IP SLA monitoring on ASA
On Feb 8th, we are doing our monthly maintenance. Our outside setup is done poorly and I'm going to be redoing it with ip sla failover.
Currently we have 3 bonded t1's going into a 2811, and a backup t1 terminating into a different 2811. From each of their interfaces it goes into a 5 port netgear switch, and then that goes into the ASA. My goal is to get rid of the 5 port switch and terminate each 2811's into 2 interfaces on the ASA and set it up for IP SLA monitoring failover. Each router has their own outside ip address, but we dont use them. We have a different set of outside's that we use, so if either router goes down they have the same ip to still work.
I attached a drawing of it so if my explanation below doesn't make sense.
Router A has its T1's ip as 2.2.2.2, and its ethernet's address going to the switch is 1.1.1.1 /24
Router B has its T1's ip as 3.3.3.3, and its ethernet's address going to the switch is 1.1.1.2 /24
The interface on the ASA has 1.1.1.4 /24
Everything that we do relies on the 1.1.1.0 /24 subnet. Its our outside ip address that everyone uses.
I know i'll have to change the ip's around a little since the asa will have 2 ports terminating 2 WAN links that have the same subnet. So the next step would be
Router A has 1.1.1.1 /25
Router B has 1.1.1.129 /25 (this is the backup)
ASA port A has 1.1.1.2 /25
ASA port B has 1.1.1.130 /25 (this is the backup)
I've read and wrote down everything for the 8th. I have all the commands setup so i can just move the cables and copy the config. But i do have a few questions concerning the backup. We use alot of static routes to go Outside to Inside and Outside to DMZ (those are the interface names). We have about 50 static routes, and our 2 main ACL's (Outside_ACL and DMZ_ACL) equal around 300 lines.
For all the static routes that we have configured, like for example,
static (Inside,Outside) 1.1.1.50 192.168.1.50 netmask 255.255.255.255
When the Outside interface goes down, how would the ASA know that data coming to 1.1.1.50 is suppose to go to 192.168.1.50 on the inside? Would I have to create a duplicate static route and just change Outside to Backup?
Also, would I have to copy the Outside_ACL and make the same copy and call it Backup_ACL and put it on the Backup interface?
If something doesn't make sense, ill try and clarify it better. But does everything look ok? I want to be prepared so when the 8th comes, I'll have everything ready and it should go smoothly.
I know this is alot, and I hope someone could shed some light on this for me. Thanks.
Drawing1.jpg
Currently we have 3 bonded t1's going into a 2811, and a backup t1 terminating into a different 2811. From each of their interfaces it goes into a 5 port netgear switch, and then that goes into the ASA. My goal is to get rid of the 5 port switch and terminate each 2811's into 2 interfaces on the ASA and set it up for IP SLA monitoring failover. Each router has their own outside ip address, but we dont use them. We have a different set of outside's that we use, so if either router goes down they have the same ip to still work.
I attached a drawing of it so if my explanation below doesn't make sense.
Router A has its T1's ip as 2.2.2.2, and its ethernet's address going to the switch is 1.1.1.1 /24
Router B has its T1's ip as 3.3.3.3, and its ethernet's address going to the switch is 1.1.1.2 /24
The interface on the ASA has 1.1.1.4 /24
Everything that we do relies on the 1.1.1.0 /24 subnet. Its our outside ip address that everyone uses.
I know i'll have to change the ip's around a little since the asa will have 2 ports terminating 2 WAN links that have the same subnet. So the next step would be
Router A has 1.1.1.1 /25
Router B has 1.1.1.129 /25 (this is the backup)
ASA port A has 1.1.1.2 /25
ASA port B has 1.1.1.130 /25 (this is the backup)
I've read and wrote down everything for the 8th. I have all the commands setup so i can just move the cables and copy the config. But i do have a few questions concerning the backup. We use alot of static routes to go Outside to Inside and Outside to DMZ (those are the interface names). We have about 50 static routes, and our 2 main ACL's (Outside_ACL and DMZ_ACL) equal around 300 lines.
For all the static routes that we have configured, like for example,
static (Inside,Outside) 1.1.1.50 192.168.1.50 netmask 255.255.255.255
When the Outside interface goes down, how would the ASA know that data coming to 1.1.1.50 is suppose to go to 192.168.1.50 on the inside? Would I have to create a duplicate static route and just change Outside to Backup?
Also, would I have to copy the Outside_ACL and make the same copy and call it Backup_ACL and put it on the Backup interface?
If something doesn't make sense, ill try and clarify it better. But does everything look ok? I want to be prepared so when the 8th comes, I'll have everything ready and it should go smoothly.
I know this is alot, and I hope someone could shed some light on this for me. Thanks.
Drawing1.jpg
Your plan looks OK. you just need to duplicate your all static NAT to backup interface and duplicate access list on outside interface to backup interface. you also need to play trick mentioned on above link.
ASKER
Thanks. The sla monitoring part I do understand. I'm just really worried about the ACL's and the static translations. Now on the static translations, so in the example I gave the static route:
static (Inside,Outside) 1.1.1.50 192.168.1.50 netmask 255.255.255.255
Would i then need?
static (Inside,Backup) 1.1.1.50 192.168.1.50 netmask 255.255.255.255
But I'm confused, if the 1.1.1.50 is on the Outside's subnet (0-127), how would this work with the Backup interface being on the 128-255 subnet? How would it work on the ACL commands as well? Or would it not matter?
static (Inside,Outside) 1.1.1.50 192.168.1.50 netmask 255.255.255.255
Would i then need?
static (Inside,Backup) 1.1.1.50 192.168.1.50 netmask 255.255.255.255
But I'm confused, if the 1.1.1.50 is on the Outside's subnet (0-127), how would this work with the Backup interface being on the 128-255 subnet? How would it work on the ACL commands as well? Or would it not matter?
Wat you need are route statements for each of the interfaces defining which traffic to send where. Those tell traffic where to go - statics are just static NAT translations.
Here is the reference on how to implement the route command.
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/qr.html#wp1767323
Regarding ACLs, create ones allowing which traffic you want and then blocking the traffic you don't want. Assign them to the in direction of the interfaces going to the routers. This will filter everything coming in from outside. If you want both interfaces to have the same access-list, just use the access-group command for each interface. Here's the access-group reference.
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1539044
Let me know if you have any questions!
Here is the reference on how to implement the route command.
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/qr.html#wp1767323
Regarding ACLs, create ones allowing which traffic you want and then blocking the traffic you don't want. Assign them to the in direction of the interfaces going to the routers. This will filter everything coming in from outside. If you want both interfaces to have the same access-list, just use the access-group command for each interface. Here's the access-group reference.
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1539044
Let me know if you have any questions!
Also, regarding statics, you will need to assign multiple IPs whichever servers you are opening to the outside. With ASAs you can only assign 1 static to one end IP, no matter how many sources.
VRRP ( http://www.cisco.com/en/US/docs/ios/12_0st/12_0st18/feature/guide/st_vrrpx.html ) or a routing protocol (like EIGRP) communicating with the ASA may be a better fit here because you potentially would be able to use the same outside interface for the ASA, avoid NAT issues, and I think would handle more complex failures better.
I notice you have 2 internet circuit which is running BGP. they come from same SP? if they are from 2 SP, I guest you will get 2 IP blocks for your servers, then you will use different public IP addresses when failover occure.
ASKER
So i want to make sure i understand the 2 options i have
1. SLA monitoring. I have 50 static routes that maps an outside ip address to an internal one for our web servers, mail servesr, terminal servers, etc... I would have to give all 50 of those devices a 2nd ip address. And create 50 additional static routes for the Backup for those ip's. And create another acl with all the new secondary ip addresses for the backup interface?
2. VRRP - I'm assuming i would have to install a switch between the 2 wan routers and the asa, since i wouldn't be able to terminate both into the asa because of their would be 2 interfaces in the same subnet. Which is pretty much how its setup now, minus the vrrp side of things.
1. SLA monitoring. I have 50 static routes that maps an outside ip address to an internal one for our web servers, mail servesr, terminal servers, etc... I would have to give all 50 of those devices a 2nd ip address. And create 50 additional static routes for the Backup for those ip's. And create another acl with all the new secondary ip addresses for the backup interface?
2. VRRP - I'm assuming i would have to install a switch between the 2 wan routers and the asa, since i wouldn't be able to terminate both into the asa because of their would be 2 interfaces in the same subnet. Which is pretty much how its setup now, minus the vrrp side of things.
ASKER
leibinusa:
I was typing my last one up when i submitted it i then saw yours. here is how we have it setup
Qwest is giving us 3 bonded t1's with the ip of 216.111.x.x
MCI is giving us 1 t1 with an ip of 157.130.x.x
Those 2 wan routers are running bgp with a network of 216.207.x.x
Off each of the wan routers, they run into the 5 port netgear swtich are 216.207.x.x and then into the asa. Which are the main outside ip addresses that all our servers and network gear have, and every knows us by.
I was typing my last one up when i submitted it i then saw yours. here is how we have it setup
Qwest is giving us 3 bonded t1's with the ip of 216.111.x.x
MCI is giving us 1 t1 with an ip of 157.130.x.x
Those 2 wan routers are running bgp with a network of 216.207.x.x
Off each of the wan routers, they run into the 5 port netgear swtich are 216.207.x.x and then into the asa. Which are the main outside ip addresses that all our servers and network gear have, and every knows us by.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
All of our static routes are in the 216.207.x.x range. If the Outside interface has a subnet of 216.207.x.2 /25, and i give the Backup interface 216.207.x.130 /25. If all the servers are between 216.207.x.10 and .60 how would they get out if the Outside interface, or the main wan router with 3t1's goes down, since the Backup interface would have a .130 /25 interface, which is a different subnet.
What I mean is you do not need backup interface on ASA. just let router handle the failover.
If you really want failover on ASA, give Outside IP address like 2.2.2.1/30, Backup IP address like 3.3.3.1/30. their IP addresses do not need to come from 216.207.X.X, because they are only local between ASA and WAN routers. they are not needed to be seen from anywhere.
If you really want failover on ASA, give Outside IP address like 2.2.2.1/30, Backup IP address like 3.3.3.1/30. their IP addresses do not need to come from 216.207.X.X, because they are only local between ASA and WAN routers. they are not needed to be seen from anywhere.
ASKER
So i wouldn't be getting rid of that 5 port switch then? The outside ip address on the asa is what all our vpn traffic is destined for, so i can't change that.
I think what you mean by static routes are actually static NAT translations that are bound to the corresponding public IP addresses.
Also, with letting the router handle failover via HSRP, ngaba made it clear that the two routers are from two different ISPs, so, unless you actually want to create multiple WAN interfaces on each router and have two ISP input lines from each ISP to run into each router this is a null point. That's not very economical. I've setup many sites with ASAs with multiple edge routers for ISP backup or LB.
If you want redundant internet communication for the servers, you will need a third party IP tracking and DNS failover service to switch IPs that are available in the DNS round robin pools when selecting the destination IP address.
If you chose not to go the route above, you don't have many options if we're talking about providing globally accessible services to either the public or employees over the internet.
If you want real failover and true load balancing within each router, you will need to handle all firewall/inspection on the routers themselves, or b) get another ASA and set them up independent of each other running similar access-lists/configs but dedicated to each router. You can then connect them to separate VLANs on a core layer 3 switch and the switch will do the routing to internal resources.
Just a few suggestions. Please let me know if you have any questions.
Also, with letting the router handle failover via HSRP, ngaba made it clear that the two routers are from two different ISPs, so, unless you actually want to create multiple WAN interfaces on each router and have two ISP input lines from each ISP to run into each router this is a null point. That's not very economical. I've setup many sites with ASAs with multiple edge routers for ISP backup or LB.
If you want redundant internet communication for the servers, you will need a third party IP tracking and DNS failover service to switch IPs that are available in the DNS round robin pools when selecting the destination IP address.
If you chose not to go the route above, you don't have many options if we're talking about providing globally accessible services to either the public or employees over the internet.
If you want real failover and true load balancing within each router, you will need to handle all firewall/inspection on the routers themselves, or b) get another ASA and set them up independent of each other running similar access-lists/configs but dedicated to each router. You can then connect them to separate VLANs on a core layer 3 switch and the switch will do the routing to internal resources.
Just a few suggestions. Please let me know if you have any questions.
The WAN routers are connecting to 2 different SPs, but only one public IP block (216.207.x.x/24). The 2 WAN routers are advertising the same network 216.207.X.X/24 to Internet via BGP. HSRP will handle T1 failure and inside ethernet failure on WAN routers. you will need combine HSRP and IP SLA.
That's unusual... I guess he owns the IPs!
So, do you actually have control of the routers or are those controlled by the ISP?
So, do you actually have control of the routers or are those controlled by the ISP?
ASKER
No we control the wan routers. Yea i thought it was kind of odd. So our 2 wan routers outside ip's are different (216.111.x.x and 157.130.x.x), and the wan routers inside ip address are the ip's that everyone uses (216.207.x.x). So if our main wan router that has the 3 t1's goes down, the other one will pick up and it has the same ip address. It does have hsrp on it so it has a virtual ip address that it uses if router A goes down.
But looking at the show interfaces on the multilink on the router A and the serial interface on router B, they are both routing the internet traffic, based on the counters. So we are actually using all 6 mbps instead of the 4.5 as the main and 1.5 as the backup.
pack counts:
mutlilink (3 t1) - 212305681in and 405356647 out
serial (t1) - 177190202 in and 900159 out.
But looking at the show interfaces on the multilink on the router A and the serial interface on router B, they are both routing the internet traffic, based on the counters. So we are actually using all 6 mbps instead of the 4.5 as the main and 1.5 as the backup.
pack counts:
mutlilink (3 t1) - 212305681in and 405356647 out
serial (t1) - 177190202 in and 900159 out.
multlink 3t1is the active HSRP router. serial t1 is the backup. the 900159 out maybe just BGP traffic or icmp.
That sounds about right. Just one question though... If the subnet 216.207.x.x exists behind BOTH of those routers, then how does traffic know where to go? The whole way the internet works is based on there only being ONE destination to a subnet.
ASKER
I honestly dont know, i just took over the network admin job last month. i'll attach the 2 wan router configs so you can see whats going on.
WANRT01 is the wan router that has the bonded 3 t1's
WANRT02 is the wan router with a single t1.
wanrt02.txt
wanrt01.txt
WANRT01 is the wan router that has the bonded 3 t1's
WANRT02 is the wan router with a single t1.
wanrt02.txt
wanrt01.txt
>"The whole way the internet works is based on there only being ONE destination to a subnet."
gosh I wish that were so sometimes.
He is exchanging BGP with more than one provider, each has the potential to use his connection as the best route to his subnet(s).
gosh I wish that were so sometimes.
He is exchanging BGP with more than one provider, each has the potential to use his connection as the best route to his subnet(s).
Oh, woops! I guess I missed the BGP routing part. :-/ True then for sure... I suppose it just matters which route has the lowest BGP metric... hmmm.
Then yeah, HSRP is really the only solution here... ALSO - one thing to note - don't remember if I said it before. ASA's CANNOT have more than one upstream route active at any one time. In other words, even though the line the 1.1.1.130 sourced route is on might be "active", the ASA CANNOT use two concurrent routes to the internet. One is primary and the ONLY time the backup route comes up is if the primary tracked interface goes down. This is how wonderful Cisco's crappy licensing has gotten lately. This and the new CallManager licenses. Just crazy. So, unless you figure out how to setup HSRP, we will need a 2nd ASA.
Then yeah, HSRP is really the only solution here... ALSO - one thing to note - don't remember if I said it before. ASA's CANNOT have more than one upstream route active at any one time. In other words, even though the line the 1.1.1.130 sourced route is on might be "active", the ASA CANNOT use two concurrent routes to the internet. One is primary and the ONLY time the backup route comes up is if the primary tracked interface goes down. This is how wonderful Cisco's crappy licensing has gotten lately. This and the new CallManager licenses. Just crazy. So, unless you figure out how to setup HSRP, we will need a 2nd ASA.
ASKER
So then I should just leave it the way it is, continue to run HSRP on the 2 wan routers and have that go into a switch and then into the ASA?
Well, if you currently are not having any issues and can't afford either another ASA or a consulting company to get the HSRP setup, depending on how comfortable you feel with potentially taking the network down for a while to do it, I'd say leave it as it is.
Of course though, if it's causing you problems then I would definitely look into getting it figured out.
One thing you might want to do though is get a better edge switch like maybe a Cisco 2960. Anything is better than a little Netgear sitting in there. Any problem with that would take you completely offline. They're just not designed to work in a mission critical role. :-) I've personally used edge switches in situations such as this when it's not economical to double everything up (since an ASA can only have ONE active incoming line at a time (that counts as outside anyways)).
Cheers!
Of course though, if it's causing you problems then I would definitely look into getting it figured out.
One thing you might want to do though is get a better edge switch like maybe a Cisco 2960. Anything is better than a little Netgear sitting in there. Any problem with that would take you completely offline. They're just not designed to work in a mission critical role. :-) I've personally used edge switches in situations such as this when it's not economical to double everything up (since an ASA can only have ONE active incoming line at a time (that counts as outside anyways)).
Cheers!
ASKER
Well we do have a spare ASA5510 sitting here. But i'll have to get a HWIC-1FE to put into my main router so I have an additional ethernet port since the other 2 are used. So once I do that, ill setup VRRP or HSRP on the main router and that will be my redundancy. Correct?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
leben... you said this works with MPLS and and VPN? that's exactly what I have to do... with two VPNs works too???
sla monitor
command! Here is a Cisco document describing how it works and how to implement it. It's not the primary focus of the article, but it is one of the first things in there.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
Let me know if you have any questions!
Cheers!