A problem with static routes is that no inherent mechanism exists to determine if the route is up or down. The route remains in the routing table even if the next hop gateway becomes unavailable. Static routes are removed from the routing table only if the associated interface on the security appliance goes down. In order to solve this problem, a static route tracking feature is used to track the availability of a static route and, if that route fails, remove it from the routing table and replace it with a backup route.
This document provides an example of how to use the static route tracking feature on the PIX 500 Series Security Appliance or the ASA 5500 Series Adaptive Security Appliance in order to enable the device to use redundant or backup Internet connections. In this example, static route tracking allows the security appliance to use an inexpensive connection to a secondary Internet service provider (ISP) in the event that the primary leased line becomes unavailable.
In order to achieve this redundancy, the security appliance associates a static route with a monitoring target that you define. The service level agreement (SLA) operation monitors the target with periodic Internet Control Message Protocol (ICMP) echo requests. If an echo reply is not received, the object is considered down, and the associated route is removed from the routing table. A previously configured backup route is used in place of the route that is removed. While the backup route is in use, the SLA monitor operation continues to try to reach the monitoring target. Once the target is available again, the first route is replaced in the routing table, and the backup route is removed.
Note: The configuration described in this document can not be used for load balancing or load sharing as it is not supported on ASA/PIX . Use this configuration for redundancy or backup purposes only. Outgoing traffic uses the primary ISP and then the secondary ISP, if the primary fails. Failure of the primary ISP causes a temporary disruption of traffic.
Prerequisites
Requirements
Choose a monitoring target that can respond to ICMP echo requests. The target can be any network object that you choose, but a target that is closely tied to your ISP connection is recommended. Some possible monitoring targets include:- The ISP gateway address
- Another ISP-managed address
- A server on another network, such as a AAA server, with which the security appliance needs to communicate
- A persistent network object on another network (a desktop or notebook computer that you can shut down at night is not a good choice)
Note: For information about how to allow the ASDM to configure the device, refer to Allowing HTTPS Access for ASDM.
Components Used
The information in this document is based on these software and hardware versions:- Cisco PIX Security Appliance 515E with software version 7.2(1) or later
- Cisco Adaptive Security Device Manager 5.2(1) or later
Related Products
You can also use this configuration with the Cisco ASA 5500 Series Security Appliance version 7.2(1).Note: The backup interface command is required to configure the fourth interface on the ASA 5505. Refer to backup interface for more information.
Conventions
For more information about document conventions, refer to the Cisco Technical Tips Conventions.Background Information
In this example, the security appliance maintains two connections to the Internet. The first connection is a high speed leased line that is accessed through a router provided by the primary ISP. The second connection is a lower speed digital subscriber line (DSL) line that is accessed through a DSL modem provided by the secondary ISP.Note: Load balancing does not occur in this example.
The DSL connection is idle as long as the leased line is active and the primary ISP gateway is reachable. However, if the connection to the primary ISP goes down, the security appliance changes the routing table to direct traffic to the DSL connection. Static route tracking is used to achieve this redundancy.
The security appliance is configured with a static route that directs all Internet traffic to the primary ISP. Every 10 seconds the SLA monitor process checks to confirm that the primary ISP gateway is reachable. If the SLA monitor process determines that the primary ISP gateway is not reachable, the static route that directs traffic to that interface is removed from the routing table. In order to replace that static route, an alternate static route that directs traffic to the secondary ISP is installed. This alternate static route directs traffic to the secondary ISP through the DSL modem until the link to the primary ISP is reachable.
This configuration provides a relatively inexpensive way to ensure that outbound Internet access remains available to users behind the security appliance. As described in this document, this setup may not be suitable for inbound access to resources behind the security appliance. Advanced networking skills are required to achieve seamless inbound connections. These skills are not covered in this document.
Configure
In this section, you are presented with the information to configure the features described in this document.Note: The IP addresses used in this configuration are not legally routable on the Internet. They are RFC 1918
addresses which are used in a lab environment.Network Diagram
This document uses this network setup:
Configurations
This document uses these configurations:Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.
CLI Configuration
| PIX |
|---|
pix# show running-config
: Saved
:
PIX Version 7.2(1)
!
hostname pix
domain-name default.domain.invalid
enable password 9jNfZuG3TC5tCVH0 encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 10.200.159.2 255.255.255.248
!
interface Ethernet1
nameif backup
!--- The interface attached to the Secondary ISP.
!--- "backup" was chosen here, but any name can be assigned.
security-level 0
ip address 10.250.250.2 255.255.255.248
!
interface Ethernet2
nameif inside
security-level 100
ip address 172.22.1.163 255.255.255.0
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
pager lines 24
logging enable
logging buffered debugging
mtu outside 1500
mtu backup 1500
mtu inside 1500
no failover
asdm image flash:/asdm521.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0
!--- NAT Configuration for Outside and Backup
route outside 0.0.0.0 0.0.0.0 10.200.159.1 1 track 1
!--- Enter this command in order to track a static route.
!--- This is the static route to be installed in the routing
!--- table while the tracked object is reachable. The value after
!--- the keyword "track" is a tracking ID you specify.
route backup 0.0.0.0 0.0.0.0 10.250.250.1 254
!--- Define the backup route to use when the tracked object is unavailable.
!--- The administrative distance of the backup route must be greater than
!--- the administrative distance of the tracked route.
!--- If the primary gateway is unreachable, that route is removed
!--- and the backup route is installed in the routing table
!--- instead of the tracked route.
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username cisco password ffIRPGpDSOJh9YLq encrypted
http server enable
http 172.22.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
type echo protocol ipIcmpEcho 10.0.0.1 interface outside
num-packets 3
frequency 10
!--- Configure a new monitoring process with the ID 123. Specify the
!--- monitoring protocol and the target network object whose availability the tracking
!--- process monitors. Specify the number of packets to be sent with each poll.
!--- Specify the rate at which the monitor process repeats (in seconds).
sla monitor schedule 123 life forever start-time now
!--- Schedule the monitoring process. In this case the lifetime
!--- of the process is specified to be forever. The process is scheduled to begin
!--- at the time this command is entered. As configured, this command allows the
!--- monitoring configuration specified above to determine how often the testing
!--- occurs. However, you can schedule this monitoring process to begin in the
!--- future and to only occur at specified times.
!
track 1 rtr 123 reachability
!--- Associate a tracked static route with the SLA monitoring process.
!--- The track ID corresponds to the track ID given to the static route to monitor:
!--- route outside 0.0.0.0 0.0.0.0 10.0.0.2 1 track 1
!--- "rtr" = Response Time Reporter entry. 123 is the ID of the SLA process
!--- defined above.
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a4a0e9be4593ad43bc17a1cc25e32dc2
: end
|
No comments:
Post a Comment