Let’s see how to implement a reliable default route on a Cisco ASA firewall. The point here is to always have a default route in place, so we will use an SLA monitor.

We will be using this topology:

[Topology diagram: ASA SLA]

We need to have permanent access to 172.17.172.0/24 even if one of the two routers or their links fail.

We will use what’s called Static Reliable Routing. This feature allows us to create a tracker that pings at intervals and reports whether the destination is reachable. This tracker can be linked to a static route, so the firewall will use that route only while the tracker is up. We will also install a second static route with a higher administrative distance; this route kicks in when the tracker detects a failure and removes its associated route.

We need an SLA (Service Level Agreement) monitor that will ping to verify reachability. We will also need a special object, the tracker, that points to the SLA monitor, and the static route will point to the tracker itself.
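The three pieces described above (SLA monitor, tracker, tracked static route plus floating backup) as an added ASA configuration example; this is not the post's own configuration, and the interface name "outside", the next-hop addresses 192.0.2.1 / 192.0.2.2 and the timer values are assumptions, not values from the page.

```cisco
! Assumed topology (not from the post): ASA interface "outside", primary
! router next hop 192.0.2.1, backup router next hop 192.0.2.2.
!
! 1. SLA monitor: ICMP echo probe sent out the "outside" interface.
!    The target is the primary router itself, so the probe only succeeds
!    while the primary path is actually usable.
sla monitor 10
 type echo protocol ipIcmpEcho 192.0.2.1 interface outside
 num-packets 3
 frequency 10
 timeout 3000
 threshold 2000
! Start the probe now and keep it running indefinitely.
sla monitor schedule 10 life forever start-time now
!
! 2. Tracker object bound to the SLA monitor's reachability state.
track 1 rtr 10 reachability
!
! 3. Primary default route, AD 1, installed only while track 1 is up.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1 track 1
! Floating default route, AD 254, takes over when the tracked route is
! withdrawn and disappears again once the primary route is reinstalled.
route outside 0.0.0.0 0.0.0.0 192.0.2.2 254
!
! Verification (privileged EXEC):
!   show sla monitor operational-state 10   - probe results and RTT
!   show track 1                            - Reachability is Up / Down
!   show route                              - which default route is active
```

Keep the probe target on the primary path only (the primary next hop or a host reachable solely through it); if the target is reachable through the backup router too, the probe succeeds during a failure, the primary route is reinstalled, and the route flaps.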

It is quite similar to a floating static route, if you want to search the Internet for more background.

Let’s see the video demo:

[Video: Static Reliable Routing with Cisco ASA]

Note that the timers used in the demo were the default ones, so there is a full minute between each SLA reachability check. Of course you can fine-tune this to achieve a higher connectivity ratio and reduce the outage time.