This post describes how to configure a Cisco ASA firewall for redundant (dual ISP) connections using the IP SLA and tracking features. An IP SLA probe is configured together with a track object to monitor reachability of the Primary ISP's next hop. If the probe fails, the tracked default route via the primary ISP is withdrawn from the routing table and a floating backup default route via the secondary ISP takes over; when the probe succeeds again, the primary route is reinstalled.
Configuration
Configure the two outside interfaces. In this example the interface names (nameif) PRIMARY and SECONDARY are used to identify them.
Create NAT rules for traffic leaving via the PRIMARY and SECONDARY interfaces. Each rule translates inside hosts to the address of its own outside interface, so whichever interface the routing table selects, the correct public address is used.
Create an SLA monitoring process that periodically sends ICMP echo requests to the IP address of the next hop (the ISP router), sourced from the PRIMARY interface.
Schedule the SLA process to start immediately with a lifetime of forever.
Create a track object; the “rtr” keyword references the SLA ID. The track ID is then attached to the static default route.
Define a default route via the PRIMARY interface, referencing the track object.
Create a backup default route via the SECONDARY interface with an administrative distance greater than that of the tracked default route (the default distance is 1), so it is only installed once the tracked route is withdrawn.
Verification
From a test computer, ping an IP address on the internet, e.g. 8.8.8.8.
Confirm traffic is being routed out of the PRIMARY interface.
Confirm that traffic is hitting the correct NAT rule.
Confirm the status of the IP SLA with the command show sla monitor operational-state and ensure that Timeout occurred is FALSE.
Confirm the reachability of the track is Up with the command show track.
Shut down the PRIMARY interface (or disconnect its link) to simulate an ISP failure.
Confirm the reachability of the track is now Down.
Confirm the default route is now via the SECONDARY interface.
Confirm traffic is translated by the correct NAT rule.
Re-establishing connectivity via the PRIMARY interface causes the SLA probes to succeed again, the track returns to Up, and the default route via the PRIMARY interface is reinstalled in the routing table.
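The verification steps above as a command sequence on the ASA. This is an added example, not part of the original post; it assumes the interface names, addresses and IDs from the configuration example (SLA 10, track 1, ISP1 next hop 203.0.113.1, ISP2 next hop 198.51.100.1) and an inside test host at 192.168.1.10. packet-tracer is used because it shows both the egress interface chosen by the route lookup and the NAT rule matched for a given flow without needing a live client.

```cisco
! 1. Egress interface and NAT rule for an inside host pinging 8.8.8.8
!    The ROUTE-LOOKUP phase should name PRIMARY and the NAT phase the (INSIDE,PRIMARY) rule
packet-tracer input INSIDE icmp 192.168.1.10 8 0 8.8.8.8 detailed
!
! 2. Routing table: only the tracked default via 203.0.113.1 should be present
show route
!
! 3. SLA entry 10: look for "Timeout occurred: FALSE"
show sla monitor operational-state 10
!
! 4. Track 1: look for "Reachability is Up"
show track 1
!
! 5. Simulate an ISP1 failure
interface GigabitEthernet0/0
 shutdown
!
! 6. After the missed probes (frequency x timeout) the track flips:
!    "Reachability is Down", default route now via SECONDARY / 198.51.100.1,
!    new translations carry the SECONDARY interface address
show track 1
show route
show xlate
packet-tracer input INSIDE icmp 192.168.1.10 8 0 8.8.8.8
!
! 7. Restore ISP1; the track returns to Up and the PRIMARY route is reinstalled
interface GigabitEthernet0/0
 no shutdown
show track 1
show route
```

Note that show sla monitor operational-state and show track report the probe result, not user traffic: a track that stays Up while users cannot reach the internet means the failure is beyond the monitored next hop, which is the limitation discussed with the configuration above.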