Troubleshooting question: IP SLA monitoring on ASA

Asked by ngaba
Topics: Routers, Hardware Firewalls
On Feb 8th, we are doing our monthly maintenance. Our outside setup is done poorly and I'm going to be redoing it with IP SLA failover.

Currently we have 3 bonded T1s going into a 2811, and a backup T1 terminating into a different 2811. From each of their interfaces it goes into a 5-port Netgear switch, and then that goes into the ASA. My goal is to get rid of the 5-port switch, terminate each 2811 into its own interface on the ASA, and set it up for IP SLA monitoring failover. Each router has its own outside IP address, but we don't use them. We have a different set of outsides that we use, so if either router goes down they have the same IP to still work.

I attached a drawing of it in case my explanation below doesn't make sense.

Router A has its T1's IP as 2.2.2.2, and its Ethernet address going to the switch is 1.1.1.1 /24
Router B has its T1's IP as 3.3.3.3, and its Ethernet address going to the switch is 1.1.1.2 /24
The interface on the ASA has 1.1.1.4 /24

Everything that we do relies on the 1.1.1.0 /24 subnet. It's our outside IP address that everyone uses.

I know I'll have to change the IPs around a little, since the ASA will have 2 ports terminating 2 WAN links that have the same subnet. So the next step would be

Router A has 1.1.1.1 /25
Router B has 1.1.1.129 /25 (this is the backup)
ASA port A has 1.1.1.2 /25
ASA port B has 1.1.1.130 /25 (this is the backup)

I've read and written down everything for the 8th. I have all the commands set up so I can just move the cables and copy the config. But I do have a few questions concerning the backup. We use a lot of static routes to go Outside to Inside and Outside to DMZ (those are the interface names). We have about 50 static routes, and our 2 main ACLs (Outside_ACL and DMZ_ACL) come to around 300 lines.

For all the static routes that we have configured, like for example,
static (Inside,Outside) 1.1.1.50 192.168.1.50 netmask 255.255.255.255
When the Outside interface goes down, how would the ASA know that data coming to 1.1.1.50 is supposed to go to 192.168.1.50 on the inside? Would I have to create a duplicate static route and just change Outside to Backup?

Also, would I have to copy the Outside_ACL and make the same copy and call it Backup_ACL and put it on the Backup interface?

If something doesn't make sense, I'll try and clarify it better. But does everything look OK? I want to be prepared so when the 8th comes, I'll have everything ready and it should go smoothly.

I know this is a lot, and I hope someone could shed some light on this for me. Thanks.

Attachment: Drawing1.jpg
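For reference, this is what the dual-interface IP SLA failover the question describes looks like in pre-8.3 ASA syntax (the same syntax family as the `static (Inside,Outside)` line above). It is an added example, not the asker's config or the accepted answer. It uses the addresses from the question (Router A at 1.1.1.1, Router B at 1.1.1.129, the 1.1.1.50 to 192.168.1.50 static) and assumes the second ASA interface is named Backup; the probe target 203.0.113.1 is a placeholder for an address beyond Router A, and the Backup_ACL entry is a constructed sample rather than anything from the real 300-line ACLs.

```text
! --- Reachability probe, sourced from the Outside interface ---
! Placeholder target: pick an address BEYOND Router A (an upstream hop),
! not Router A's own 1.1.1.1. Pinging the next hop only detects loss of the
! router itself; it stays green if the router is up but its T1s are down.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface Outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
!
! Tie a tracked object to the probe
track 1 rtr 1 reachability
!
! Primary default route via Router A is withdrawn when track 1 fails;
! the floating route (admin distance 254) via Router B then takes over.
route Outside 0.0.0.0 0.0.0.0 1.1.1.1 1 track 1
route Backup  0.0.0.0 0.0.0.0 1.1.1.129 254
!
! --- NAT is defined per interface pair ---
! A static bound to (Inside,Outside) does nothing for traffic arriving on
! Backup, so each mapping that must survive failover is mirrored.
static (Inside,Outside) 1.1.1.50 192.168.1.50 netmask 255.255.255.255
static (Inside,Backup)  1.1.1.50 192.168.1.50 netmask 255.255.255.255
!
! Outbound PAT likewise needs a global pool on both outside-facing interfaces
nat (Inside) 1 0.0.0.0 0.0.0.0
global (Outside) 1 interface
global (Backup) 1 interface
!
! --- ACLs are bound per interface ---
! Constructed sample entry; the real Backup_ACL must carry the same rules
! as Outside_ACL, line for line.
access-list Backup_ACL extended permit tcp any host 1.1.1.50 eq 443
access-group Outside_ACL in interface Outside
access-group Backup_ACL in interface Backup
```

Two things worth checking after pasting this in: `show track 1` and `show route` should show the Outside default route present while the probe succeeds and the Backup route appearing only once it fails; and the mirrored ACL should be diffed against Outside_ACL as part of every change, because a Backup_ACL that drifts looser than the primary means the failover path silently carries a more permissive policy than the one that is normally in force.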
Asker-certified solution: leibinusa