Routing between 2 Internet links on ASA 5510

thangvnpro
18-11-2009, 02:19 PM
Dear all,

I currently have an ASA 5510 using 2 Internet lines (FPT and VNPT).
Right now I have it configured to prefer the FPT line by metric. When the FPT line goes down, traffic automatically switches to VNPT.
My problem is that when the FPT line is back to normal, the ASA keeps using VNPT instead of going back to FPT as it did at the start.

If any of you have experience with this, please share.
Thanks,
Thắng - thangbeckham@yahoo.com

convoi
18-11-2009, 04:40 PM
Can you post the ASA configuration here?

thanhnam0707
20-11-2009, 08:01 AM
Have a look at the following configuration snippet.
e.g.:
outside_1 interface wan vnpt
outside_2 interface wan fpt

access-list ICMP extended permit icmp any any
access-group ICMP in interface outside_1
access-group ICMP in interface outside_2

route outside_1 0.0.0.0 0.0.0.0 ip_nexthop_wan1 1 track 100
route outside_2 0.0.0.0 0.0.0.0 ip_nexthop_wan2 10
sla monitor 1
 type echo protocol ipIcmpEcho ip_dns_public interface outside_1
sla monitor schedule 1 life forever start-time now
track 100 rtr 1 reachability

With this ICMP monitoring, when the primary link goes down the secondary becomes active, and when the primary comes back up the primary takes the active role back within about 3-5s.

thangvnpro
20-11-2009, 12:42 PM
Hi everyone,

If I were configuring the ASA from scratch there would be nothing to discuss, but the problem is that this device is already running and already configured. Please see the configuration file below. Thanks for your help.

: Saved
: Written by enable_15 at 02:32:19.785 UTC Wed Oct 14 2009
!
ASA Version 8.0(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Ethernet0/0
nameif OUTSIDE-MEGAVNN
security-level 0
pppoe client vpdn group MEGAVNN
ip address pppoe setroute
ospf cost 10
!
interface Ethernet0/1
speed 100
nameif OUTSIDE-FTTH
security-level 0
ip address dhcp setroute
ospf cost 10
!
interface Ethernet0/2
nameif TRUNK
security-level 0
no ip address
ospf cost 10
!
interface Ethernet0/2.60
vlan 60
nameif DMZ
security-level 50
ip address 10.8.192.254 255.255.255.0
ospf cost 10
!
interface Ethernet0/3
nameif INSIDE
security-level 100
ip address 10.8.1.102 255.255.255.252
ospf cost 10
!
interface Management0/0
nameif quanly
security-level 0
ip address 9.9.9.9 255.255.255.0
ospf cost 10
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list INSIDE_access_in extended permit ip any any
access-list INSIDE_access_in extended permit tcp any any eq pptp inactive
access-list INSIDE_access_in extended permit tcp any any eq telnet inactive
access-list OUTSIDE-MEGAVNN_access_in extended permit tcp any any eq ftp
access-list OUTSIDE-MEGAVNN_access_in extended permit tcp any any eq ftp-data
access-list OUTSIDE-MEGAVNN_access_in extended permit tcp any any eq ssh
access-list OUTSIDE-MEGAVNN_access_in extended permit tcp any any eq pptp inactive
access-list smevpn_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list INSIDE_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.8.195.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip 10.8.1.100 255.255.255.252 10.8.13.160 255.255.255.224
access-list INSIDE_nat0_outbound extended permit ip host 10.8.5.1 10.8.13.160 255.255.255.224
access-list INSIDE_nat0_outbound extended permit ip any 10.8.13.160 255.255.255.224
access-list INSIDE_nat0_outbound extended permit ip any 10.8.195.0 255.255.255.0
access-list OUTSITE-FTTH_access_in extended permit tcp any any eq ftp
access-list OUTSITE-FTTH_access_in extended permit tcp any any eq ftp-data
access-list INSIDE_access_out extended permit ip any any
access-list hcmoffice_splitTunnelAcl standard permit 10.8.1.100 255.255.255.252
access-list hcmoffice_splitTunnelAcl standard permit host 10.8.5.1
access-list hcmvpn_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE-MEGAVNN 1500
mtu OUTSIDE-FTTH 1500
mtu TRUNK 1500
mtu DMZ 1500
mtu INSIDE 1500
mtu quanly 1500
ip local pool smevpnpool 10.8.195.1-10.8.195.254 mask 255.255.255.0
ip local pool smevpnpool1 10.8.194.0-10.8.194.254 mask 255.255.255.0
ip local pool vpnpool 10.8.13.175-10.8.13.180 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE-MEGAVNN) 1 interface
global (OUTSIDE-FTTH) 1 interface
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 1 0.0.0.0 0.0.0.0
static (INSIDE,OUTSIDE-MEGAVNN) tcp interface ftp 10.8.3.3 ftp netmask 255.255.255.255
static (INSIDE,OUTSIDE-MEGAVNN) tcp interface ftp-data 10.8.3.3 ftp-data netmask 255.255.255.255
static (INSIDE,OUTSIDE-MEGAVNN) tcp interface ssh 10.8.5.1 ssh netmask 255.255.255.255
access-group OUTSIDE-MEGAVNN_access_in in interface OUTSIDE-MEGAVNN
access-group OUTSITE-FTTH_access_in in interface OUTSIDE-FTTH
access-group INSIDE_access_in in interface INSIDE
access-group INSIDE_access_out out interface INSIDE
!
router rip
network 10.0.0.0
version 2
!
route OUTSIDE-FTTH 0.0.0.0 0.0.0.0 118.69.255.126 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 9.9.9.0 255.255.255.0 quanly
http 10.0.0.0 255.0.0.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map OUTSIDE-MEGAVNN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE-MEGAVNN_map interface OUTSIDE-MEGAVNN
crypto isakmp enable OUTSIDE-MEGAVNN
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.0.0.0 255.0.0.0 INSIDE
telnet 10.8.1.0 255.255.255.0 INSIDE
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group MEGAVNN request dialout pppoe
vpdn group MEGAVNN localname namhuyen11
vpdn group MEGAVNN ppp authentication pap
vpdn username namhuyen11 password megavnn1
vpdn username Sgfdl-070529-287 password vietnam
vpdn username Sgfdl-070529-287 password doanhnghiep
vpdn username Sgfdl-070529-287 password vietnam
vpdn username Sgfdl-070529-287 password vietnam
vpdn username Sgfdl-070529-287 password vietnam
vpdn username Sgfdl-070529-287 password vietnam
vpdn username Sgfdl-070529-287 password vietnam
vpdn username Sgfdl-070529-287 password vietnam
vpdn username sgfdl-070529-287 password vietnam
vpdn username sgfdl-070529-287 password doanhnghiep
vpdn username sgfdl-070529-287 password doanhnghiep
dhcp-client client-id interface OUTSIDE-FTTH
dhcpd address 9.9.9.10-9.9.9.11 quanly
dhcpd option 3 ip 9.9.9.9 interface quanly
dhcpd enable quanly
!
no threat-detection basic-threat
threat-detection statistics access-list
webvpn
enable OUTSIDE-MEGAVNN
enable OUTSIDE-FTTH
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy HCMvpn internal
group-policy HCMvpn attributes
wins-server value 10.8.4.1 10.4.4.1
dns-server value 10.8.4.1 10.4.4.1
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value smesc.vn
group-policy hcmvpn internal
group-policy hcmvpn attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value hcmvpn_splitTunnelAcl
group-policy hcmoffice internal
group-policy hcmoffice attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value hcmoffice_splitTunnelAcl
default-domain value xxxxxxxxxxxxxsc.vn
group-policy xxxxvpn internal
group-policy xxxxvpn attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value xxxxxxxxxx_splitTunnelAcl
username xxxxxxxxx password QS95twohVrKyTqXu encrypted privilege 0
username xxxxxxxxx attributes
vpn-group-policy hcmoffice
username xxxxxxxxxx password GZDW.e8jkwo4mHrW encrypted privilege 0
username xxxxxxxxx attributes
vpn-group-policy smevpn
tunnel-group hcmvpn type remote-access
tunnel-group hcmvpn general-attributes
address-pool xxxxxxxxx
default-group-policy hcmvpn
tunnel-group xxxxxxx ipsec-attributes
pre-shared-key xxxxxxx
tunnel-group xxxxxxxxxxxxx type remote-access
tunnel-group xxxxxxxxxxxxx general-attributes
address-pool xxxxxxxxx
default-group-policy hcmvpn
tunnel-group xxxxxxxxxxxxx ipsec-attributes
pre-shared-key xxxxxx
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect icmp
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:94c5828a7a218bd07e099e677e7504cc
: end
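Applying the tracked-route approach from thanhnam0707's reply to the interface names and next hop in the posted configuration, as an added example that is not from any of the posters. It assumes FPT/FTTH is meant to be the primary line as the question says, that `ip_dns_public` is replaced by a stable public address, and that the `pppoe client route distance` interface command is available on this 8.0(3) release.

```cisco
! Primary: OUTSIDE-FTTH (FPT). Drop "setroute" so the DHCP-learned default
! route does not compete with the tracked static route configured below.
interface Ethernet0/1
 ip address dhcp
!
! Backup: OUTSIDE-MEGAVNN (VNPT). Keep "setroute" (the PPPoE peer address is
! dynamic) but push its default route to a worse distance than the primary.
! Assumption: "pppoe client route distance" is supported on this release.
interface Ethernet0/0
 ip address pppoe setroute
 pppoe client route distance 10
!
! Probe a stable public address out the primary interface only. The
! "interface" keyword sends the echo via OUTSIDE-FTTH regardless of the
! routing table, so FPT keeps being tested even while VNPT carries traffic;
! that is what lets the primary route be reinstalled when FPT recovers.
! ip_dns_public is a placeholder. Three probes every 10 s, 1 s timeout.
sla monitor 1
 type echo protocol ipIcmpEcho ip_dns_public interface OUTSIDE-FTTH
 num-packets 3
 frequency 10
 timeout 1000
 threshold 1000
sla monitor schedule 1 life forever start-time now
!
! Tie the probe's reachability state to a tracked object.
track 100 rtr 1 reachability
!
! Primary default route: metric 1, present only while track 100 is up.
! 118.69.255.126 is the next hop already in the posted config; it had
! metric 10 there, which actually made FTTH the backup, not the primary.
no route OUTSIDE-FTTH 0.0.0.0 0.0.0.0 118.69.255.126 10
route OUTSIDE-FTTH 0.0.0.0 0.0.0.0 118.69.255.126 1 track 100
!
! Verify: "show sla monitor operational-state 1", "show track 100",
! "show route" (the FTTH default should reappear a few seconds after
! FPT recovers). The posted global_policy already has "inspect icmp".
```

After failback, connections that were already established through OUTSIDE-MEGAVNN keep that egress interface until they close or time out; only new connections use FTTH.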