Dual WAN on Cisco ASA
This article describes how to configure Dual WAN connection on Cisco ASA. If you need to configure the same on any Cisco router like Cisco 881 then read the article “IP SLA on Cisco router”
Sooner or later, every network administrator encounters a channel going down, whether it is an ISP uplink to the Internet or a WAN circuit to some other resources. Most of the time this serves as that “a-ha” moment that forces us to think about creating some kind of a backup mechanism (too bad that we didn’t think about such things in advance!). Yet, if there are two ISPs available, you have the opportunity to configure a redundant connection scheme that will help you avoid downtime.
Ideally, you would place a router, connect two ISPs to it, reserve an autonomous system with public IP addresses and configure a fully redundant connection scheme with BGP protocol (Cisco ASA series support BGP only on 5500X models and with the latest versions of IOS). However, this approach suits only large companies with enough resources, capacity, and trained personnel.
In most cases configuring a backup ISP to be used in case of main channel failure is the most adequate solution. Cisco ASA devices have the capability to monitor the availability of the primary ISP channel and switching over to the configured backup in case of its failure (when the gateway fails to respond to ICMP requests over several seconds).
Let’s see how we can configure this.
Let us look at the following example: we have a Cisco ASA 5505, which connects our office to the Internet through ISP 1 via the Ethernet 0/1 interface. You can read the detailed setup in the “Cisco ASA Basics. Connecting to the Internet” article. We have connected an additional service provider, ISP 2, to the interface Ethernet 0/2 (see the diagram).
Our task: configure a fault-tolerant Internet connection scheme (dual WAN)
Step 1. Check the routes
First, let us check the current configured routes on the device. The easiest way to do so will be the “sh run | inc route” command, which will output the running configuration lines that contain the word “route”:
FW-DELTACONFIG-1# sh run | inc route
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
If we translate this into normal language, we will get the following:
“Redirect all packets, which I don’t know, into the “outside” interface through the gateway 1.1.1.1”
Cisco ASA “knows” only those networks that are directly connected to its interfaces or that are entered as routes in its running configuration.
Step 2. Configure interfaces for the use of secondary ISP
Our firewall already has an interface name “outside” (Ethernet 0/1, VLAN 2) that connects to the primary ISP. The running configuration (available through the “sh run” command) has the following lines:
FW-DELTACONFIG-1# sh run
/...cut.../
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.252
/...cut.../
interface Ethernet0/1
switchport access vlan 2
/...cut.../
Let’s add the configuration for the backup ISP that is connected to interface Ethernet 0/2, VLAN 3:
FW-DELTACONFIG-1 (config)#
interface Vlan 3
nameif outside_backup
security-level 0
ip address 2.2.2.2 255.255.255.252
interface Ethernet0/2
switchport access vlan 3
no shut
If all cables are properly connected and the configuration is correct, then you shall be able to reach the gateway of the backup ISP:
FW-DELTACONFIG-1 # ping 2.2.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/18/20 ms
Step 3. Configure monitoring of the ISP’s availability
In order for the firewall Cisco ASA to monitor the availability of the primary channel, we need to configure the “ip sla monitor” function. It allows to send a ping request (an ICMP echo request) to the ISP 1’s gateway address at configured time intervals. Receiving a response (ICMP echo reply) will mean that the channel is available.
FW-DELTACONFIG-1 (config)#
sla monitor 1
type echo protocol ipIcmpEcho 1.1.1.1 interface outside
timeout 3000
threshold 10000
frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
Additional information:
timeout 3000 – is the timeframe within which Cisco ASA will await for an ICMP response. 3000 => 3 seconds
frequency 5 – how often to send the requests. Here is every 5 seconds
threshold 10000 – a delay for the operation of 10 seconds, during which no actions are taken
Step 4. Configure the default gateway for the backup ISP
Just like with the primary ISP, the backup ISP needs to have its default gateway configured on the Cisco ASA, so that the firewall will send all the unknown packets in its direction. The only difference is that this gateway should only be used in case the primary ISP is unavailable and not clog the routing table in all other cases. To achieve this, we need to change the administrative distance of the route – make it bigger, thus lowering the priority of this route. By default, all static routes have an administrative distance of 1. We will configure an administrative distance of 250 for our backup channel, bringing it closer to the highest possible value.
FW-DELTACONFIG-1 (config)#
route outside_backup 0.0.0.0 0.0.0.0 2.2.2.1 250
After we add this configuration, our default routes should look like this:
FW-DELTACONFIG-1# sh run | inc route
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route outside_backup 0.0.0.0 0.0.0.0 2.2.2.1 250
Step 5. Activate the backup mechanism
The final step for configuring a backup channel on a Cisco ASA is to turn on the monitoring function (ip sla) for the primary ISP.
To achieve this, we add a new line of configuration for the default route, using the track 1 remark and remove the old configuration:
FW-DELTACONFIG-1 (config)#
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1 track 1
no route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
Now we have the following configuration for the default routes:
FW-DELTACONFIG-1# sh run | inc route
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1 track 1
route outside_backup 0.0.0.0 0.0.0.0 2.2.2.1 250
Important!
You should take into consideration any other configured static routes on your device.
Important!
You also have to configure the access lists and NAT rules to use the backup ISP. Add identical rules and apply them to the outside_backup interface.
Checking the IP SLA monitoring function state
In order to see the state of the IP SLA working on your device, use the show sla monitor operational-state command:
FW-DELTACONFIG-1# show sla monitor operational-state
Entry number: 1
Modification time: 12:02:29.993 MSK Mon Aug 17 2015
Number of Octets Used by this Entry: 1480
Number of operations attempted: 39
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 10
Latest operation start time: 12:05:39.997 MSK Mon Aug 17 2015
Latest operation return code: OK
RTT Values:
RTTAvg: 10 RTTMin: 10 RTTMax: 10
NumOfRTT: 1 RTTSum: 10 RTTSum2: 100
The output of this command gives all information and statistics of the IP SLA function. This will be very useful if you need to troubleshoot the setup and operation.
Important!
Don’t forget to save the changes you made to the configuration with the write or copy run start commands. Otherwise you will lose all changes after the next reload.
This article was written by Alexey Yurchenko