Cisco ASA 5505 Adaptive Security Appliance Technical Manual

• Cisco ASDM Version 7.x or later
The information in this document was created from the devices in a specific lab environment. All of the
devices used in this document started with a cleared (default) configuration. If your network is live, make sure
that you understand the potential impact of any command.
Related Products
You can also use this configuration with the Cisco ASA 5500 Series Version 9.1(5).
Note: The backup interface command is required in order to configure the fourth interface on the ASA 5505
Series. Refer to the backup interface section of the Cisco Security Appliance Command Reference, Version 7.2
for more information.
Background Information
This section provides an overview of the static route tracking feature that is described in this document, as
well as some important recommendations before you begin.
Static Route Tracking Feature Overview
One problem with the use of static routes is that no inherent mechanism exists that can determine whether the
route is up or down. The route remains in the routing table even if the next hop gateway becomes unavailable.
Static routes are removed from the routing table only if the associated interface on the security appliance goes
down. In order to solve this problem, a static route tracking feature is used in order to track the availability of
a static route. The feature removes the static route from the routing table and replaces it with a backup route
upon failure.
Static route tracking allows the ASA to use an inexpensive connection to a secondary ISP in the event that the
primary leased line becomes unavailable. In order to achieve this redundancy, the ASA associates a static
route with a monitoring target that you define. The Service Level Agreement (SLA) operation monitors the
target with periodic ICMP echo requests. If an echo reply is not received, then the object is considered down,
and the associated route is removed from the routing table. A previously configured backup route is used in
place of the route that is removed. While the backup route is in use, the SLA monitor operation continues its
attempts to reach the monitoring target. Once the target is reachable again, the primary route is restored to the
routing table and the backup route is removed.
In the example that is used in this document, the ASA maintains two connections to the Internet. The first
connection is a high speed leased line that is accessed through a router provided by the primary ISP. The
second connection is a lower speed Digital Subscriber Line (DSL) that is accessed through a DSL modem
provided by the secondary ISP.
Note: The configuration that is described in this document cannot be used for load balancing or load sharing,
as it is not supported on the ASA. Use this configuration for redundancy or backup purposes only. Outbound
traffic uses the primary ISP, and then the secondary ISP if the primary fails. Failure of the primary ISP causes
a temporary disruption of traffic.
The DSL connection is idle as long as the leased line is active and the primary ISP gateway is reachable.
However, if the connection to the primary ISP goes down, the ASA changes the routing table in order to direct
traffic to the DSL connection. Static route tracking is used in order to achieve this redundancy.
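The following ASA configuration is an added example that illustrates the mechanism described above; it is not the configuration from this document. It assumes two outside-facing interfaces named outside (leased line) and backup (DSL), and uses constructed documentation addresses (203.0.113.1 for the primary ISP gateway, 198.51.100.1 for the DSL gateway); the SLA operation number 123 and track object 1 are arbitrary choices.

```cisco
! Added example, not the configuration from this document.
! Addresses are constructed placeholders; interface names are assumed.
!
! 1. Define an SLA operation that sends ICMP echo requests to the
!    primary ISP gateway out of the "outside" interface every 10 seconds.
sla monitor 123
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
!
! 2. Start the operation now and keep it running indefinitely.
sla monitor schedule 123 life forever start-time now
!
! 3. Create a tracked object whose state follows the reachability
!    result of SLA operation 123.
track 1 rtr 123 reachability
!
! 4. Primary default route (metric 1) is installed only while track 1 is up.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
!
! 5. Backup default route with a worse metric (254). It is used only when
!    the tracked primary route has been withdrawn from the routing table.
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Verification (exec mode): confirm which default route is active and
! whether the tracked target currently answers.
!   show route
!   show sla monitor operational-state
!   show track 1
```

Only one of the two default routes is present in the routing table at any time, which is why this setup provides failover rather than load sharing. The monitored target here is the ISP gateway itself, as in the scenario on this page; monitoring an address further into the ISP network instead would also detect failures beyond the first hop, at the cost of withdrawing the route when that more distant host is unreachable for reasons unrelated to the link.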
The ASA is configured with a static route that directs all of the Internet traffic to the primary ISP. Every ten
seconds, the SLA monitor process checks in order to confirm that the primary ISP gateway is reachable. If the