Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
341
Views
0
Helpful
14
Replies

Adding Backup ISP

ironman28
Level 1
Level 1

‎04-19-2024 03:30 PM

I have a pair of ASAs that I try to add a backup ISP.   I would be creating sub interfaces on Gi0/0.  Once I default the Gi0/0, the Outside configuration would be gone from the configure, can I do the sub interfaces. configure Gi0/0.10 with nameif Outside and paste all the configuration back to the ASA, would that restore all the configuration for the VPN and the site to site tunnel?

2. with the second sub-interface Gi0/0.20 nameif BackupISP, can I copy all the configure with NAT and crypto and change it from Outside to BackupISP to add it to the configuration to create the backup VPN tunnel for remote VPN and site to site?

 

0 Helpful
14 Replies 14

MHM Cisco World
VIP
VIP

‎04-19-2024 03:50 PM

I have a pair of ASAs that I try to add a backup ISP.   I would be creating sub interfaces on Gi0/0.  Once I default the Gi0/0, the Outside configuration would be gone from the configure, can I do the sub interfaces. configure Gi0/0.10 with nameif Outside and paste all the configuration back to the ASA, would that restore all the configuration for the VPN and the site to site tunnel?

2. with the second sub-interface Gi0/0.20 nameif BackupISP, can I copy all the configure with NAT and crypto and change it from Outside to BackupISP to add it to the configuration to create the backup VPN tunnel for remote VPN and site to site?

What I understand you will change the main interface G0/0 nameif OUTside to be G0/0.10 nameif OUTside same IP?

If Yes then let me check this in lab see the effect of change the interface with nameif 

MHM

0 Helpful

MHM Cisco World
VIP
VIP
In response to MHM Cisco World

‎04-19-2024 06:01 PM - edited ‎04-22-2024 02:57 AM

MHM

0 Helpful

ironman28
Level 1
Level 1

‎04-19-2024 07:35 PM

Hi MHM, thanks for the response. When I try to default the interface it wipes out the configure. I try to prevent reconfigure everything that is why I use the same name Outside with the same IP.  Can I upload a changed running configure for the Gi0/0.1 and test the running configure?   Currently the first ISP is going directly to the ASA1, try to make it redundant with second ISP for failover to ASA2.  

0 Helpful

MHM Cisco World
VIP
VIP
In response to ironman28

‎04-20-2024 04:22 AM - edited ‎04-22-2024 02:58 AM

MHM

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎04-20-2024 04:40 AM - edited ‎04-20-2024 04:41 AM

How is your network diagram looks like ?

is the ISP terminating Switch ?

ASA  Gi0/0 outside interface connected to Switch ?

Do you have any sample configuration to look, and what ASA version code running on ASA ?

I have a pair of ASAs that I try to add a backup ISP.  - If you have Pair of ASA you can terminate other ISP connection directly ASA 2 right ? what is the challenge here ? (when ASA 1 Fails - Other ASA 2 can take care of  statefull switch over of the configured correctly ?)

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Marius Gunnerud
VIP
VIP

‎04-21-2024 02:23 PM

When you default the Gi0/0 interface all configuration that references the Outside name will be removed.  So this will include, but not limited to, routing, NAT, access-group configuration, Site to site VPN configuration that references the interface name, remote access VPN configuration that references the interface name.

So when you do this, I recommend that you have a full configuration backup, extract all configuration that references the Outside interface name and then add it back once you have created the subinterface.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

ironman28
Level 1
Level 1

‎04-21-2024 05:25 PM

ironman28_0-1713745313396.png

This is what I'm thinking. 

I should be able to do replace the configure with running-configure to restore the configure once the sub-interface is added or do I need to do it with running-configure all?
Can I take the running configure with Outside and change it to BackupISP and paste it back to the running configure to setup the second backup tunnel?

 

 

0 Helpful

ironman28
Level 1
Level 1

‎04-21-2024 05:42 PM

Here is a sample of the configure.

---
From
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 85.15.23.242 255.255.255.248 standby 85.15.23.243
!
-----
Change it to
interface GigabitEthernet0/0
no nameif Outside
no security-level
no ip address

interface GigabitEthernet0/0.11
nameif Outside
Vlan 11
security-level 0
ip address 85.15.23.242 255.255.255.248 standby 85.15.23.243

interface GigabitEthernet0/0.12
nameif Outside
Vlan 12
security-level 0
ip address 95.16.24.242 255.255.255.248 standby 95.15.24.243

---
From
access-list Outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_8 172.16.176.0 255.255.255.0
access-list Outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 172.16.177.0 255.255.255.0
access-list Outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 172.16.180.0 255.255.255.0
access-list Outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.16.176.0 255.255.255.0
nat (Outside,Outside) source static 172.16.180.0 172.16.180.0 destination static 10.10.20.0 10.10.20.0 no-proxy-arp route-lookup
nat (Outside,Outside) source static 172.16.181.0 172.16.181.0 destination static 10.10.20.0 10.10.20.0 no-proxy-arp route-lookup
nat (Outside,Outside) source static 172.16.16.0 172.16.16.0 destination static 10.10.20.0 10.10.20.0 no-proxy-arp route-lookup
nat (Inside,Outside) source static any any destination static NETWORK_OBJ_10.10.20.0_23 NETWORK_OBJ_10.10.20.0_23 no-proxy-arp route-lookup
nat (DMZ,Outside) source static any any destination static NETWORK_OBJ_10.10.20.0_23 NETWORK_OBJ_10.10.20.0_23 no-proxy-arp route-lookup

-----
Change to
access-list BackupISP_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_8 172.16.176.0 255.255.255.0
access-list BackupISP_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 172.16.177.0 255.255.255.0
access-list BackupISP_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 172.16.180.0 255.255.255.0
access-list BackupISP_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.16.176.0 255.255.255.0
nat (BackupISP,BackupISP) source static 172.16.180.0 172.16.180.0 destination static 10.10.20.0 10.10.20.0 no-proxy-arp route-lookup
nat (BackupISP,BackupISP) source static 172.16.181.0 172.16.181.0 destination static 10.10.20.0 10.10.20.0 no-proxy-arp route-lookup
nat (BackupISP,BackupISP) source static 172.16.16.0 172.16.16.0 destination static 10.10.20.0 10.10.20.0 no-proxy-arp route-lookup
nat (Inside,BackupISP) source static any any destination static NETWORK_OBJ_10.10.20.0_23 NETWORK_OBJ_10.10.20.0_23 no-proxy-arp route-lookup
nat (DMZ,BackupISP) source static any any destination static NETWORK_OBJ_10.10.20.0_23 NETWORK_OBJ_10.10.20.0_23 no-proxy-arp route-lookup

0 Helpful

Marius Gunnerud
VIP
VIP
In response to ironman28

‎04-21-2024 10:33 PM

This will not work. You will need a different name for the the BackupISP interface and then duplicate all configuration from the Outside interface for the backup interface.  You would need to set the default route for the secondary ISP with a higher admin distance and then configure ipsla to track the outside interface and when it stops responding move to the BackupISP default route.

From what you have posted you only have. not NAT configuration for site to site VPN and do not have any public IPs exposed to the internet (i.e. webservers).  But if you do have static one to one NAT for access from the Outside, in the case of a failover to the BackupISP you would need to manually change the DNS for those servers or create a script (if available to you) to do that for you.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

ironman28
Level 1
Level 1
In response to Marius Gunnerud

‎04-22-2024 02:52 AM

Sorry, my mistake, the BackupISP would have the name of BackupISP and different address.

interface GigabitEthernet0/0.12
nameif BackupISP
security-level 0
ip address 95.16.24.242 255.255.255.248 standby 95.15.24.243

Question is can I copy the running config with anything that says Outside and just create a new one with BackupISP to create a second tunnel

0 Helpful

MHM Cisco World
VIP
VIP
In response to ironman28

‎04-22-2024 02:55 AM

It appear ypu want to waste your time and my answer is igonre!!

MHM

0 Helpful

ironman28
Level 1
Level 1
In response to MHM Cisco World

‎04-22-2024 03:14 AM

Sorry MHM, I appreciated your help.  I understand what you said.  Anything with Outside would be wiped.  I just try to find out if I copy the configure back with sub-interface would the configuration be stored.

0 Helpful

MHM Cisco World
VIP
VIP
In response to ironman28

‎04-22-2024 03:20 AM

do you know which command use nameif OUTSIDE exactly ?

NO

so the better and safe solution use for subinterface new nameif like OUT1 then start config from zero.

config NAT and ACL and crypto ...etc.
copy same config and paste it when change interface will more harder than use new nameif 

MHM

0 Helpful

MHM Cisco World
VIP
VIP
In response to ironman28

‎04-21-2024 11:14 PM - edited ‎04-22-2024 02:56 AM

 

MHM

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card