Dual ISP and ASA Config


Dual ISP Setup


How can an ASA5510 be used to connect a network to the Internet using dual ISPs?


The Parameters:

DSL Circuit to ISP 1 (5.5.5.0/255.255.255.0)

T1 circuit to ISP 2 (7.7.7.0/255.255.255.0)

Internal network with non-routable address space (10.10.10.0/255.255.255.0).

No BGP


The goals are:

a) to be able to load balance across the two connections

b) to be able to connect from the outside using both connections (VPN to each external interface independently).


Yes, I know, there are other posts. I've already read all the other ones on the subject and still don't have a satisfactory answer.


Right now, the setup is as follows:


interface Ethernet0/0
 nameif DSL
 security-level 0
 ip address 5.5.5.1 255.255.255.0

interface Ethernet0/1
 nameif TEE
 security-level 0
 ip address 7.7.7.1 255.255.255.0

interface Ethernet0/2
 nameif internal
 security-level 50
 ip address 10.10.10.1 255.255.255.0

global (DSL) 30 interface
global (TEE) 30 interface

nat (internal) 30 10.10.10.0 255.255.255.0


The next hop gateway for the DSL circuit is 5.5.5.10

The next hop gateway for the T1 ISP is 7.7.7.10


When the route is as follows:

route DSL 0.0.0.0 0.0.0.0 5.5.5.10 1

Then the connections are NAT'ed and routed out of the DSL interface.


When the route is as follows:

route TEE 0.0.0.0 0.0.0.0 7.7.7.10 1

Then the connections are NAT'ed and routed out of the T1 interface.


I've put the ISPs on separate interfaces so that the NAT functionality can switch over correctly.


When the route is switched to DSL, NAT changes to using the DSL IP. When the route is changed to the T1, NAT changes to use the T1 IP.


As most know, the problem is that two default routes cannot be defined on the ASA, so one has to choose between one circuit or the other. Route tracking can also be set up for failover, but that doesn't solve the problem.


So the question is, how can this be done?


I've read about some possible solutions, but as I mentioned, nothing seemed definite:


Using OSPF routing?

Multiple context with some load balancing between multiple contexts?

Some sort of fancy ARP mechanism?

Having a separate router that can route based on source IP?

Getting a cheapo dual wan router to share the circuits?


Thanks for all replies.


suschoud Fri, 03/23/2007 - 07:47

Unfortunately, the ASA cannot do load balancing.


However, I believe you must have read about the ISP fallback feature, where one link remains active and the other ISP link acts as a standby link. In case the active link fails, the standby link starts passing the traffic. So there's bare minimum disruption of service.


Here's a link which explains ISP fallback in detail:



http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml


The major issue here is source-based routing, which is not supported by PIX/ASA.


For the Internet traffic, we need to set up a default route.


route outside 0 0 1.1.1.1


considering 1.1.1.1 as the default gateway.


So, all the traffic will be sent to this default gateway.


We cannot tell the firewall, let's say:

to send the traffic to the isp1 interface when the source is vlan1,

and to send the traffic to the isp2 interface when the source is vlan2.


So, even if you create two VLANs on the inside and divide the internal traffic to go to two different ISP links, it'll not be a viable option, as the ASA only understands destination-based routes. As the destination is Internet traffic, a common segment on the two ISP links, we get a route conflict.



The only viable option is to configure active/active failover with two ISP links. Configure two contexts on the ASAs. Let's say,


On ASA1: context A would be active / context B would be standby.

On ASA2: context B would be active / context A would be standby.


So, by this you can send the traffic from vlan1 through context A,

and the traffic from vlan2 through context B.


Here are a few links which explain the active/active failover configuration (multiple context) in detail:



http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/general/contexts.htm (Multiple context general)



http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/general/mngcntxt.htm (Adding and managing security contexts)



http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/general/failover.htm#wp1096075 (Configuring active/active failover)



hth

sushil

cisco tac

danielnunes Tue, 09/15/2009 - 03:19
User Badges:

I've used load balancing with two ISPs.

After my ASA I put two routers, every router attached to an ISP, and the ASA is configured with two default routes.

Everything works out fine, but there are some issues with inbound connections that you have to pay attention to.

abinjola Fri, 03/23/2007 - 16:19

Options 4 and 5 seem a good choice.

thammerle Tue, 05/19/2009 - 07:48

So it looks like no one is doing this or it's not possible?

jeremyault Sat, 05/23/2009 - 08:19

The only way to load balance outbound is to have two routes of equal cost. Since you cannot have 2 default routes with equal cost on the ASA, you simply cannot do it.


Failover using the track command is the only option with an ASA at this point in time.

mlitka Thu, 11/05/2009 - 13:20

Jeremy -


I am confused about your statement:


"Since you cannot have 2 default routes with equal cost on the ASA, you simply cannot do it."


In the ASA Configuration Guide


http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/route_static.html#wp1121580


it states:


"You can define up to three equal cost default route entries per device. Defining more than one equal cost default route entry causes the traffic sent to the default route to be distributed among the specified gateways. When defining more than one default route, you must specify the same interface for each entry."

branfarm1 Fri, 11/06/2009 - 09:57

As people have mentioned, you can't use your ASA to *actively* use both your ISPs at the same time. Your best bet, if you want to use both ISPs, is to purchase a router to stick outside the FW. Once you have a router outside your firewall you will have multiple options to fulfill your requirements.


I run a similar setup where I have a router outside my firewall, and I use a route-map on the router to point traffic to different ISPs depending on the NAT groups the traffic is coming from on the ASA. It works great.


Good luck,


Brandon
