Company XYZ has decided to invest in a second internet connection, to be used purely as a backup. The new WAN circuit has been plugged into interface g0/8 of our 5506-X and we are ready to begin the configuration.
The solution from the CLI:
Go into the interface:
conf t
int g0/8
Set the security level to 0 and name it "outside-something" (the name is what the route, NAT and ACL commands below refer to):
security-level 0
nameif outside-backup
ip address 22.214.171.124 255.255.255.0
no shutdown
Create the IP SLA, then track it with a track object. The probe is pinned to the outside interface so the ping always leaves via the primary ISP; pick a target that reliably answers ICMP, and not the ISP's own gateway if you want to catch upstream failures too:
sla monitor 1
type echo protocol ipIcmpEcho 126.96.36.199 interface outside
num-packets 3
frequency 3
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
Two things to watch here: the track line must reference the SLA number (rtr 1), and the SLA timeout (default 5000 ms) may not be greater than the frequency, so with frequency 3 you also need timeout 3000 or lower under sla monitor 1 or the ASA will refuse the frequency.
Now let's replace the original default route with one tied to the track object. Do this from the console or an inside session, since the outside default route is briefly in flux:
route outside 0.0.0.0 0.0.0.0 188.8.131.52 1 track 1
no route outside 0.0.0.0 0.0.0.0 184.108.40.206 1
Now let's set up NAT for the backup ISP. This is the 8.3+ NAT syntax; after-auto puts the rule in section 3 so any object (static) NAT rules take precedence. If you have a DMZ, add the same rule for (dmz,outside-backup) as well:
nat (inside,outside-backup) after-auto source dynamic any interface
Now let's configure the backup default route with a high administrative distance so it only takes over when the tracked route is withdrawn:
route outside-backup 0.0.0.0 0.0.0.0 220.127.116.11 254
Test the IP SLA two ways: by shutting the primary interface, and by leaving the interface up but making sure there is no way packets can reach 18.104.22.168. When you disconnect or shut the interface the line protocol goes down, which removes the connected route and the tracked default route immediately. In most real outages, though, the link stays up while the ISP has problems, and that is the case the SLA handles; with the values above it takes roughly 3-5 seconds for the tracked route to drop. Confirm what the ASA actually did with show sla monitor operational-state 1, show track 1 and show route before and after each test, rather than trusting a ping from a client alone.
Don't forget to NAT your web server to the NEW ISP as well (example):
object network WEBSERVER-PRIV
nat (inside,outside-backup) static 22.214.171.124 service tcp www www
Or, using the interface keyword instead of typing the interface's own address, which is the safer form when the mapped IP is the interface IP:
nat (inside,outside-backup) static interface service tcp www www
Caveat: a network object holds exactly one nat statement. If WEBSERVER-PRIV already carries the static rule for the primary ISP, entering a second nat line replaces it; put the backup-ISP rule in a second object for the same host (or use manual NAT) instead.
For our WAN ACLs we can either reuse the ACL already applied to the outside interface or create a new one. Here's how to do both (I recommend reusing the existing one, so the two ISPs can never drift apart). Note that on 8.3+ the ACL references the real (private) address of the server, not the public one:
access-list NEW_WAN_IN extended permit tcp any host 10.0.0.10 eq 80
access-group NEW_WAN_IN in interface outside-backup
Or:
access-group <OLD ACL NAME> in interface outside-backup
If our new link to the ISP was a /29 or bigger, we could 1:1 NAT, or NAT specific ports, to hosts on the DMZ or LAN, and the ASA would proxy ARP for those addresses on the outside-backup interface since they live on the directly connected subnet. If our link was a /30 and the ISP ROUTED a /29 or bigger to us through it, then whether we were NATing or just routing those IPs we do NOT need proxy ARP on our outside interfaces: the ISP forwards that block to our link address, so nothing ever ARPs for the individual IPs.
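Here is the whole procedure as one pasteable configuration. This is an added example, not the original post's config: it assumes the primary ISP sits on the existing outside interface with the same gateway and probe target used above, that the web server is 10.0.0.10 and is already NATed to the primary ISP inside object WEBSERVER-PRIV, and that a dmz interface exists. The second object name (WEBSERVER-PRIV-BACKUP), the explicit SLA timeout, the DMZ NAT line and the show commands at the end are my additions; the interface name is the post's g0/8, so use whatever show interface ip brief reports on your own box.

```cisco
! Added example (not from the original post). Assumed: primary ISP on "outside",
! web server 10.0.0.10 already NATed to the primary ISP in object WEBSERVER-PRIV,
! and a "dmz" interface; adjust names and addresses to your own environment.
!
! 1. Backup WAN interface (the post uses g0/8; use the name your ASA reports)
interface GigabitEthernet0/8
 nameif outside-backup
 security-level 0
 ip address 22.214.171.124 255.255.255.0
 no shutdown
!
! 2. Probe the primary ISP only via the outside interface. timeout is in ms and
!    may not exceed the 3 s frequency, so it is lowered from the 5000 ms default.
sla monitor 1
 type echo protocol ipIcmpEcho 126.96.36.199 interface outside
 num-packets 3
 timeout 3000
 frequency 3
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
! 3. Primary default route tied to the track object, backup route with AD 254
route outside 0.0.0.0 0.0.0.0 188.8.131.52 1 track 1
route outside-backup 0.0.0.0 0.0.0.0 220.127.116.11 254
!
! 4. PAT for inside and dmz out of the backup ISP (8.3+ syntax; after-auto puts
!    these in NAT section 3 so the object/static rules win)
nat (inside,outside-backup) after-auto source dynamic any interface
nat (dmz,outside-backup) after-auto source dynamic any interface
!
! 5. Port-forward for the web server on the backup ISP. A network object holds a
!    single nat line, so this lives in a second object for the same host instead
!    of replacing the primary-ISP rule inside WEBSERVER-PRIV.
object network WEBSERVER-PRIV-BACKUP
 host 10.0.0.10
 nat (inside,outside-backup) static interface service tcp www www
!
! 6. Inbound ACL on the backup interface (real/private address, as 8.3+ ACLs
!    match the untranslated IP)
access-list NEW_WAN_IN extended permit tcp any host 10.0.0.10 eq 80
access-group NEW_WAN_IN in interface outside-backup
!
! 7. Verify before and after breaking the primary link
show sla monitor operational-state 1
show track 1
show route
```

Shut the primary interface once, then restore it and black-hole the probe target upstream instead; show route should flip the 0.0.0.0 entry to outside-backup in both cases, and show track 1 should report the reachability state change with a timestamp you can compare against the 3-5 seconds quoted above.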