06-07-2007 11:05 AM - edited 03-11-2019 03:26 AM
I'm thinking about firewalling off 2 WAN links from 2 ISPs with just one ASA. I'm going to set up second and third interfaces facing the WAN and treat them as if they were individual and just add routing to forward traffic as needed. I know of a setup where you can have redundancy with a fallback ISP but these 2 WAN links are going to be live at the same time. Is there anything I should be aware of, or is there a white paper that has a sample config I can look at?
Thanks.
06-08-2007 04:30 AM
The ASA supports only 1 Route outside.
If you terminate both links on the ASA
Policy Route is not possible on ASA
Then you have to manually change the outside routes to the alternate ISP if your main ISP goes down. 2 DMZ option also will not be possible.
Best option is to terminate both the links on the Internet router & do a policy route on the Internet router.
06-08-2007 04:35 AM
That's fine. But say for example I have 2 networks outside, A, and B. I can't set a route on the firewall to direct all traffic destined for network A to go to router A and traffic to network B to go to router B (leaving a default route to go to either one of those routers)?
06-08-2007 04:46 AM
The ASA is not really designed to do that. Load balancing is not possible with 2 external links. You could do route tracking to failover to second ISP if primary failed.
You could also create 2 routes. One for half the Internet and 1 for the other half. However, if you were hosting any services (web or mail), if the connection came in on 1 ISP but the route on the ASA sent it out the other interface, the session would not be established.
You could set up 1 interface as the default route on the ASA. Set up 1 or 2 routers on the edge of the ISP as your gateway (2 w/ HSRP). Load balancing would be at the router level. But because you have 2 separate ISPs and 2 different subnets it becomes more of a challenge. Unless you could get them to advertise each other's subnets (not likely) and use BGP to update the ISP. Otherwise you would have to configure any NAT you need on the routers, not the ASA.
Hope this helps!
Chad
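Added example, not part of the original thread: a small Python model of the "half the Internet per ISP" routing described in the reply above, showing which inbound connections to a hosted service would have their replies leave by the other interface. The interface names `isp_a` and `isp_b`, the /1 split, and the sample client addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed split-default routing table: one /1 route per ISP-facing interface.
# Interface names and the sample client addresses are assumptions for illustration.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/1"), "isp_a"),
    (ipaddress.ip_network("128.0.0.0/1"), "isp_b"),
]

def egress_interface(dst, routes=ROUTES):
    """Longest-prefix match: return the interface used to reach dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, ifname) for net, ifname in routes if addr in net]
    if not matches:
        return None
    return max(matches)[1]

def check_inbound(client_ip, arrived_on, routes=ROUTES):
    """Classify an inbound connection to a hosted service.

    The reply is routed by destination only, so it leaves on whichever
    interface owns the client's half of the address space, regardless of
    where the request arrived.
    """
    reply_if = egress_interface(client_ip, routes)
    return {
        "client": client_ip,
        "arrived_on": arrived_on,
        "reply_via": reply_if,
        "symmetric": reply_if == arrived_on,
    }

def audit(flows, routes=ROUTES):
    """Return the flows whose reply would leave a different interface."""
    return [r for r in (check_inbound(c, i, routes) for c, i in flows)
            if not r["symmetric"]]

# Constructed sample flows: (client address, interface the SYN arrived on).
SAMPLE_FLOWS = [
    ("198.51.100.20", "isp_b"),  # upper half, arrived on ISP B: symmetric
    ("198.51.100.20", "isp_a"),  # upper half, arrived on ISP A: asymmetric
    ("100.64.10.5", "isp_a"),    # lower half, arrived on ISP A: symmetric
    ("100.64.10.5", "isp_b"),    # lower half, arrived on ISP B: asymmetric
]

if __name__ == "__main__":
    for flow in audit(SAMPLE_FLOWS):
        print(flow)
```

Each flow the audit returns is one where the request and the reply use different ISP links, which is the case the reply says will not establish.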