ASA with 2 ISPs

Unanswered Question
Jun 7th, 2007
I'm thinking about firewalling off 2 WAN links from 2 ISPs with just one ASA. I'm going to set up second and third interfaces facing the WAN and treat them as if they were individual and just add routing to forward traffic as needed. I know of a setup where you can have redundancy with a fallback ISP, but these 2 WAN links are going to be live at the same time. Is there anything I should be aware of, or is there a white paper that has a sample config I can look at?


Thanks.

anandramapathy Fri, 06/08/2007 - 04:30

The ASA supports only 1 route outside.

If you terminate both links on the ASA:

Policy routing is not possible on the ASA.

Then you have to manually change the outside routes to the alternate ISP if your main ISP goes down. The 2 DMZ option also will not be possible.

The best option is to terminate both the links on the Internet router and do a policy route on the Internet router.



jackleung Fri, 06/08/2007 - 04:35
That's fine. But say for example I have 2 networks outside, A, and B. I can't set a route on the firewall to direct all traffic destined for network A to go to router A and traffic to network B to go to router B (leaving a default route to go to either one of those routers)?

cpembleton Fri, 06/08/2007 - 04:46

The ASA is not really designed to do that. Load balancing is not possible with 2 external links. You could do route tracking to fail over to the second ISP if the primary failed.

You could also create 2 routes: one for half the Internet and 1 for the other half. However, if you were hosting any services (web or mail) and the connection came in on 1 ISP but the route on the ASA sent it out the other interface, the session would not be established.

You could set up 1 interface as the default route on the ASA. Set up 1 or 2 routers on the edge of the ISP as your gateway (2 w/ HSRP). Load balancing would be at the router level. But because you have 2 separate ISPs and 2 different subnets it becomes more of a challenge, unless you could get them to advertise each other's subnets (not likely) and use BGP to update the ISP. Otherwise you would have to configure any NAT you need on the routers, not the ASA.


Hope this helps!


Chad
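The route-tracking failover Chad mentions, written out as an added example (this is not a config posted in the thread and not Cisco's own sample; it uses the ASA 7.x/8.0 CLI of the time). Interface names "outside" and "backup", the RFC 5737 addresses, and the SLA/track IDs are all assumed placeholders. The ASA pings the primary ISP's next hop; while the ping succeeds the primary default route is installed, and when it stops answering the tracked route is withdrawn and the higher-metric backup default route takes over. Both outside interfaces get a PAT pool so traffic leaving either link is sourced from that link's own address.

```text
! --- Added example (hypothetical addresses and names) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.10 255.255.255.0
!
interface GigabitEthernet0/1
 nameif backup
 security-level 0
 ip address 198.51.100.10 255.255.255.0
!
! Probe the primary ISP gateway with ICMP every 5 seconds
sla monitor 10
 type echo protocol ipIcmpEcho 192.0.2.1 interface outside
 num-packets 3
 frequency 5
sla monitor schedule 10 life forever start-time now
!
! Track object 1 is "up" while SLA 10 reports the target reachable
track 1 rtr 10 reachability
!
! Primary default route is tied to the track object (metric 1);
! the backup default route only wins once the tracked route is withdrawn
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1 track 1
route backup  0.0.0.0 0.0.0.0 198.51.100.1 254
!
! PAT inside hosts to the interface address of whichever link is active
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (backup) 1 interface
```

Two caveats a practitioner would check before relying on this. First, pinging the ISP's own gateway only proves the first hop is alive; point the echo target at something beyond it (a well-known public address the ISP is not hosting) if you want to detect an upstream outage rather than just a dead link. Second, existing translations and connections built on the primary interface do not migrate when the route flips; after a failover you typically need to clear them (clear xlate, and the affected connections) so sessions re-establish via the backup link. None of this gives you simultaneous use of both links, which is exactly the limitation the replies above describe.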

