11 November 2011, posted by Gom Jabbar
Cisco ASA – Redundant Default Routes

Early November. We are at the tail end of hurricane season in the Caribbean.

Last night, I am swaddled in waterproof raingear and Doc Martens, put-putting between customer sites on my little scooter. A tropical storm is doing the fandango a hundred miles offshore, and our surf churns white. The storm is supposed to hit around 1 a.m., but by noon, the outer edges of the storm begin to swish past, lashing the island with bands of heavy rain.

Overhead, telephone cables swing about in gale force winds, and I wonder if my cable TV will be out when I get home. Taxis zoom past my little scooter, filled with travelers headed to the airport. Tomorrow’s flights have been rescheduled for tonight. It’s not an especially big storm, but with the potential for wind damage, the airlines are getting out of Dodge. The power grid in my neighborhood is so shaky, the electricity goes out if you sneeze in the general direction of the substation. I suspect that dinner will be a pint of semi-melted ice-cream (rescued from the fridge) while reading an Asimov paperback by candlelight.

One of my customers is a big box store. Kinda like S-Mart from the Evil Dead movies. They sell damned near everything. The day before a hurricane hits, the store is packed with shoppers buying hurricane supplies. Cash registers ring merrily, and the takings rival the Christmas shopping season. Whereas my corporate clients have battened down the hatches for the duration of the storm, this customer stays open all day. After the storm passes, we will need to open up first thing the next morning because folks will be lining up to buy tools and supplies to clear up the mess.

The credit card system needs Internet access in order to process each transaction. No Internet means no credit card sales. Sure, we have manual workarounds. Customers who do not have a store account can always pay by cash or check. But if the WAN infrastructure is severely damaged by downed trees, it may take days for the work crews to turn up and fix the lines. So what do you do? You hook up a redundant WAN link. Different ISP, different medium. Eliminate as many commonalities as possible. Where possible, we want to avoid a single point of failure.

The main store has redundant ISPs, but the smaller retail locations each have a single DSL line to connect to the payment servers on the Internet. For a quick fix, we hook up a wireless Internet modem that works anywhere, even at the beach. If high winds take down the phone lines, we lose the DSL line. But the wireless link will remain up.

So. We have the inside and outside interfaces already configured. The inside interface connects to the 10.10.10.0 LAN network, where all our cash registers reside. The outside interface (11.11.11.1) is connected to the DSL router.

Cisco ASA 5505 with Redundant ISPs

We just need to configure an additional interface for the second WAN link. (One caveat for a real ASA 5505: its Ethernet0/x ports are Layer 2 switch ports, so nameif, security-level and ip address go on a VLAN interface instead, and the Base license only permits a third VLAN with the no forward interface vlan restriction. The commands are otherwise the same.)

ciscoasa# conf t
ciscoasa(config)# interface Ethernet0/2
ciscoasa(config-if)# nameif wireless
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# ip address 5.5.5.1 255.255.255.0
ciscoasa(config-if)# no shut

Configure NAT and access lists for the wireless interface as needed, so that the cash registers can get out through either exit. Then we add a second default route that uses the wireless WAN link, with a higher administrative distance. That is what the trailing number on the route command sets (show route displays it as the first number of the [distance/metric] pair), and it makes the ASA prefer the DSL route whenever both are usable:

ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 11.11.11.2 1
ciscoasa(config)# route wireless 0.0.0.0 0.0.0.0 5.5.5.2 2
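The post leaves the NAT side as "if needed". For a branch that only does outbound PAT, it is needed on both exits, because the rule written for the outside interface does not apply to the wireless one. The following is an added example, not configuration from the original post; it assumes the 8.3-or-later NAT syntax that the command references above describe, and the object name inside-lan is my own choice.

```cisco
! Constructed example: one NAT rule per WAN exit, so inside hosts are
! PATed behind the address of whichever interface the default route
! currently points at. Object NAT allows a single nat line per object,
! so manual (twice) NAT is used to cover both exits.
object network inside-lan
 subnet 10.10.10.0 255.255.255.0
!
nat (inside,outside) source dynamic inside-lan interface
nat (inside,wireless) source dynamic inside-lan interface
!
! Verification after a failover test:
!   show nat            - both rules present, hit counts on the active exit
!   show xlate          - translations should now carry the 5.5.5.1 address
```

No access list is required for this scenario: inside (security-level 100) may initiate traffic to either security-level 0 interface by default, and nothing inbound from the wireless link is permitted unless an ACL says so. Connections that were established through the DSL link do not survive a failover; the registers simply retry and come up through the wireless exit.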

Now all traffic destined for the Internet is sent via the outside interface, same as always. If the outside interface goes down, the ASA withdraws the static route that points through it, and the default route via the wireless interface takes its place in the routing table.

With both the outside and wireless interfaces up and running, a show route command coughs up the routing table on the ASA:

ciscoasa(config)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 11.11.11.2 to network 0.0.0.0

C    5.5.5.0 255.255.255.0 is directly connected, wireless
C    127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C    10.10.10.0 255.255.255.0 is directly connected, inside
C    11.11.11.0 255.255.255.0 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 11.11.11.2, outside

The default route (administrative distance 1, shown as [1/0]) uses the outside interface. The wireless default route is not listed at all while the preferred one is in place.

A ping from the ASA to the payment server (6.6.6.2) out on the Internet goes via the outside interface, and the same path applies to the cash registers on the 10.10.10.0 network:

ciscoasa(config)# ping 6.6.6.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

If the outside interface goes down (physically or administratively), the default route changes to the one via the wireless interface (administrative distance 2):

ciscoasa(config)# int Ethernet0/0
ciscoasa(config-if)# shutdown
ciscoasa(config-if)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 5.5.5.2 to network 0.0.0.0

C    5.5.5.0 255.255.255.0 is directly connected, wireless
C    127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C    10.10.10.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [2/0] via 5.5.5.2, wireless

But a ping to 6.6.6.2 still succeeds, because the traffic is now sent out via the wireless interface:

ciscoasa(config-if)# ping 6.6.6.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

This config only covers failures the ASA can see directly, namely losing

  • the outside interface of the ASA,
  • the link to the DSL modem (11.11.11.2), or
  • the DSL modem itself

If a falling tree branch takes down the line even a single hop beyond the DSL modem, the ASA won’t know about it: a static route is only withdrawn when its own interface goes down, so the ASA will keep handing traffic to 11.11.11.2 while the DSL link is dead end to end. To catch that sort of failure we need SLA route monitoring, which keeps tabs on the reachability of something several hops down the line, such as the ISP’s DNS servers, and ties the primary default route to that probe.
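As an added example (the original post stops at the two static routes), here is what that SLA monitoring looks like on ASA 8.x. The probe target 4.4.4.4 is a placeholder standing in for one of the ISP’s DNS servers, and the SLA and track numbers are arbitrary choices of mine.

```cisco
! Constructed example: probe a host beyond the DSL modem, forcing the
! probe out the outside interface, and install the primary default
! route only while the probe succeeds.
! 4.4.4.4 is a placeholder for an ISP DNS server; pick a host the ISP
! keeps up, or a dead target will flip the route for no reason.
sla monitor 10
 type echo protocol ipIcmpEcho 4.4.4.4 interface outside
 num-packets 3
 timeout 1000
 frequency 10
sla monitor schedule 10 life forever start-time now
!
! Track object state follows the probe result (up / down)
track 1 rtr 10 reachability
!
! Primary default route is tied to track 1; the backup keeps the
! higher administrative distance exactly as before.
route outside 0.0.0.0 0.0.0.0 11.11.11.2 1 track 1
route wireless 0.0.0.0 0.0.0.0 5.5.5.2 2
!
! Verification:
!   show sla monitor operational-state 10   - latest probe result
!   show track 1                            - reachability up / down
!   show route                              - which default route is installed
```

Two details matter in practice. The probe is sent out the interface named on the type echo line regardless of the routing table, so the target stays reachable only through the DSL path and the test is meaningful even after the route has moved to the wireless link. And timeout is in milliseconds while frequency is in seconds; the timeout must fit inside one probe interval, otherwise the ASA rejects the configuration.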

Shop Smart. Shop S-Mart.

Additional Information:

nameif command in the Cisco ASA 8.4 and 8.5 Command Reference.

ip address command in the Cisco ASA 8.4 and 8.5 Command Reference.

security-level command in the Cisco ASA 8.4 and 8.5 Command Reference.

shutdown command in the Cisco ASA 8.4 and 8.5 Command Reference.

ping command in the Cisco ASA 8.4 and 8.5 Command Reference.

show route command in the Cisco ASA 8.4 and 8.5 Command Reference.

route command in the Cisco ASA 8.4 and 8.5 Command Reference.