Wednesday, August 11, 2021

Cisco ASA Internet Failover Configuration

In this tutorial, we are going to learn how to establish a connection with multiple internet service providers from the Cisco ASA firewall. If one ISP connection is broken then all the traffic will move to the second ISP connection automatically. 

We assume that we have two ISP connections, ISP-1 and ISP-2. We also assume that each ISP has given us a public IP address and a gateway address. The public IP address for ISP-1 is 1.1.1.1 and the gateway address for ISP-1 is 10.10.10.10. Similarly, the public IP address for ISP-2 is 2.2.2.2 and the gateway address for ISP-2 is 20.20.20.20.

Moreover, we assume that we will use three interfaces on our firewall: "Gigabit Ethernet 1/1", "Gigabit Ethernet 1/2", and "Gigabit Ethernet 1/3". We will assign a unique name to each of these interfaces. The name will be "Outside" for the "Gigabit Ethernet 1/1" interface, "Outside2" for the "Gigabit Ethernet 1/2" interface, and "Inside" for the "Gigabit Ethernet 1/3" interface.

ISP-1 will be connected to "Gigabit Ethernet 1/1", the "Outside" interface, and we will configure the 1.1.1.1 IP address on it. ISP-2 will be connected to "Gigabit Ethernet 1/2", the "Outside2" interface, and we will configure the 2.2.2.2 IP address on it. The local network (LAN) will be connected to "Gigabit Ethernet 1/3", the "Inside" interface. The local network will be 192.168.1.0/24, and we will configure the 192.168.1.254 IP address on the "Inside" interface.

First, we will configure NAT for each ISP, and then we will configure a default route for each of them.

Now we will configure NAT for ISP-1. One screenshot along with NAT configuration is given below:-




In the "Advanced" option, select the appropriate "Source Interface" and "Destination interface." According to our scenario, the configuration is given below:-




Now we will configure NAT for ISP-2. The screenshot is given below:-




Now make sure the "Source Interface" and the "Destination Interface" are selected appropriately.




Our NAT configuration is done. Now we will configure the default routes. In our scenario, the ISP-1 gateway address is 10.10.10.10 and the ISP-2 gateway address is 20.20.20.20. Because we have two ISP connections, we have to configure two default routes: one for ISP-1 and one for ISP-2.

By default, all traffic will be forwarded over the ISP-1 link. If the ISP-1 link goes down, the ISP-2 link will be activated. Later, when ISP-1 comes back, all traffic will switch back to the ISP-1 link and the ISP-2 link will be deactivated.

Now we will configure the default route for ISP-1. In the "Interface" field we will select the "Outside" interface since it is our ISP-1 interface. In the network field, write the 0.0.0.0 address and in the "Gateway IP" field, write the ISP-1 gateway IP address that is 10.10.10.10. In the "Metric" field, write the "1" as the value. One screenshot is given below:-




Now we will configure the default route for ISP-2. In the "Interface" field we will select the "Outside2" interface since it is our ISP-2 interface. In the network field, write the 0.0.0.0 address and in the "Gateway IP" field, write the ISP-2 gateway IP address that is 20.20.20.20. In the "Metric" field, write the "2" as the value. One screenshot is given below:-




Our gateway configuration is done. From now on, if the ISP-1 link goes down, all internet traffic switches to the ISP-2 link automatically.

Between these two gateways, we have prioritized the ISP-1 link using the "Metric" value. The route with the lowest metric is used first. In this example, the metric for ISP-1 is "1" and the metric for ISP-2 is "2". Since the metric for ISP-1 is lower than the metric for ISP-2, ISP-1 is preferred.

From now on, all traffic will go through ISP-1 first. If the ISP-1 link goes down or is broken, all traffic will be diverted to ISP-2. Whenever the ISP-1 link comes back up, all traffic will return to ISP-1.

However, this process does not help if the failure is upstream, between ISP-1's gateway and the internet. In that case you lose internet connectivity because ISP-1 has no internet connectivity, but the firewall will not switch to ISP-2, because the link between our firewall and the ISP-1 gateway is still up and the interface is still reachable. Link-state based failover alone does not cover this situation.

To handle this case, we will configure route tracking alongside the route configuration. We assign the IP address of a server that is located on the internet, and the firewall will continuously send PING (ICMP echo) requests to that remote server to check whether it is reachable. If the firewall gets no response from that server within a specific period of time, it will deactivate the ISP-1 route and forward all traffic over the ISP-2 link.

Now we will configure route tracking for ISP-1. Click the "Tracked" radio button on the route configuration page. Write a track ID number in the "Track ID" field; you can use any number you want that is not already in use. Write an SLA ID number in the "SLA ID" field; again, any unused number will do. In the "Target IP Address" field, write the IP address of the remote server we want to track. Here we are using the Google DNS server address, but you can use any server address that is located on the internet and reliably answers ping. From the "Target Interface" list, select the interface that is used to reach that remote server. In our scenario, it is the "Outside" interface, that is "Gigabit Ethernet 1/1".




In "Monitoring Options", adjust the monitoring parameters (probe frequency, timeout, and so on) as required.




That is all the configuration we have to complete. From now on, if the firewall does not get any response from the 8.8.8.8 server within 5000 milliseconds, the ISP-1 route will be deactivated and the ISP-2 route will be activated.
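The ASDM steps above (the NAT rule for each ISP, the two default routes with metrics 1 and 2, and the SLA-based tracking on the ISP-1 route) correspond to the following ASA CLI configuration. This is an added example and not part of the original post: the IP addresses, interface names, metrics, tracking target and 5000 ms timeout are the ones used in the tutorial, while the subnet masks, the object names LAN-via-ISP1 and LAN-via-ISP2, the track ID 1, the SLA ID 10 and the probe frequency are assumptions.

```cisco
! Interface assignments from the tutorial. The subnet masks are assumed;
! in a real deployment use the mask your ISP supplies so that the gateway
! address lies inside the interface's subnet.
interface GigabitEthernet1/1
 nameif Outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet1/2
 nameif Outside2
 security-level 0
 ip address 2.2.2.2 255.255.255.0
!
interface GigabitEthernet1/3
 nameif Inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
! NAT: one dynamic PAT rule per egress interface, both active at the same time.
! The route lookup chooses the egress interface, and that selects the NAT rule,
! so a failover to Outside2 automatically switches to the ISP-2 public address.
! (object names are assumptions)
object network LAN-via-ISP1
 subnet 192.168.1.0 255.255.255.0
 nat (Inside,Outside) dynamic interface
!
object network LAN-via-ISP2
 subnet 192.168.1.0 255.255.255.0
 nat (Inside,Outside2) dynamic interface
!
! Reachability probe: ICMP echo to 8.8.8.8 sent out of the Outside interface.
! A probe with no reply within 5000 ms is counted as failed. (SLA ID 10 and
! the 10-second frequency are assumptions; the timeout must not exceed the
! frequency.)
sla monitor 10
 type echo protocol ipIcmpEcho 8.8.8.8 interface Outside
 num-packets 3
 frequency 10
 timeout 5000
sla monitor schedule 10 life forever start-time now
!
! Track object 1 follows the reachability state of SLA 10. (track ID assumed)
track 1 rtr 10 reachability
!
! Default routes: ISP-1 (metric 1) is preferred and tied to track 1, so it is
! withdrawn from the routing table when the probe fails; ISP-2 (metric 2) is
! the untracked backup that becomes active only while the ISP-1 route is gone.
route Outside 0.0.0.0 0.0.0.0 10.10.10.10 1 track 1
route Outside2 0.0.0.0 0.0.0.0 20.20.20.20 2
```

To verify the behaviour after applying this, `show track 1` reports whether the track object is up or down, `show sla monitor operational-state 10` shows the result of the last probes, and `show route` confirms which default route is currently installed; while ISP-1 is healthy only the metric 1 route appears, and during an outage it is replaced by the metric 2 route. Since the whole failover decision rests on one ICMP target, pick a target that answers ping reliably and is not filtered by ISP-1, otherwise rate-limited or dropped echo replies will cause spurious failovers.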

