ASA5510 with two ISP

osoamazin
Level 1

Is it possible to configure this firewall with two ISPs so that the same internal webserver can be accessed via both ISP external addresses?

8 Replies

mj11
Level 3

Hi

I don't think it would be possible to do what you are asking.

Have a look at the following link for the ASA/PIX 7.x: Redundant or Backup ISP Links Configuration Example:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Regards MJ

haithamnofal
Level 3

Hi,

PIX/ASA doesn't support source-based routing, so it will be kind of impossible to have 2 ISP connections directly to the PIX/ASA. However, if you have a router in front of your firewall, then you can connect the 2 ISPs to the router and configure your firewall and router in the way I explained in my previous post titled "2 ISP Connections"; please have a look at that post, posted last week, and let me know if you have any questions.

Good Luck,

Haitham

It doesn't sound like that's what he's interested in. It seems he wants to do this:

static (inside,outside) netmask 255.255.255.255

static (inside,outside2) netmask 255.255.255.255

Hi,

Yeah, but if he connected both connections to the PIX then he will have a problem with balancing outbound connections, since you can't configure source-based routing in PIX/ASA, meaning that all the traffic will be routed according to the default route, which will practically point to one of the ISPs. So, he won't be able to route traffic to the 2nd ISP.

In order to utilize both ISPs, he can do the following as I stated in my previous post:

1- Have one connection between the ASA and the router and make this subnet the public block of ISP1.

2- On the perimeter router, configure a static route to make the ISP2 public range routable through the ASA outside interface (which has a public IP from the ISP1 range).

3- On the perimeter router, configure source-based routing for all the traffic coming from the ISP2 public range to be routed to the ISP2 GW.

4- On the ASA, do static NATing for your servers which need to be accessed from ISP1 as needed, and for those which need to be accessed through ISP2, give them public addresses from the ISP2 range. For example, do the following:

static (inside,outside) netmask 255.255.255.255

static (inside,outside) netmask 255.255.255.255

The router will take care of routing the traffic to the right ISP because of the configuration made on steps 2 & 3.

Hope this helps.

Regards,

Haitham

I was referring to the first post about Backup ISP.

Hello.

Have you tested such a static? I did with v6.3(5) and 7.2(2), and this was the result:

static (inside,outside) 1.2.3.4 4.4.4.4

static (inside,outside) 5.5.5.5 4.4.4.4

ERROR: duplicate of existing static

from inside:4.4.4.4 to outside:1.2.3.4 netmask 255.255.255.255

Usage: [no] static [(real_ifc, mapped_ifc)]

{|interface}

{ [netmask ]} | {access-list }

[dns] [norandomseq] [ []]

[no] static [(real_ifc, mapped_ifc)] {tcp|udp}

{|interface}

{ [netmask ]} |

{access-list }

[dns] [norandomseq] [ []]

Here you have an interesting link that solves this issue in a "half matter". To apply this you must have 7.2(1) or better:

ASA/PIX 7.x: Redundant or Backup ISP Links Configuration Example

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

I said "half matter" since this example resolves the communication issue of those users that communicate from the inside world to the Internet, BUT it does not resolve the problem for any connection initiated from the INTERNET to any inside (or DMZ) server, since the public IP address changes depending on the Internet link....!!!

The VPN-Client connectivity can be solved by applying a "backup VPN server" in the VPN-Client software.

Any suggestion to resolve the incoming traffic from the Internet to the DMZ Server?

Hi,

You cannot configure different NATing IPs for the same address, so as a result the following configuration will fail:

static (inside,outside) 1.2.3.4 4.4.4.4

static (inside,outside) 5.5.5.5 4.4.4.4

On the other hand, you need to dedicate different servers to the different ISPs, like:

static (inside,outside) 1.2.3.4 4.4.4.4

static (inside,outside) 5.5.5.5 4.4.4.5

This should work fine!

Sorry if I was not clear on this before.

Regards,

Haitham
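Added example, not posted by anyone in this thread: a small checker that reproduces the static-NAT acceptance rule the replies above describe, so that a candidate set of `static` lines can be validated before it is pasted into an ASA. It assumes two rules (drawn from the error shown earlier and from Haitham's last reply): one real address may appear in only one static per interface pair, and one mapped address may be used by only one static per mapped interface; the wording of the second error is the checker's own, since the thread only shows the first.

```python
import re

# Matches 'static (inside,outside) 1.2.3.4 4.4.4.4 [netmask 255.255.255.255]'
# (mapped address first, real address second, as on the ASA/PIX CLI).
STATIC_RE = re.compile(
    r"static\s+\((?P<real_ifc>\w+),(?P<mapped_ifc>\w+)\)\s+"
    r"(?P<mapped>[\d.]+)\s+(?P<real>[\d.]+)(?:\s+netmask\s+(?P<mask>[\d.]+))?$"
)


def parse_static(line):
    """Parse one 'static' line into a dict; raise ValueError if it is malformed."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError("unparsable static line: %r" % line)
    entry = m.groupdict()
    entry["mask"] = entry["mask"] or "255.255.255.255"  # host static if omitted
    return entry


def apply_statics(lines):
    """Apply static lines in order, returning (accepted_entries, error_strings).

    Rules modelled (assumption, based on the behaviour observed in the thread):
      * one real address may appear in only one static per interface pair;
      * one mapped address may be used by only one static per mapped interface.
    """
    accepted, errors = [], []
    for line in lines:
        new = parse_static(line)
        clash = None
        for old in accepted:
            same_pair = ((old["real_ifc"], old["mapped_ifc"])
                         == (new["real_ifc"], new["mapped_ifc"]))
            if same_pair and old["real"] == new["real"]:
                clash = "duplicate of existing static"  # wording shown in the thread
            elif old["mapped_ifc"] == new["mapped_ifc"] and old["mapped"] == new["mapped"]:
                clash = "mapped address already in use"  # checker's own wording
            if clash:
                errors.append("ERROR: %s from %s:%s to %s:%s netmask %s" % (
                    clash, old["real_ifc"], old["real"],
                    old["mapped_ifc"], old["mapped"], old["mask"]))
                break
        else:  # no clash with any accepted static
            accepted.append(new)
    return accepted, errors
```

Feeding it the two lines from the "ERROR: duplicate of existing static" post yields exactly that error for the second line, while the two-server variant and a second static on a different mapped interface such as outside2 are both accepted.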
