博威---云架构决胜云计算

 找回密码
 注册

QQ登录

只需一步,快速开始

搜索
查看: 2048|回复: 5

ASA/PIX 7.x: Redundant or Backup ISP Links Configuration Example

[复制链接]
发表于 2007-9-4 06:51:01 | 显示全部楼层 |阅读模式
ASA/PIX 7.x: Redundant or Backup ISP Links Configuration Example
Downloads
ASA/PIX 7.x: Redundant or Backup ISP Links Configuration Example
Document ID: 70559
Contents
Introduction
Prerequisites
      Requirements
      Components Used
      Related Products
      Conventions
Background Information
Configure
      Network Diagram
      Configurations
      CLI Configuration
      ASDM Configuration
Verify
      Confirm the Configuration is Complete
      Confirm the Backup Route is Installed (CLI Method)
      Confirm the Backup Route is Installed (ASDM Method)
Troubleshoot
      Debug Commands
      Tracked Route is Removed Unnecessarily
NetPro Discussion Forums - Featured Conversations
Related Information
Introduction A problem with static routes is that no inherent mechanism exists to determine if the route is up or down. The route remains in the routing table even if the next hop gateway becomes unavailable. Static routes are removed from the routing table only if the associated interface on the security appliance goes down. In order to solve this problem, a static route tracking feature is used to track the availability of a static route and, if that route fails, remove it from the routing table and replace it with a backup route.
This document provides an example of how to use the static route tracking feature on the PIX 500 Series Security Appliance or the ASA 5500 Series Adaptive Security Appliance in order to enable the device to use redundant or backup Internet connections. In this example, static route tracking allows the security appliance to use an inexpensive connection to a secondary Internet service provider (ISP) in the event that the primary leased line becomes unavailable.
In order to achieve this redundancy, the security appliance associates a static route with a monitoring target that you define. The service level agreement (SLA) operation monitors the target with periodic Internet Control Message Protocol (ICMP) echo requests. If an echo reply is not received, the object is considered down, and the associated route is removed from the routing table. A previously configured backup route is used in place of the route that is removed. While the backup route is in use, the SLA monitor operation continues to try to reach the monitoring target. Once the target is available again, the first route is replaced in the routing table, and the backup route is removed.
Note: The configuration described in this document can not be used for load balancing or load sharing. Use this configuration for redundancy or backup purposes only. Outgoing traffic uses the primary ISP and then the secondary ISP, if the primary fails. Failure of the primary ISP causes a temporary disruption of traffic.
Prerequisites Requirements Select a monitoring target that can respond to ICMP echo requests. The target can be any network object that you choose, but a target that is closely tied to your ISP connection is recommended. Some possible monitoring targets include:
  • The ISP gateway address
  • Another ISP-managed address
  • A server on another network, such as a AAA server, with which the security appliance needs to communicate
  • A persistent network object on another network (a desktop or notebook computer that you can shut down at night is not a good choice)
This document assumes that the security appliance is fully operational and configured to allow the Cisco ASDM to make configuration changes.
Note: For information about how to allow the ASDM to configure the device, refer to Allowing HTTPS Access for ASDM.
Components Used The information in this document is based on these software and hardware versions:
  • Cisco PIX Security Appliance 515E with software version 7.2(1) or later
  • Cisco Adaptive Security Device Manager 5.2(1) or later
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Related Products You can also use this configuration with the Cisco ASA 5500 Series Security Appliance version 7.2(1).
Note: The backup interface command is required to configure the fourth interface on the ASA 5505. For more information, see backup interface.
Conventions For more information about document conventions, refer to the Cisco Technical Tips Conventions.
Background Information In this example, the security appliance maintains two connections to the Internet. The first connection is a high speed leased line that is accessed through a router provided by the primary ISP. The second connection is a lower speed digital subscriber line (DSL) line that is accessed through a DSL modem provided by the secondary ISP.
Note: Load balancing does not occur in this example.
The DSL connection is idle as long as the leased line is active and the primary ISP gateway is reachable. However, if the connection to the primary ISP goes down, the security appliance changes the routing table to direct traffic to the DSL connection. Static route tracking is used to achieve this redundancy.
The security appliance is configured with a static route that directs all Internet traffic to the primary ISP. Every 10 seconds the SLA monitor process checks to confirm that the primary ISP gateway is reachable. If the SLA monitor process determines that the primary ISP gateway is not reachable, the static route that directs traffic to that interface is removed from the routing table. In order to replace that static route, an alternate static route that directs traffic to the secondary ISP is installed. This alternate static route directs traffic to the secondary ISP through the DSL modem until the link to the primary ISP is reachable.
This configuration provides a relatively inexpensive way to ensure that outbound Internet access remains available to users behind the security appliance. As described in this document, this setup may not be suitable for inbound access to resources behind the security appliance. Advanced networking skills are required to achieve seamless inbound connections. These skills are not covered in this document.
Configure In this section, you are presented with the information to configure the features described in this document.
Note: The IP addresses used in this configuration are not legally routable on the Internet. They are RFC 1918 addresses which are used in a lab environment.
Network Diagram This document uses this network setup:

Configurations This document uses these configurations:
Note: Use the Command Lookup Tool ([size=-1] registered customers only) to obtain more information on the commands used in this section.
CLI Configuration PIX
pix# show running-config: SavedIX Version 7.2(1)!hostname pixdomain-name default.domain.invalidenable password 9jNfZuG3TC5tCVH0 encryptednames!interface Ethernet0 nameif outside security-level 0 ip address 10.200.159.2 255.255.255.248!interface Ethernet1 nameif backup!--- The interface attached to the Secondary ISP.!--- "backup" was chosen here, but any name can be assigned. security-level 0 ip address 10.250.250.2 255.255.255.248!interface Ethernet2 nameif inside security-level 100 ip address 172.22.1.163 255.255.255.0!interface Ethernet3 shutdown no nameif no security-level no ip address!interface Ethernet4 shutdown no nameif no security-level no ip address!interface Ethernet5 shutdown no nameif no security-level no ip address!passwd 2KFQnbNIdI.2KYOU encryptedftp mode passivedns server-group DefaultDNS domain-name default.domain.invalidpager lines 24logging enablelogging buffered debuggingmtu outside 1500mtu backup 1500mtu inside 1500no failoverasdm image flash:/asdm521.binno asdm history enablearp timeout 14400global (outside) 1 interfaceglobal (backup) 1 interfacenat (inside) 1 172.16.1.0 255.255.255.0!--- NAT Configuration for Outside and Backuproute outside 0.0.0.0 0.0.0.0 10.200.159.1 1 track 1!--- Enter this command in order to track a static route.!--- This is the static route to be installed in the routing !--- table while the tracked object is reachable.  The value after!--- the keyword "track" is a tracking ID you specify. route backup 0.0.0.0 0.0.0.0 10.250.250.1 254!--- Define the backup route to use when the tracked object is unavailable. !--- The administrative distance of the backup route must be greater than !--- the administrative distance of the tracked route.!--- If the primary gateway is unreachable, that route is removed!--- and the backup route is installed in the routing table!--- instead of the tracked route. timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout uauth 0:05:00 absoluteusername cisco password ffIRPGpDSOJh9YLq encryptedhttp server enablehttp 172.22.1.0 255.255.255.0 insideno snmp-server locationno snmp-server contactsnmp-server enable traps snmp authentication linkup linkdown coldstartsla monitor 123 type echo protocol ipIcmpEcho 10.0.0.1 interface outside num-packets 3 frequency 10!--- Configure a new monitoring process with the ID 123.  Specify the!--- monitoring protocol and the target network object whose availability the tracking!--- process monitors.  Specify the number of packets to be sent with each poll.!--- Specify the rate at which the monitor process repeats (in seconds).sla monitor schedule 123 life forever start-time now!--- Schedule the monitoring process.  In this case the lifetime!--- of the process is specified to be forever.  The process is scheduled to begin!--- at the time this command is entered.  As configured, this command allows the!--- monitoring configuration specified above to determine how often the testing!--- occurs.  However, you can schedule this monitoring process to begin in the!--- future and to only occur at specified times.!track 1 rtr 123 reachability!--- Associate a tracked static route with the SLA monitoring process.!--- The track ID corresponds to the track ID given to the static route to monitor:!--- route outside 0.0.0.0 0.0.0.0 10.0.0.2 1 track 1!--- "rtr" = Response Time Reporter entry.  123 is the ID of the SLA process!--- defined above. telnet timeout 5ssh timeout 5console timeout 0!class-map inspection_default match default-inspection-traffic!!policy-map type inspect dns preset_dns_map parameters  message-length maximum 512policy-map global_policy class inspection_default  inspect dns preset_dns_map  inspect ftp  inspect h323 h225  inspect h323 ras  inspect netbios  inspect rsh  inspect rtsp  inspect skinny  inspect esmtp  inspect sqlnet  inspect sunrpc  inspect tftp  inspect sip  inspect xdmcp!service-policy global_policy globalprompt hostname contextCryptochecksum:a4a0e9be4593ad43bc17a1cc25e32dc2: endASDM Configuration In order to configure redundant or backup ISP support with the ASDM application, complete these steps:
  • In the ASDM application, click Configuration, and then click Interfaces.
  • From the Interfaces list, select Ethernet0, and then click Edit.
    This dialog box appears.
  • Check the Enable Interface check box, and enter values in the Interface Name, Security Level, IP Address, and Subnet Mask fields.
  • Click OK in order to close the dialog box.
  • Configure other interfaces as needed, and click Apply in order to update the security appliance configuration.
  • Click Routing located on the left side of the ASDM application.
  • Click Add in order to add the new static routes.
    This dialog box appears.
  • From the Interface Name drop-down list, choose the interface on which the route resides, and configure the default route to reach the gateway. In this example, 10.0.0.1 is the primary ISP gateway, as well as the object to monitor with ICMP echos.
  • In the Options area, click the Tracked radio button, and enter values in the Track ID, SLA ID, and Track IP Address fields.
  • Click Monitoring Options.
    This dialog box appears.
  • Enter values for frequency and other monitoring options, and click OK.
  • Add another static route for the secondary ISP in order to provide a route to reach the Internet.
    In order to make it a secondary route, configure this route with a higher metric, such as 254. If the primary route (primary ISP) fails, that route is removed from the routing table. This secondary route (secondary ISP) is installed in the PIX routing table instead.
  • Click OK in order to close the dialog box.

    The configurations appear in the Interface list.
  • Select the routing configuration, and click Apply in order to update the security appliance configuration.
Verify Use this section to confirm that your configuration works properly.
Confirm the Configuration is Complete Use these show commands to verify that your configuration is complete.
The Output Interpreter Tool ([size=-1] registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.
  • show running-config sla monitor—Displays the SLA commands in the configuration.
    pix# show running-config sla monitorsla monitor 123 type echo protocol ipIcmpEcho 10.0.0.1 interface outside num-packets 3 frequency 10sla monitor schedule 123 life forever start-time now
  • show sla monitor configuration —Displays the current configuration settings of the operation.
    pix# show sla monitor configuration 123IP SLA Monitor, Infrastructure Engine-II.Entry number: 123Owner:Tag:Type of operation to perform: echoTarget address: 10.0.0.1Interface: outsideNumber of packets: 3Request size (ARR data portion): 28Operation timeout (milliseconds): 5000Type Of Service parameters: 0x0Verify data: NoOperation frequency (seconds): 10Next Scheduled Start Time: Start Time already passedGroup Scheduled : FALSELife (seconds): ForeverEntry Ageout (seconds): neverRecurring (Starting Everyday): FALSEStatus of entry (SNMP RowStatus): ActiveEnhanced History:
  • show sla monitor operational-state—Displays the operational statistics of the SLA operation.
    • Before the primary ISP fails, this is the operational state:
      pix# show sla monitor operational-state 123Entry number: 123Modification time: 13:59:37.824 UTC Thu Oct 12 2006Number of Octets Used by this Entry: 1480Number of operations attempted: 367Number of operations skipped: 0Current seconds left in Life: ForeverOperational state of entry: ActiveLast time this entry was reset: NeverConnection loss occurred: FALSETimeout occurred: FALSEOver thresholds occurred: FALSELatest RTT (milliseconds): 1Latest operation start time: 15:00:37.825 UTC Thu Oct 12 2006Latest operation return code: OKRTT Values:RTTAvg: 1       RTTMin: 1       RTTMax: 1NumOfRTT: 3     RTTSum: 3       RTTSum2: 3
    • After the primary ISP fails (and the ICMP echos time out), this is the operational state:
      pix# show sla monitor operational-stateEntry number: 123Modification time: 13:59:37.825 UTC Thu Oct 12 2006Number of Octets Used by this Entry: 1480Number of operations attempted: 385Number of operations skipped: 0Current seconds left in Life: ForeverOperational state of entry: ActiveLast time this entry was reset: NeverConnection loss occurred: FALSETimeout occurred: TRUEOver thresholds occurred: FALSELatest RTT (milliseconds): NoConnection/Busy/TimeoutLatest operation start time: 15:03:27.825 UTC Thu Oct 12 2006Latest operation return code: TimeoutRTT Values:RTTAvg: 0       RTTMin: 0       RTTMax: 0NumOfRTT: 0     RTTSum: 0       RTTSum2: 0
Confirm the Backup Route is Installed (CLI Method) Use the show route command to determine when the backup route is installed.
  • Before the primary ISP fails, this is the routing table:
    pix# show routeCodes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area       * - candidate default, U - per-user static route, o - ODR       P - periodic downloaded static routeGateway of last resort is 10.200.159.1 to network 0.0.0.0S    64.101.0.0 255.255.0.0 [1/0] via 172.22.1.1, insideC    172.22.1.0 255.255.255.0 is directly connected, insideC    10.250.250.0 255.255.255.248 is directly connected, backupC    10.200.159.0 255.255.255.248 is directly connected, outsideS*   0.0.0.0 0.0.0.0 [1/0] via 10.200.159.1, outside
  • After the primary ISP fails, the static route is removed, and the backup route is installed, this is the routing table:
    pix(config)# show routeCodes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area       * - candidate default, U - per-user static route, o - ODR       P - periodic downloaded static routeGateway of last resort is 10.250.250.1 to network 0.0.0.0S    64.101.0.0 255.255.0.0 [1/0] via 172.22.1.1, insideC    172.22.1.0 255.255.255.0 is directly connected, insideC    10.250.250.0 255.255.255.248 is directly connected, backupC    10.200.159.0 255.255.255.248 is directly connected, outsideS*   0.0.0.0 0.0.0.0 [254/0] via 10.250.250.1, backup
Confirm the Backup Route is Installed (ASDM Method) In order to confirm with the ASDM that the backup route is installed, complete these steps:
  • Click Monitoring, and then click Routing.
  • From the Routing tree, choose Routes.
    • Before the primary ISP fails, this is the routing table:

      The DEFAULT route points to 10.0.0.2 through the outside interface.
    • After the primary ISP fails, the route is removed, and the backup route is installed. The DEFAULT route now points to 192.168.1.2 through the backup interface.

Troubleshoot Debug Commands
  • debug sla monitor trace—Displays progress of the echo operation.
    • The tracked object (primary ISP gateway) is up, and ICMP echos succeed.
      IP SLA Monitor(123) Scheduler: Starting an operationIP SLA Monitor(123) echo operation: Sending an echo operationIP SLA Monitor(123) echo operation: RTT=3 OKIP SLA Monitor(123) echo operation: RTT=3 OKIP SLA Monitor(123) echo operation: RTT=4 OKIP SLA Monitor(123) Scheduler: Updating result
    • The tracked object (primary ISP gateway) is down, and ICMP echos fail.
      IP SLA Monitor(123) Scheduler: Starting an operationIP SLA Monitor(123) echo operation: Sending an echo operationIP SLA Monitor(123) echo operation: TimeoutIP SLA Monitor(123) echo operation: TimeoutIP SLA Monitor(123) echo operation: TimeoutIP SLA Monitor(123) Scheduler: Updating result
  • debug sla monitor error—Displays errors that the SLA monitor process encounters.
    • The tracked object (primary ISP gateway) is up, and ICMP succeeds.
      %PIX-7-609001: Built local-host NP Identity Ifc:10.200.159.2%PIX-7-609001: Built local-host outside:10.0.0.1%PIX-6-302020: Built ICMP connection for faddr 10.0.0.1/0 gaddr 10.200.159.2/52696 laddr 10.200.159.2/52696%PIX-6-302021: Teardown ICMP connection for faddr 10.0.0.1/0 gaddr 10.200.159.2/52696 laddr 10.200.159.2/52696%PIX-7-609002: Teardown local-host NP Identity Ifc:10.200.159.2 duration 0:00:00%PIX-7-609002: Teardown local-host outside:10.0.0.1 duration 0:00:00%PIX-7-609001: Built local-host NP Identity Ifc:10.200.159.2%PIX-7-609001: Built local-host outside:10.0.0.1%PIX-6-302020: Built ICMP connection for faddr 10.0.0.1/0 gaddr 10.200.159.2/52697 laddr 10.200.159.2/52697%PIX-6-302021: Teardown ICMP connection for faddr 10.0.0.1/0 gaddr 10.200.159.2/52697 laddr 10.200.159.2/52697%PIX-7-609002: Teardown local-host NP Identity Ifc:10.200.159.2 duration 0:00:00%PIX-7-609002: Teardown local-host outside:10.0.0.1 duration 0:00:00
    • The tracked object (primary ISP gateway) is down, and the tracked route is removed.
      %PIX-7-609001: Built local-host NP Identity Ifc:10.200.159.2%PIX-7-609001: Built local-host outside:10.0.0.1%PIX-6-302020: Built ICMP connection for faddr 10.0.0.1/0 gaddr 10.200.159.2/6405 laddr 10.200.159.2/6405%PIX-6-302020: Built ICMP connection for faddr 10.0.0.1/0 gaddr 10.200.159.2/6406 laddr 10.200.159.2/6406%PIX-6-302020: Built ICMP connection for faddr 10.0.0.1/0 gaddr 10.200.159.2/6407 laddr 10.200.159.2/6407%PIX-6-302021: Teardown ICMP connection for faddr 10.0.0.1/0 gaddr 10.200.159.2/6405 laddr 10.200.159.2/6405%PIX-6-302021: Teardown ICMP connection for faddr 10.0.0.1/0 gaddr 10.200.159.2/6406 laddr 10.200.159.2/6406%PIX-6-302021: Teardown ICMP connection for faddr 10.0.0.1/0 gaddr 10.200.159.2/6407 laddr 10.200.159.2/6407%PIX-7-609002: Teardown local-host NP Identity Ifc:10.200.159.2 duration 0:00:02%PIX-7-609002: Teardown local-host outside:10.0.0.1 duration 0:00:02%PIX-6-622001: Removing tracked route 0.0.0.0 0.0.0.0 10.200.159.1, distance 1, table Default-IP-Routing-Table, on interface outside!--- 10.0.0.1 is unreachable, so the route to the Primary ISP is removed.
Tracked Route is Removed Unnecessarily If the tracked route is removed unnecessarily, ensure that your monitoring target is always available to receive echo requests. In addition, ensure that the state of your monitoring target (that is, whether or not the target is reachable) is closely tied to the state of the primary ISP connection.
If you choose a monitoring target that is farther away than the ISP gateway, another link along that route may fail or another device may interfere. This configuration may cause the SLA monitor to conclude that the connection to the primary ISP has failed and cause the security appliance to unnecessarily fail over to the secondary ISP link.
For example, if you choose a branch office router as your monitoring target, the ISP connection to your branch office could fail, as well as any other link along the way. Once the ICMP echos that are sent by the monitoring operation fail, the primary tracked route is removed, even though the primary ISP link is still active.
In this example, the primary ISP gateway that is used as the monitoring target is managed by the ISP and is located on the other side of the ISP link. This configuration ensures that if the ICMP echos that are sent by the monitoring operation fail, the ISP link is almost surely down.
NetPro Discussion Forums - Featured Conversations Networking Professionals Connection is a forum for networking professionals to share questions, suggestions, and information about networking solutions, products, and technologies. The featured links are some of the most recent conversations available in this technology.
NetPro Discussion Forums - Featured Conversations for Security
Security: Intrusion Detection [Systems]
URL for Local NSDB on Cisco Security Manager 3.1 - Sep 3, 2007
SecMon 2.2 not showing ASA syslog events - Sep 3, 2007
User accounting in IPS - Sep 3, 2007
IOS firewall dropping packets - Sep 2, 2007
MARS - events per second - Sep 1, 2007
Security: AAA
Problem of two self AAA servers listed on one NDG in ACS3.3 Appliance - Sep 3, 2007
failed to privilege mode when authenticated by radius server - Sep 3, 2007
multiple mac and ip-adresses on ACS appliance - Sep 3, 2007
TACACS login problem on ACS 4.0 - Sep 3, 2007
Bypassing Windows Remote Dial-in configuration - Sep 3, 2007
Security: General
CISCO SDM - Sep 3, 2007
multiple mac and ip-adresses on ACS appliance ? - Sep 3, 2007
Capture Traffic - URGENT - Sep 2, 2007
ASA Routing - Sep 1, 2007
Fails to Recognize Symantec Update - Aug 31, 2007
Security: Firewalling
IPSEC ASA 8.0(2) - Sep 3, 2007
Basic 501 Pix Setup - Sep 3, 2007
cant https or telnet to my PIX506E anymore - Sep 3, 2007
ASA ASDm - Sep 3, 2007
Simple 506e - Sep 3, 2007


 楼主| 发表于 2007-9-4 06:51:42 | 显示全部楼层
 楼主| 发表于 2007-9-4 06:52:42 | 显示全部楼层
 楼主| 发表于 2007-9-4 06:53:02 | 显示全部楼层
 楼主| 发表于 2007-9-4 06:53:15 | 显示全部楼层
 楼主| 发表于 2007-10-5 04:16:25 | 显示全部楼层
ASA/PIX 配置双ISP 出口, 主备线路 实例配置


http://www.cisco.com/en/US/produ ... 86a00806e880b.shtml
您需要登录后才可以回帖 登录 | 注册

本版积分规则

小黑屋|手机版|Archiver|boway Inc. ( 冀ICP备10011147号 )

GMT+8, 2024-11-24 04:03 , Processed in 0.529205 second(s), 17 queries .

Powered by Discuz! X3.4

Copyright © 2001-2021, Tencent Cloud.

快速回复 返回顶部 返回列表