Cisco ASA 5506-X Complete Wan Failover Guide

The situation:
Company XYZ has decided to invest in a new internet connection, this connection should be used as a backup. The new WAN connection has been plugged into interface g0/8 of our 5506-X and we are ready to begin the configuration.

The solution from the CLI:

 

Go into the interface

Conf t
Int g0/8

 

Set the interface security to 0 or name it “outside-something” let’s do both

Security-level 0
Nameif outside-backup
Ip address 20.0.3.2 255.255.255.0

 

Create the IP SLA now then track the IP SLA with a track object. The track object will then be referenced in the default route to provide failover in case the IP SLA is down.

Sla monitor 1
Type echo protocol ipicmpecho 8.8.8.8 interface outside
Num-packets 3
Frequency 3
Sla monitor schedule 1 life forever start-time now
Track 1 rtr reachability

 

Now let’s replace the original route

Route outside 0.0.0.0 0.0.0.0 20.0.1.1 track 1
No route outside 0.0.0.0 0.0.0.0 20.0.1.1 1

 

Now let’s setup NAT for the backup ISPĀ 

Nat (inside,outside-backup) after-auto source dynamic any interface

 

Now let’s configure the backup default route with a high AD

Route outside-backup 0.0.0.0 0.0.0.0 20.0.3.1 200

 

Test the IP SLA by turning off the interface and by leaving the interface up but making sure there is no way packets can get to 8.8.8.8. When you disconnect or shut the interface you will find the line goes down which removes the route immediately. However in most situations you will find the link up but the ISP having issues. The SLA will take about 3-5 seconds to take effect.

 

Don’t forget to NAT your webserver as well to the NEW isp (example)

Object network WEBSERVER-PRIV
Nat (inside,outside-backup) static 20.0.3.50 service tcp www www

OR

Nat (inside,outside-backup) static interface service tcp www www

 

 

For our WAN ACLs we could use the same ACL from the outside interface, or create a new one. Here’s how to do both (I recommend use the exisiting)

Access-list NEW_WAN_IN extended permit tcp any host 10.0.0.10 eq 80
Access-group NEW_WAN_IN in interface outside-backup

OR

Access-group <OLD ACL NAME> in interface outside-backup

 

For more info on the cisco asa click here!

For more of my Cisco stuff, click here!

Leave a comment