interface is enough: inside hosts are PAT'd to the address of whichever interface the routing table currently selects, so nothing in the NAT configuration has to change on failover. Note that existing connections are not preserved across a failover, because their translated source address changes; clients simply reconnect over the new link. (This is the nat/global syntax of ASA 8.2 and earlier; 8.3 and later use object or twice NAT instead.)
ASA5510(config)# nat (inside) 1 0.0.0.0 0.0.0.0
ASA5510(config)# global (outside) 1 interface
ASA5510(config)# global (backup) 1 interface
Route Configuration:
Enter this command to create a tracked static route. This is the default route that is installed in the routing table as long as the tracked object is reachable. The value after the keyword "track" is a tracking ID you choose; it is tied to the SLA monitor in the next section.
ASA5510(config)# route outside 0.0.0.0 0.0.0.0 10.1.1.1 track 1
Then define the backup route to use when the tracked object is unavailable. Its administrative distance must be greater than that of the tracked route (the tracked route uses the default of 1, so 250 is used here). When the primary gateway becomes unreachable, the tracked route is removed and the backup route takes its place in the routing table; when the gateway answers again, the tracked route is reinstalled and wins on administrative distance.
ASA5510(config)# route backup 0.0.0.0 0.0.0.0 10.100.1.1 250
Now the firewall is ready to pass Internet traffic. Let's make it ready for failover.
Configure a new monitoring process with the ID 123. Specify the monitoring protocol (ICMP echo), the target whose availability the process monitors (the primary gateway 10.1.1.1, probed from the outside interface), the number of packets sent with each poll, and the rate at which the poll repeats, in seconds. With frequency 10 and the default 5000 ms timeout, a dead gateway is noticed within roughly 10 to 15 seconds. Keep in mind that probing the directly connected gateway only detects a dead link or ISP router; if you want to catch failures further upstream, probe a host beyond the ISP router instead.
ASA5510(config)# sla monitor 123
ASA5510(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.1.1 interface outside
ASA5510(config-sla-monitor-echo)# num-packets 3
ASA5510(config-sla-monitor-echo)# frequency 10
ASA5510(config-sla-monitor-echo)# exit
Schedule the monitoring process. Here the lifetime is "forever" and the process starts as soon as the command is entered, so the frequency configured above determines how often the probe runs. You can instead schedule the process to begin at a future time or to run only for a given lifetime.
ASA5510(config)# sla monitor schedule 123 life forever start-time now
Associate the tracked static route with the SLA monitoring process. The track ID is the one given to the static route above (route outside 0.0.0.0 0.0.0.0 10.1.1.1 track 1); "rtr" stands for Response Time Reporter, the older name of IP SLA, and 123 is the ID of the SLA process defined above.
ASA5510(config)# track 1 rtr 123 reachability
Now the firewall is ready to fail over between the two Internet links. Save the configuration and enjoy.
ASA5510# write memory
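For copy and paste, here is the whole configuration in one place, written as it appears in a running-config rather than as prompted commands. This is an added consolidated example, not the text of the original post: the interface, NAT, SLA, track and route lines repeat the configuration above (ASA 8.2 nat/global syntax, with the interfaces named Ethernet0/0 to 0/2 as an ASA 5510 names them); the commented 8.3+ NAT equivalent, the commented host route for an upstream probe target and the verification commands are additions, and the object name "inside-net" in the comment is an assumption.

```cisco
! Interfaces: primary ISP on Ethernet0/0, backup ISP on Ethernet0/1, LAN on Ethernet0/2
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.1.1.2 255.255.255.0
 no shutdown
interface Ethernet0/1
 nameif backup
 security-level 0
 ip address 10.100.1.2 255.255.255.0
 no shutdown
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
 no shutdown
!
! PAT to whichever ISP interface the routing table currently selects (ASA 8.2 and earlier)
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (backup) 1 interface
!
! ASA 8.3 and later removed nat/global; the equivalent is one twice-NAT rule per
! egress interface (the object name inside-net is assumed, not from the original post):
! object network inside-net
!  subnet 192.168.10.0 255.255.255.0
! nat (inside,outside) after-auto source dynamic inside-net interface
! nat (inside,backup) after-auto source dynamic inside-net interface
!
! Probe the primary gateway from the outside interface: 3 echoes every 10 seconds
sla monitor 123
 type echo protocol ipIcmpEcho 10.1.1.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
!
! Track object 1 follows the reachability result of SLA operation 123
track 1 rtr 123 reachability
!
! Tracked default route (administrative distance 1) and floating backup (250)
route outside 0.0.0.0 0.0.0.0 10.1.1.1 1 track 1
route backup 0.0.0.0 0.0.0.0 10.100.1.1 250
!
! If you probe a host beyond the ISP router instead of 10.1.1.1, pin that host's route to
! the primary link; otherwise the probes succeed over the backup link after a failover,
! the track comes back up and the routes flap. Replace <probe-host> with your target.
! route outside <probe-host> 255.255.255.255 10.1.1.1 1
```

To check the result, `show sla monitor configuration 123` and `show sla monitor operational-state 123` confirm the probe is running and returning OK, `show track 1` shows whether reachability is Up or Down, and `show route` shows which default route is currently installed. Unplug the primary link (or block ICMP from 10.1.1.1) and watch `show route` switch to the backup gateway, then restore it and confirm the tracked route returns.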
Reference: Cisco Configuration Guides