ASA5510 with two ISP

Unanswered Question
Apr 29th, 2007

Is it possible to configure this firewall with two ISPs so that the same internal webserver can be accessed via both ISP external addresses?

haithamnofal Fri, 05/04/2007 - 08:49

Hi,

PIX/ASA doesn't support source-based routing so it will be kind of impossible to have 2 ISP connections directly to the PIX/ASA. However, if you have a router in front of your firewall, then you can connect the 2 ISPs to the router and configure your firewall and router in the way I explained in my previous post titled as "2 ISP Connections"; please have a look at that post posted last week and let me know if you have any questions.

Good Luck,

Haitham

acomiskey Fri, 05/04/2007 - 09:26

It doesn't sound like that's what he's interested in. It seems he wants to do this.

static (inside,outside) netmask 255.255.255.255

static (inside,outside2) netmask 255.255.255.255

haithamnofal Fri, 05/04/2007 - 12:50

Hi,

Yeah, but if he connects both connections to the PIX, then he will have a problem with balancing outbound connections, since you can't configure source-based routing in PIX/ASA, meaning that all the traffic will be routed according to the default route, which will practically point to one of the ISPs. So, he won't be able to route traffic to the 2nd ISP.

In order to utilize both ISPs, he can do the following as I stated in my previous post:

1- Have one connection between the ASA and the router and make this subnet the public block of ISP1.

2- On the perimeter router configure a static route to make the ISP2 public range routable through the ASA outside interface (which has a public IP from the ISP1 range).

3- On the perimeter router configure source-based routing so that all the traffic coming from the ISP2 public range is routed to the ISP2 GW.

4- On the ASA, do static NATing for your servers that need to be accessed from ISP1 as needed, and give those that need to be accessed through ISP2 public addresses from the ISP2 range. For example, do the following:

static (inside,outside) netmask 255.255.255.255

static (inside,outside) netmask 255.255.255.255

The router will take care of routing the traffic to the right ISP because of the configuration made on steps 2 & 3.

Hope this helps.

Regards,

Haitham
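The four steps above, worked through as an added configuration example; this is not configuration posted by Haitham or anyone else in this thread. All addresses are assumed, taken from documentation ranges: ISP1's public block is 192.0.2.0/24 and is used on the router-to-ASA link (step 1), ISP2's public block is 198.51.100.0/24, the two ISP uplinks are 203.0.113.0/30 and 203.0.113.4/30, and the inside range 10.1.1.0/24, the server addresses and the interface names are likewise made up. IOS policy routing (a route-map with set ip next-hop) supplies the source-based routing of step 3; the ASA syntax is pre-8.3, as in the thread:

```cisco
! ---- Perimeter router (IOS) ---- added example, all addresses assumed
interface GigabitEthernet0/0
 description Uplink to ISP1 (203.0.113.1 is ISP1's gateway)
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Uplink to ISP2 (203.0.113.5 is ISP2's gateway)
 ip address 203.0.113.6 255.255.255.252
!
interface GigabitEthernet0/2
 description Link to ASA outside; carries ISP1's public block (step 1)
 ip address 192.0.2.1 255.255.255.0
 ip policy route-map ISP2-SOURCED        ! step 3 is applied here, on ingress from the ASA
!
! Default route toward ISP1; ISP2's block is reachable through the ASA outside IP (step 2)
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 198.51.100.0 255.255.255.0 192.0.2.2
!
! Step 3: anything sourced from ISP2's public range leaves via ISP2's gateway
ip access-list extended FROM-ISP2-RANGE
 permit ip 198.51.100.0 0.0.0.255 any
!
route-map ISP2-SOURCED permit 10
 match ip address FROM-ISP2-RANGE
 set ip next-hop 203.0.113.5
!
! ---- ASA (7.x syntax) ---- added example, all addresses assumed
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! Step 4: one server is published on an ISP1 address, another on an ISP2 address.
! Both statics are on the same (inside,outside) pair; what differs is the mapped address.
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255
static (inside,outside) 198.51.100.10 10.1.1.11 netmask 255.255.255.255
!
! Pre-8.3 ACLs are written against the mapped (public) address, so both appear here
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq www
access-list OUTSIDE_IN extended permit tcp any host 198.51.100.10 eq www
access-group OUTSIDE_IN in interface outside
```

What this gives and does not give: each server is reachable on exactly one ISP's address, and the router's policy route only returns traffic sourced from the ISP2 range through ISP2. The ASA's own default route, and with it any outbound user traffic translated to ISP1 addresses, still goes out ISP1, which is the limitation Haitham describes. The inbound ACL is the only thing exposing the servers, so keep it to the ports actually served.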

greivin.viquez Fri, 05/04/2007 - 14:38

Hello.

Have you tested such a static? I did with v.6.3(5) and 7.2(2) and this was the result:

static (inside,outside) 1.2.3.4 4.4.4.4

static (inside,outside) 5.5.5.5 4.4.4.4

ERROR: duplicate of existing static

from inside:4.4.4.4 to outside:1.2.3.4 netmask 255.255.255.255

Usage: [no] static [(real_ifc, mapped_ifc)]

{|interface}

{ [netmask ]} | {access-list }

[dns] [norandomseq] [ []]

[no] static [(real_ifc, mapped_ifc)] {tcp|udp}

{|interface}

{ [netmask ]} |

{access-list }

[dns] [norandomseq] [ []]

greivin.viquez Fri, 05/04/2007 - 16:01

Here you have an interesting link that solves this issue on a "half matter". To apply this you must have 7.2(1) or better:

ASA/PIX 7.x: Redundant or Backup ISP Links Configuration Example

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

I said "half matter" since this example resolves the communication issue of those users that communicate from the inside world to the internet BUT it does not resolve the problem for any connection initiated from the INTERNET to any inside (or DMZ) server, since the public IP address changes depending on the internet link...!!!

The VPN-Client connectivity can be solved by applying a "backup VPN server" on the VPN-Client software.

Any suggestion to resolve the incoming traffic from the Internet to the DMZ Server?
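For reference, the tracked default route arrangement that the linked Cisco document describes, written out here as an added example; it is not copied from that document or from this thread, and every address is an assumed documentation-range value (ISP1 on the outside interface via gateway 192.0.2.1, ISP2 on a second interface named backup via 198.51.100.1, a probe target 203.0.113.1 assumed to sit beyond ISP1's gateway). An SLA probe drives a track object; when the probe fails, the primary default route is withdrawn and the floating route through the backup interface takes over, and outbound PAT follows it because a global is defined on both interfaces. As the post above says, this only handles connections initiated from inside:

```cisco
! ASA 7.2(1) or later -- added example, all addresses assumed
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
!
interface Ethernet0/2
 nameif backup
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! Probe a host beyond ISP1's gateway (assumed 203.0.113.1) every 10 s via outside.
! Probing only the next hop would miss an upstream failure while the link stays up.
sla monitor 123
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
!
! The track object goes down when the probe loses reachability
track 1 rtr 123 reachability
!
! Primary default route is installed only while track 1 is up; the floating route
! (administrative distance 254) takes over when it is withdrawn
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Outbound PAT on whichever interface currently holds the default route
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! Inbound publishing of a server on the backup link is not addressed by this
! arrangement; see the post above for why.
```

One operational note: the probe target should be something the business actually depends on reaching (a resolver or an upstream router), not the first hop, and the frequency should be short enough that failover happens before user sessions time out, but long enough that a few lost pings do not flap the default route.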

haithamnofal Fri, 05/04/2007 - 20:36

Hi,

You cannot configure different NATing IPs for the same address, so as a result the following configuration will fail:

static (inside,outside) 1.2.3.4 4.4.4.4

static (inside,outside) 5.5.5.5 4.4.4.4

On the other hand, you need to dedicate different servers to the different ISPs, like:

static (inside,outside) 1.2.3.4 4.4.4.4

static (inside,outside) 5.5.5.5 4.4.4.5

This should work fine!

Sorry if I was not clear on this before.

Regards,

Haitham
