Company XYZ has decided to invest in a new internet connection, this connection should be used as a backup. The new WAN connection has been plugged into interface g0/8 of our 5506-X and we are ready to begin the configuration.
The solution from the CLI:
Go into the interface
Conf t Int g0/8
Set the interface security to 0 or name it “outside-something” let’s do both
Security-level 0 Nameif outside-backup Ip address 220.127.116.11 255.255.255.0
Create the IP SLA now then track the IP SLA with a track object. The track object will then be referenced in the default route to provide failover in case the IP SLA is down.
Sla monitor 1 Type echo protocol ipicmpecho 18.104.22.168 interface outside Num-packets 3 Frequency 3 Sla monitor schedule 1 life forever start-time now Track 1 rtr reachability
Now let’s replace the original route
Route outside 0.0.0.0 0.0.0.0 22.214.171.124 track 1 No route outside 0.0.0.0 0.0.0.0 126.96.36.199 1
Now let’s setup NAT for the backup ISP
Nat (inside,outside-backup) after-auto source dynamic any interface
Now let’s configure the backup default route with a high AD
Route outside-backup 0.0.0.0 0.0.0.0 188.8.131.52 200
Test the IP SLA by turning off the interface and by leaving the interface up but making sure there is no way packets can get to 184.108.40.206. When you disconnect or shut the interface you will find the line goes down which removes the route immediately. However in most situations you will find the link up but the ISP having issues. The SLA will take about 3-5 seconds to take effect.
Don’t forget to NAT your webserver as well to the NEW isp (example)
Object network WEBSERVER-PRIV Nat (inside,outside-backup) static 220.127.116.11 service tcp www www
Nat (inside,outside-backup) static interface service tcp www www
For our WAN ACLs we could use the same ACL from the outside interface, or create a new one. Here’s how to do both (I recommend use the exisiting)
Access-list NEW_WAN_IN extended permit tcp any host 10.0.0.10 eq 80 Access-group NEW_WAN_IN in interface outside-backup
Access-group <OLD ACL NAME> in interface outside-backup