Dual ISP Configuration for ASA
redwarrior
Member Posts: 285
We have an ASA 5505 that we want to configure for Dual ISP so that if one goes down, we automatically fail over to the secondary. The problem is, our primary ISP for this site is a Comcast cable modem (yeah, I know) and Comcast has been less than helpful in providing a target IP for us to verify connectivity with. According to them, their entire network is either accessible by everyone, including customers of other ISP's or it is completely private and we can't ping it from anywhere.
So...here's my idea, which I was hoping to bounce off of a few more experienced heads here:
I plan on choosing a server in our DMZ that this location would never need to access, but that has a public IP. Next, on our side, I would create an ACL that would block ICMP to that server's public IP from the IP address of the secondary location. Then, I would make a deny statement in the interesting traffic list at that location for that server's public IP just so I could be certain that any traffic coming from that location to that server would be sent out the internet side of the split-tunnel VPN and carry the outside IP of the location rather than a private IP over our VPN tunnel. Finally, I'd use that server's IP address as our target so that any pings to determine connectivity would only be coming from the Comcast connection and not our backup connection. Does this sound good? I'm mainly asking because it's going to cause some administrative and configuration wrangling and I want to make sure I'm not making this harder than it is.
Essentially, what we're afraid of is that if we use our gateway from Comcast as our target, since it is pingable from our secondary connection, the ASA would not see the connection as down and would keep trying to revert back to it, essentially going back and forth constantly.
Many thanks!
So...here's my idea, which I was hoping to bounce off of a few more experienced heads here:
I plan on choosing a server in our DMZ that this location would never need to access, but that has a public IP. Next, on our side, I would create an ACL that would block ICMP to that server's public IP from the IP address of the secondary location. Then, I would make a deny statement in the interesting traffic list at that location for that server's public IP just so I could be certain that any traffic coming from that location to that server would be sent out the internet side of the split-tunnel VPN and carry the outside IP of the location rather than a private IP over our VPN tunnel. Finally, I'd use that server's IP address as our target so that any pings to determine connectivity would only be coming from the Comcast connection and not our backup connection. Does this sound good? I'm mainly asking because it's going to cause some administrative and configuration wrangling and I want to make sure I'm not making this harder than it is.
Essentially, what we're afraid of is that if we use our gateway from Comcast as our target, since it is pingable from our secondary connection, the ASA would not see the connection as down and would keep trying to revert back to it, essentially going back and forth constantly.
Many thanks!
CCNP Progress
ONT, ISCW, BCMSN - DONE
BSCI - In Progress
http://www.redwarriornet.com/ <--My Cisco Blog