Thursday 18 February 2016

Setting up route redundancy on the ASA

For this tutorial we will have an ASA with an inside interface and two outside interfaces, configured as below:

conf t
int g0/0
nameif inside
security-level 100
ip address 10.0.0.2 255.255.255.0
no shut

int g0/1
nameif outside
security-level 0
ip address 55.66.77.2 255.255.255.240
no shut

int g0/2
nameif outsidebackup
security-level 0
ip address 66.77.88.2 255.255.255.240
no shut
exit

We should now configure dynamic PAT on both outside interfaces. Each network object needs its subnet defined, and an object can carry only one nat statement, so a separate object is used per outside interface. Note that after a failover, traffic leaves with the backup interface's address, so any upstream allow-lists must include both outside addresses:

object network Inside_Network
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network Inside_Network_Backup
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outsidebackup) dynamic interface

Proceed by defining the primary default route, pointing at the upstream gateway on the outside interface (55.66.77.1; the ASA itself is .2):

route outside 0.0.0.0 0.0.0.0 55.66.77.1 1 track 1

Note: the route will not be present in the routing table until the SLA monitor and track object have been set up - don't worry! The 'track 1' references tracking object 1, which is tied to the SLA monitor below; the route is installed only while that object reports the gateway as reachable.

We should now define the backup / secondary default route with a metric of 254, via the gateway on the backup interface:

route outsidebackup 0.0.0.0 0.0.0.0 66.77.88.1 254

Proceed by creating an SLA monitor that sends ICMP echo probes to the primary gateway (three packets every 10 seconds) to check whether it is reachable:

sla monitor 100
 type echo protocol ipIcmpEcho 55.66.77.1 interface outside
 num-packets 3
 frequency 10

Schedule the monitoring process to start now:

sla monitor schedule 100 life forever start-time now

Now create tracking object 1, referenced by the primary route, and associate it with the reachability of SLA monitor 100:

track 1 rtr 100 reachability

We can now review the state of the monitor with:

show sla monitor operational-state

We are specifically interested in 'Latest operation return code', which should read 'OK' if all is good.

Finally we can review and debug the SLA configuration with:

show sla monitor configuration

and

debug sla monitor
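As an added example (not part of the original post), a small Python checker that parses the 'show sla monitor operational-state' and 'show route' outputs and reports whether the active default route is consistent with the probe result. The sample outputs below are constructed to match the configuration above, not captured from a real device, and the field names are assumed to match what the ASA prints.

```python
import re

# Constructed sample of 'show sla monitor operational-state' while the
# primary gateway answers the probes (not captured from a real ASA).
SLA_HEALTHY = """\
Entry number: 100
Operational state of entry: Active
Timeout occurred: FALSE
Latest operation return code: OK
"""

# Constructed sample of the same command once the probes time out.
SLA_FAILED = """\
Entry number: 100
Operational state of entry: Active
Timeout occurred: TRUE
Latest operation return code: Timeout
"""

# Constructed default-route lines from 'show route' in each state.
ROUTE_PRIMARY = "S*   0.0.0.0 0.0.0.0 [1/0] via 55.66.77.1, outside\n"
ROUTE_BACKUP = "S*   0.0.0.0 0.0.0.0 [254/0] via 66.77.88.1, outsidebackup\n"

RETURN_CODE = re.compile(r"^Latest operation return code:\s*(\S+)", re.M)
DEFAULT_ROUTE = re.compile(
    r"^S\*\s+0\.0\.0\.0 0\.0\.0\.0 \[(\d+)/\d+\] via ([\d.]+), (\S+)", re.M)

def sla_return_code(sla_output):
    """Extract the latest return code ('OK', 'Timeout', ...) or None."""
    m = RETURN_CODE.search(sla_output)
    return m.group(1) if m else None

def active_default_route(route_output):
    """Return (metric, gateway, interface) of the installed default route."""
    m = DEFAULT_ROUTE.search(route_output)
    return (int(m.group(1)), m.group(2), m.group(3)) if m else None

def assess(sla_output, route_output, primary="outside"):
    """Classify the device state: primary, failed-over, inconsistent, or
    no-default-route. 'inconsistent' means the routing table does not
    match what the SLA result says it should be, which warrants a look."""
    code = sla_return_code(sla_output)
    route = active_default_route(route_output)
    if route is None:
        return "no-default-route", f"SLA {code}; no S* route installed"
    metric, gateway, iface = route
    if code == "OK" and iface == primary:
        return "primary", f"{gateway} via {iface} (metric {metric})"
    if code != "OK" and iface != primary:
        return "failed-over", f"SLA {code}; {gateway} via {iface} (metric {metric})"
    return "inconsistent", f"SLA {code} but default route via {iface}"
```

Feeding the checker the real command outputs on a schedule gives a simple alert when the egress path changes, which matters because the PAT source address changes with it.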
