On Feb 8th, we are doing our monthly maintenance. Our outside setup is done poorly and I'm going to be redoing it with IP SLA failover.
Currently we have 3 bonded T1s going into a 2811, and a backup T1 terminating into a different 2811. From each of their interfaces it goes into a 5-port Netgear switch, and then that goes into the ASA. My goal is to get rid of the 5-port switch, terminate each 2811 into 2 interfaces on the ASA, and set it up for IP SLA monitoring failover. Each router has its own outside IP address, but we don't use them. We have a different set of outsides that we use, so if either router goes down they have the same IP to still work.
I attached a drawing of it in case my explanation below doesn't make sense.
Router A has its T1's IP as 188.8.131.52, and its Ethernet address going to the switch is 184.108.40.206 /24
Router B has its T1's IP as 220.127.116.11, and its Ethernet address going to the switch is 18.104.22.168 /24
The interface on the ASA has 22.214.171.124 /24
Everything that we do relies on the 126.96.36.199 /24 subnet. It's our outside IP address that everyone uses.
I know I'll have to change the IPs around a little since the ASA will have 2 ports terminating 2 WAN links that have the same subnet. So the next step would be
Router A has 188.8.131.52 /25
Router B has 184.108.40.206 /25 (this is the backup)
ASA port A has 220.127.116.11 /25
ASA port B has 18.104.22.168 /25 (this is the backup)
I've read and written down everything for the 8th. I have all the commands set up so I can just move the cables and copy the config. But I do have a few questions concerning the backup. We use a lot of static routes to go Outside to Inside and Outside to DMZ (those are the interface names). We have about 50 static routes, and our 2 main ACLs (Outside_ACL and DMZ_ACL) equal around 300 lines.
For all the static routes that we have configured, for example,
static (Inside,Outside) 22.214.171.124 192.168.1.50 netmask 255.255.255.255
When the Outside interface goes down, how would the ASA know that data coming to 126.96.36.199 is supposed to go to 192.168.1.50 on the inside? Would I have to create a duplicate static route and just change Outside to Backup?
Also, would I have to copy the Outside_ACL, make the same copy, call it Backup_ACL, and put it on the Backup interface?
If something doesn't make sense, I'll try and clarify it better. But does everything look OK? I want to be prepared so when the 8th comes, I'll have everything ready and it should go smoothly.
I know this is a lot, and I hope someone could shed some light on this for me. Thanks.
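As an added example (not the poster's config), here is what the tracked-route and backup-interface pieces of the design described above look like in the pre-8.3 ASA syntax that the `static (Inside,Outside)` line on this page uses. It assumes the ASA interface names Outside and Backup from the post, the router addresses from the poster's planned /25 scheme, a placeholder probe target (203.0.113.1, a documentation address) that should be replaced with an address that is reachable only through the primary link, and that the Outside_ACL already exists.

```cisco
! --- Reachability probe on the primary link (placeholder target 203.0.113.1) ---
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface Outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
! The track object follows the probe; routes tied to it are withdrawn when it fails
track 1 rtr 1 reachability

! --- Primary default route (metric 1) tied to the track, floating backup (metric 254) ---
! Next hops are the routers' Ethernet addresses from the planned /25 scheme
route Outside 0.0.0.0 0.0.0.0 188.8.131.52 1 track 1
route Backup  0.0.0.0 0.0.0.0 184.108.40.206 254

! --- Translations are bound to an interface pair in this syntax, so the Backup
!     interface needs its own copy of each static that exists for Outside ---
static (Inside,Outside) 22.214.171.124 192.168.1.50 netmask 255.255.255.255
static (Inside,Backup)  22.214.171.124 192.168.1.50 netmask 255.255.255.255

! --- The same access-list can be applied inbound on more than one interface,
!     so a second copy named Backup_ACL is not required ---
access-group Outside_ACL in interface Outside
access-group Outside_ACL in interface Backup
```

Before the maintenance window, `show sla monitor operational-state 1` and `show track 1` confirm the probe is up, and `show route` should list only the Outside default route while the track is up; pulling the primary link should make the Backup route appear within roughly the probe frequency times the number of packets.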