Configuring internet failover on Cisco PIX or ASA running 8.0+

Here is how to configure redundant ISP links on a Cisco ASA running 8.x. Each sla monitor pings a target through one ISP, a track object follows the probe, and the default routes are installed only while their track is up:

sla monitor 111
 type echo protocol ipIcmpEcho <ISP1 probe target> interface outside
 num-packets 4
 frequency 10

sla monitor 112
 type echo protocol ipIcmpEcho <ISP2 probe target> interface backup
 num-packets 4
 frequency 10

sla monitor schedule 111 life forever start-time now
sla monitor schedule 112 life forever start-time now

track 1 rtr 111 reachability
track 2 rtr 112 reachability

route outside 0.0.0.0 0.0.0.0 <ISP1 Gateway> 1 track 1
route backup 0.0.0.0 0.0.0.0 <ISP2 Gateway> 10 track 2

Example NAT configuration (pre-8.3 syntax; ASA 8.3 and later replaced the global/nat pair with object NAT):

global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

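The pieces above only work as a failover when they reference each other consistently: every track must point at an SLA monitor that is actually scheduled, every tracked route must exit the same interface the probe uses, and every egress interface needs a NAT global. The checker below is an added example (not code from the original page) that parses those four kinds of lines from an ASA configuration and reports such mismatches. The sample configuration inside it is constructed from the page's example with documentation-range addresses (203.0.113.1, 198.51.100.1) in place of the placeholders, and three mistakes are left in deliberately so the checker has something to report.

```python
"""Cross-reference check for an ASA 8.x dual-ISP failover configuration.

Added example, not code from the original page. It parses the 'sla monitor',
'track', 'route' and 'global' lines of an ASA config and flags the usual
mistakes: a track whose SLA is never scheduled (the track then stays down),
a route tracked by a nonexistent track, a tracked route that exits a
different interface than the probe it depends on, and an egress interface
with no NAT global.
"""
import re

# Constructed sample: 203.0.113.1 / 198.51.100.1 are documentation addresses.
# Deliberate mistakes: sla monitor 112 is never scheduled, the backup route
# exits 'outside' instead of 'backup', and 'backup' has no NAT global.
SAMPLE_CONFIG = """
sla monitor 111
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 4
 frequency 10
sla monitor 112
 type echo protocol ipIcmpEcho 198.51.100.1 interface backup
 num-packets 4
 frequency 10
sla monitor schedule 111 life forever start-time now
track 1 rtr 111 reachability
track 2 rtr 112 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside 0.0.0.0 0.0.0.0 198.51.100.1 10 track 2
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
"""


def parse_asa(config):
    """Extract the objects the failover depends on from ASA config text."""
    sla, tracks, routes, nat_globals = {}, {}, [], set()
    current = None  # id of the 'sla monitor' whose sub-commands follow
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"sla monitor schedule (\d+)", line)
        if m:
            sla.setdefault(m.group(1), {})["scheduled"] = True
            current = None
            continue
        m = re.match(r"sla monitor (\d+)$", line)
        if m:
            current = m.group(1)
            sla.setdefault(current, {})
            continue
        m = re.match(r"type echo protocol ipIcmpEcho (\S+) interface (\S+)", line)
        if m and current is not None:
            sla[current].update(target=m.group(1), interface=m.group(2))
            continue
        m = re.match(r"track (\d+) rtr (\d+) reachability", line)
        if m:
            tracks[m.group(1)] = m.group(2)
            current = None
            continue
        m = re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+) (\d+)(?: track (\d+))?", line)
        if m:
            routes.append({"interface": m.group(1), "gateway": m.group(2),
                           "metric": int(m.group(3)), "track": m.group(4)})
            current = None
            continue
        m = re.match(r"global \(([^)]+)\) \d+", line)
        if m:
            nat_globals.add(m.group(1))
            current = None
    return {"sla": sla, "tracks": tracks, "routes": routes, "globals": nat_globals}


def check_failover(config):
    """Return a list of findings; an empty list means the config is consistent."""
    cfg = parse_asa(config)
    findings = []
    for tid, sid in sorted(cfg["tracks"].items()):
        probe = cfg["sla"].get(sid, {})
        if "interface" not in probe:
            findings.append(f"track {tid}: sla monitor {sid} has no echo probe defined")
        elif not probe.get("scheduled"):
            findings.append(f"track {tid}: sla monitor {sid} is never scheduled, so the track stays down")
    for r in cfg["routes"]:
        if r["track"] is None:
            continue  # untracked static route, nothing to cross-check
        sid = cfg["tracks"].get(r["track"])
        if sid is None:
            findings.append(f"route via {r['gateway']}: track {r['track']} does not exist")
            continue
        probe_if = cfg["sla"].get(sid, {}).get("interface")
        if probe_if and probe_if != r["interface"]:
            findings.append(f"route via {r['gateway']} exits {r['interface']} "
                            f"but track {r['track']} probes through {probe_if}")
    # Every interface a default route or a probe uses needs a NAT global.
    egress = {r["interface"] for r in cfg["routes"]} | \
        {p["interface"] for p in cfg["sla"].values() if "interface" in p}
    for iface in sorted(egress):
        if iface not in cfg["globals"]:
            findings.append(f"interface {iface}: no NAT global, inside hosts cannot use this path")
    return findings


if __name__ == "__main__":
    for finding in check_failover(SAMPLE_CONFIG):
        print("WARN", finding)
```

Run as-is it reports the three planted mistakes; scheduling sla monitor 112, pointing the second route out the backup interface and adding a global for backup brings the list down to empty. Only default routes are parsed, which is all this failover design uses.
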
Configuring internet failover on a Cisco 2800 series router

This is, in my opinion, the best way to do a failover configuration for 2 ISP links:

track 100 ip sla 100 reachability
 delay down 10 up 20

track 101 ip sla 101 reachability
 delay down 10 up 20

ip local policy route-map LocalPolicy

ip nat inside source route-map DYN_NAT interface <WAN1 Interface> overload
ip nat inside source route-map FAILOVER_NAT interface <WAN2 Interface> overload

ip route 0.0.0.0 0.0.0.0 <ISP1 Gateway> track 100
ip route 0.0.0.0 0.0.0.0 <ISP2 Gateway> 10 track 101
ip route 0.0.0.0 0.0.0.0 <ISP1 Gateway> 250
ip route 0.0.0.0 0.0.0.0 <ISP2 Gateway> 251

ip access-list extended PingISP_A
 permit icmp host <WAN1 Interface IP> host 8.8.8.8

ip access-list extended PingISP_B
 permit icmp host <WAN2 Interface IP> host 8.8.8.8

ip sla 100
 icmp-echo 8.8.8.8 source-interface <WAN1 Interface>
ip sla schedule 100 life forever start-time now

ip sla 101
 icmp-echo 8.8.8.8 source-interface <WAN2 Interface>
ip sla schedule 101 life forever start-time now

access-list 107 permit ip <LAN subnet> <LAN inverse mask> any
access-list 108 permit ip <LAN subnet> <LAN inverse mask> any

route-map FAILOVER_NAT permit 10
 match ip address 107
 match interface <WAN2 Interface>

route-map DYN_NAT permit 10
 match ip address 108
 match interface <WAN1 Interface>

route-map LocalPolicy permit 10
 match ip address PingISP_A
 set ip next-hop <ISP1 Gateway>
 set interface <WAN1 Interface>

route-map LocalPolicy permit 20
 match ip address PingISP_B
 set ip next-hop <ISP2 Gateway>
 set interface <WAN2 Interface>

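The behaviour that the track and route lines above produce over time is easier to see in a simulation than in the CLI. The script below is an added example (not code from the original page) that models the two tracks with their "delay down 10 up 20" dampening and the four default routes (AD 1 and 10 tracked, AD 250 and 251 floating), then replays a constructed probe history: ISP1 misses one probe, later fails for several intervals and recovers, while ISP2 answers throughout. Gateway addresses, the 10 s probe frequency and the probe outcomes are assumptions made for the simulation.

```python
"""Simulation of tracked default routes with 'delay down 10 up 20' dampening.

Added example, not code from the original page. Each track follows its IP SLA
probe but only changes state after the opposite condition has persisted for
the configured delay; the routing table installs the lowest administrative-
distance default route whose track is up and falls back to the floating
routes (AD 250/251) when every track is down.
"""
from typing import Dict, List, Optional, Tuple

# Constructed placeholders for <ISP1 Gateway> and <ISP2 Gateway>.
ISP1_GW = "203.0.113.1"
ISP2_GW = "198.51.100.1"

# (gateway, administrative distance, track id or None), mirroring the four
# 'ip route 0.0.0.0 0.0.0.0 ...' lines of the router config.
ROUTES: List[Tuple[str, int, Optional[int]]] = [
    (ISP1_GW, 1, 100),
    (ISP2_GW, 10, 101),
    (ISP1_GW, 250, None),
    (ISP2_GW, 251, None),
]


class Track:
    """Models 'track N ip sla N reachability' with 'delay down D up U'."""

    def __init__(self, delay_down: int, delay_up: int) -> None:
        self.delay_down = delay_down
        self.delay_up = delay_up
        self.up = True                              # start with the link healthy
        self.pending_since: Optional[int] = None    # when the opposite state was first seen

    def observe(self, now: int, reachable: bool) -> bool:
        """Feed one probe result taken at 'now' seconds; return the track state."""
        if reachable == self.up:
            self.pending_since = None   # condition cleared before the delay expired
            return self.up
        if self.pending_since is None:
            self.pending_since = now
        delay = self.delay_up if reachable else self.delay_down
        if now - self.pending_since >= delay:
            self.up = reachable
            self.pending_since = None
        return self.up


def active_gateway(routes, track_state: Dict[int, bool]) -> str:
    """Gateway of the best installed default route.

    A tracked route is installed only while its track is up; the untracked
    floating routes are always candidates, so they win when both ISPs fail.
    """
    installed = [r for r in routes if r[2] is None or track_state.get(r[2], False)]
    return min(installed, key=lambda r: r[1])[0]


def simulate(probes: Dict[int, List[bool]], frequency: int = 10,
             delay_down: int = 10, delay_up: int = 20) -> List[Tuple[int, str]]:
    """Replay per-track probe results; return (time, active gateway) per interval."""
    tracks = {tid: Track(delay_down, delay_up) for tid in probes}
    steps = len(next(iter(probes.values())))
    timeline = []
    for i in range(steps):
        now = i * frequency
        state = {tid: tracks[tid].observe(now, results[i]) for tid, results in probes.items()}
        timeline.append((now, active_gateway(ROUTES, state)))
    return timeline


# Constructed scenario: ISP1 drops one probe at t=20 (a blip), then fails
# from t=50 to t=90 and recovers; ISP2 answers every probe.
T, F = True, False
SCENARIO = {
    100: [T, T, F, T, T, F, F, F, F, F, T, T, T, T],
    101: [T] * 14,
}

if __name__ == "__main__":
    for now, gw in simulate(SCENARIO):
        print(f"t={now:3d}s default route via {gw}")
```

With these delays the single missed probe at t=20 never flips the route, the sustained failure moves traffic to ISP2 on the second consecutive miss, and the return to ISP1 waits until the link has answered for 20 s. Two points the page's router config leaves implicit: it does not set an IP SLA frequency, so on IOS the default of 60 s applies and a failure can take about a minute plus the 10 s delay before the route changes; and both probes target the same host through the LocalPolicy route-map, so that one target is a shared dependency, and if it stops answering ICMP both tracks go down and only the floating routes remain.
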
If you also need static NAT, the route-maps follow the same pattern:

route-map STAT_NAT permit 10
 match ip address 109
 match interface <WAN1 Interface>

route-map FAILOVER_SNAT permit 10
 match ip address 110
 match interface <WAN2 Interface>