INTRODUCTION:-
This document describes the configuration of redundant (backup) Internet connections on a PIX Firewall or Cisco ASA 5500 series security appliance. In this example, static route tracking allows the firewall to use a secondary WAN link in the event that the primary link becomes unavailable.
To achieve this redundancy, a static route with a monitoring target is defined on the firewall. A service level agreement (SLA) operation monitors the target with periodic Internet Control Message Protocol (ICMP) echo requests. If no echo reply is received, the tracked object is considered down, and the associated route is removed from the routing table. A previously configured backup route is used in place of the removed route. While the backup route is in use, the SLA monitor operation continues to try to reach the monitoring target. Once the target is available again, the first route is reinstalled in the routing table, and the backup route is removed.
Requirements:-
Two ISP Links
Components Used:-
Cisco ASA 5520 Series Security Appliance
Cat 6 UTP Cables for connectivity
Netgear 8 Port Ethernet Switch
Working Scenario:-
In this example, the security appliance maintains two different ISP connections to the Internet.
The secondary ISP connection is idle as long as the primary ISP link is active and the primary ISP gateway is reachable. However, if the connection to the primary ISP goes down, the security appliance changes the routing table to direct traffic to the secondary ISP connection. Static route tracking is used to achieve this redundancy. The security appliance is configured with a static route that directs all Internet traffic to the primary ISP. Every 10 seconds the SLA monitor process checks to confirm that the primary ISP gateway is reachable. If the SLA monitor process determines that the primary ISP gateway is not reachable, the static route that directs traffic to that interface is removed from the routing table. To replace that static route, an alternate static route that directs traffic to the secondary ISP is configured. This alternate static route carries traffic to the secondary ISP until the primary ISP gateway is reachable again.
This configuration provides a relatively inexpensive way to
ensure that outbound Internet access remains available to users behind the
security appliance.
Network Diagram:-
Configuration:-
Interface connected to the primary ISP:
interface Ethernet0
 nameif outside
 security-level 0
 ip address 164.164.151.x 255.255.255.0
Interface connected to the secondary ISP:
interface Ethernet1
 nameif backup
 security-level 0
 ip address 164.164.117.x 255.255.248.0
Inside interface:
interface Ethernet2
 nameif inside
 security-level 100
 ip address 172.16.3.1 255.255.255.0
NAT configuration for the outside and backup interfaces:
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 172.16.3.0 255.255.255.0
The command below defines the tracked static route. This is the static route installed in the routing table while the tracked object is reachable. The value after the keyword "track" is the tracking ID.
route outside 0.0.0.0 0.0.0.0 164.164.151.1 1 track 1
The command below defines the backup route, used when the tracked object is unavailable. The administrative distance of the backup route must be greater than the administrative distance of the tracked route.
If the primary gateway is unreachable, the tracked route is removed and the backup route is installed in the routing table in its place.
route backup 0.0.0.0 0.0.0.0 164.164.117.1 254
The commands below define a new monitoring process with the ID 123 and specify the monitoring protocol and the target whose availability is checked. "num-packets" sets the number of packets sent with each poll, and "frequency" sets the rate at which the monitor process repeats (in seconds).
sla monitor 123
 type echo protocol ipIcmpEcho 164.164.151.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
The track ID corresponds to the track ID given to the static route to monitor:
route outside 0.0.0.0 0.0.0.0 164.164.151.1 1 track 1
"rtr" = Response Time Reporter entry; 123 is the SLA monitor ID defined above.
track 1 rtr 123 reachability
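The failover only works when the pieces above fit together: the backup route must have a higher administrative distance than the tracked route, the route's track ID must point at a track entry whose rtr ID is a scheduled sla monitor, and each next hop must sit on its interface's connected subnet or it cannot be ARP-resolved on that link. The following is an added example, not part of the original post and not Cisco tooling: a small Python checker that parses this configuration (joined into one command per line, with a constructed host octet in place of the "x") and reports anything that would break the backup-route and track-ID requirements stated above. The parser covers only the commands used on this page; the sample configuration and the finding texts are constructed for the example.

```python
import ipaddress
import re

# Constructed sample: the page's failover configuration, one command per line,
# with a constructed host octet (.10) in place of the page's "x".
SAMPLE_CONFIG = """
interface Ethernet0
 nameif outside
 security-level 0
 ip address 164.164.151.10 255.255.255.0
interface Ethernet1
 nameif backup
 security-level 0
 ip address 164.164.117.10 255.255.248.0
interface Ethernet2
 nameif inside
 security-level 100
 ip address 172.16.3.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 164.164.151.1 1 track 1
route backup 0.0.0.0 0.0.0.0 164.164.117.1 254
sla monitor 123
 type echo protocol ipIcmpEcho 164.164.151.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
"""

ROUTE_RE = re.compile(r"route (\S+) (\S+) (\S+) (\S+) (\d+)(?: track (\d+))?$")


def parse_config(text):
    """Collect interfaces, static routes, sla monitors and track entries (only the commands this page uses)."""
    cfg = {"ifaces": {}, "routes": [], "slas": {}, "tracks": {}}
    cur_if = cur_sla = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        if words[0] == "interface":
            cur_if, cur_sla = {"name": None, "net": None}, None
        elif words[0] == "nameif" and cur_if is not None:
            cur_if["name"] = words[1]
            cfg["ifaces"][words[1]] = cur_if
        elif words[:2] == ["ip", "address"] and cur_if is not None:
            # dotted netmask form, as on ASA: "ip address A.B.C.D M.M.M.M"
            cur_if["net"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
        elif words[0] == "route":
            m = ROUTE_RE.match(line)
            if m:
                cfg["routes"].append({"iface": m[1], "dest": m[2], "mask": m[3], "gw": m[4],
                                      "ad": int(m[5]), "track": int(m[6]) if m[6] else None})
        elif words[:3] == ["sla", "monitor", "schedule"]:
            cfg["slas"].setdefault(int(words[3]), {})["scheduled"] = True
        elif words[:2] == ["sla", "monitor"]:
            cur_sla, cur_if = cfg["slas"].setdefault(int(words[2]), {}), None
        elif words[0] == "type" and cur_sla is not None:
            # type echo protocol ipIcmpEcho <target> interface <nameif>
            cur_sla["target"], cur_sla["iface"] = words[4], words[6]
        elif words[0] == "track" and words[2] == "rtr":
            cfg["tracks"][int(words[1])] = int(words[3])
    return cfg


def check_failover(cfg):
    """Return a list of findings; an empty list means the tracked/backup routes fit together."""
    findings = []
    defaults = [r for r in cfg["routes"] if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]
    tracked = [r for r in defaults if r["track"] is not None]
    backups = [r for r in defaults if r["track"] is None]
    if len(tracked) != 1 or len(backups) != 1:
        return [f"expected one tracked and one backup default route, found {len(tracked)} and {len(backups)}"]
    primary, backup = tracked[0], backups[0]
    # The backup must lose to the primary while the primary is installed.
    if backup["ad"] <= primary["ad"]:
        findings.append(f"backup administrative distance {backup['ad']} must be greater than tracked {primary['ad']}")
    # Each next hop must be on the connected subnet of its interface.
    for r in (primary, backup):
        try:
            gw = ipaddress.ip_address(r["gw"])
        except ValueError:
            findings.append(f"route {r['iface']}: malformed gateway {r['gw']}")
            continue
        iface = cfg["ifaces"].get(r["iface"])
        if iface is None or iface["net"] is None:
            findings.append(f"route {r['iface']}: interface has no nameif or ip address")
        elif gw not in iface["net"]:
            findings.append(f"route {r['iface']}: gateway {gw} is not in connected subnet {iface['net']}")
    # route -> track -> sla monitor chain must resolve and the monitor must be scheduled.
    rtr = cfg["tracks"].get(primary["track"])
    if rtr is None:
        findings.append(f"track {primary['track']} referenced by the tracked route is not defined")
        return findings
    sla = cfg["slas"].get(rtr)
    if sla is None or "target" not in sla:
        findings.append(f"sla monitor {rtr} referenced by track {primary['track']} is not defined")
        return findings
    if not sla.get("scheduled"):
        findings.append(f"sla monitor {rtr} is never scheduled, so the probe never runs")
    # The probe should leave via the tracked route's interface toward its next hop.
    if sla["iface"] != primary["iface"] or sla["target"] != primary["gw"]:
        findings.append(f"sla monitor {rtr} probes {sla['target']} via {sla['iface']}, "
                        f"tracked route uses {primary['gw']} via {primary['iface']}")
    return findings


if __name__ == "__main__":
    for finding in check_failover(parse_config(SAMPLE_CONFIG)) or ["failover configuration is consistent"]:
        print(finding)
```

Run it against a pasted configuration before committing the change; a five-octet gateway, an equal administrative distance, or a track entry pointing at the wrong rtr ID each produce a finding. Note that probing the ISP gateway, as this configuration does, detects only the loss of the local link or gateway; an outage further upstream leaves the primary route in place.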