See this link here for an explanation of this behavior: Depending on which ASA version you are using, the NAT rule can take precedence over the route-lookup and the NAT therefore will determine which will be the egress interface for a packet to go out. OK the issue with NAT and route lookup it’s kind of messed up (even for Cisco).
Is this something that can be achieved via a 5500 series ASA? I’m working with a 5510 with the Security Plus licensing – but would upgrade my licensing if that is what it would take! I’ve seen multiple examples of active/active or active/standby configurations, but like you can see, I’m hoping that the ASA can do some thing different from that! My Cisco training has not gotten into ASA configuration yet, and i’m just feeling my way through it right now. Unlike wilson’s post, I just want to route all my traffic from LAN 1 to ISP 1, and all traffic from LAN 2 to ISP 2. The difference is I want only internet traffic to go our over the second interface. “If i have two isp’s and want to utilized both with the 5500 but not for load – balancing or backup.Īll the internal ip are statically set and i would like to have some machine utilize WAN1 and some Looking for a slightly different configuration from this earlier post – Fire up VPN connection and it work, and then I shut down primary-isp interface, try connecting again this time vpn client is connected to backup-isp ip address :-)
On client side I click Backup Servers Tab and add the ip address of backup-isp. With the issue above I talk to myself what happened if primary isp is go down remote vpn will not working, I decide to add backup-isp to the dynamic crypto map to a static crypto mapĬrypto map outside_map interface primary-ispĬrypto map outside_map interface backup-ispĬreate a phase 1 isakmp policy for the remote vpn clients
It is my fault :-( when I configure the tracking mechanism I can ping the outside interface from the outside, so I added “icmp deny any echo outside” :-# after removed “no icmp deny any echo outside” everything work as expectedīTW: asa version I am using is 8.2(2) I read your post not to rush to update to 8.3 that’s why I stay on 8.2 However here what I can try by reading from Andrea books and your post to see if it works.ĪSA(config)# global (outside) 1 interfaceĪSA(config)# nat (inside) 1 0.0.0.0 0.0.0.0ĪSA(config-sla-monitor)# type echo protocol ipIcmpEcho 100.1.1.1 interface outsideĪSA(config)# sla monitor schedule 100 life forever start-time nowĪSA(config)# track 10 rtr 100 reachabilityĪSA(config)# route outside 0.0.0.0 0.0.0.0 100.1.1.1 1 track 10ĪSA(config)# route backup 0.0.0.0 0.0.0.0 interface 0/1 254 Beside of Comcast and Qwest I have no other ISP service in my home area. Qwest is my DSL line provided me a block of 5 useable addresses.
I am newbie of Cisco giant network gear :-)īlog Admin my 2nd ISP is from Comcast and it not offered me static IP address :-(.
I bought this EBooks last night and it helps me to understand the concept and hand on a lot. First I would like to say thank you for your response, and secondly thanks for the Fundamentals andĬonfiguration Tutorial Bonus wrote by Harris Andrea.