Multiple ISP and ASA

Unanswered Question
Jun 9th, 2007
Hi,


Can anyone suggest to me how to configure load balancing and failover between an ASA and multiple ISPs? All ISP connections are terminated on a single router.


Thanks and regards,

SH.

alvaroadp Sat, 06/09/2007 - 05:26
If you find that out, let us know. Right now I am moving to Linux+iproute2

Rodrigo Gurriti Sat, 06/09/2007 - 17:20

Well, as far as I know you can do that well on a router, but on the ASA/PIX you can set multiple static routes with the same metric/cost.


This will not work as well as on the router, but you know, hehehe, it's a firewall, not a router :)


Please, guys, read http://www.cisco.com/en/US/products/hw/modules/ps2033/prod_technical_reference09186a00800afeb7.html


If you find it interesting please rate :)

thotsaphon Sun, 06/10/2007 - 00:17
User Badges:
  • Gold, 750 points or more

Hi SH.

You can achieve this goal on the router. Are you using multiple ISPs terminating on the same router?

IMHO, the best way is to use a load-sharing mechanism with the policy-based routing feature on the router. Let me explain further: you can have VLAN/subnet 2-5 go to ISP_1 and VLAN/subnet 6-10 go to ISP_2 using the source routing of the policy-based routing feature. Now you can control which ISP outbound traffic goes to. I don't think multiple default routes will be a good solution for multiple ISPs, because are you sure the packets of one session go to the same ISP at a time?


Hope this helps

L.Thot

Rodrigo Gurriti Sun, 06/10/2007 - 17:59

No doubt you need a router, but that's why you use these commands:

ip load-sharing per-packet

or

ip load-sharing per-destination



anandramapathy Sun, 06/10/2007 - 22:52
User Badges:
  • Bronze, 100 points or more

The process is simple (if there is 1 DMZ):


The PIX / ASA can handle only 1 outside route.


Therefore this route has to be your Internet router's Ethernet Address.


On the internet router, put 1 default outside route towards ISP1 (the ISP on which the DMZ is hosted).


Then put 1 route-map on the Ethernet interface of the router which is on the same subnet as the PIX outside.


This route-map will define that if particular traffic has to be sent to ISP B, match it with an ACL (this will be the public IP of ISP B) against the source IP of the subnet which has to be routed via ISP B.


Set the next hop as the WAN interface of ISP B.


You are done.

sathyahemanth Mon, 06/11/2007 - 04:57

So guys, is it advisable not to NAT at the firewall but to do the NATting at the router, and use the appropriate switching method on the router to route traffic?


This is what I think you are trying to suggest for this problem.


Thanks and regards,

SH.

anandramapathy Mon, 06/11/2007 - 06:52
User Badges:
  • Bronze, 100 points or more

Hi,


The NAT should be done on the firewall.


Example:


On the firewall:

192.168.1.0 NAT to outside IP of ISP A (1.1.1.0)

192.168.2.0 NAT to outside IP of ISP B (2.2.2.0)



On the internet router:


Put a default route to the WAN IP of ISP A.

Put a policy route for packets originating with source IP 2.2.2.0, next hop the WAN IP of ISP B.

sathyahemanth Mon, 06/11/2007 - 20:46
Hi Anand,


What about the load-balancing and the failover in this case?


T & r,

SH.

anandramapathy Mon, 06/11/2007 - 21:28
User Badges:
  • Bronze, 100 points or more

Load balancing will happen based on subnets.


*** Load balancing ***

Say internal subnet A (192.168.1.0) will be routed via Link A


( Using the Default route & NAT for Link A )


Internal subnet B (192.168.2.0) will be routed via Link B


( Using the Policy Route & NAT for Link B )



*** For Failover *** - You have to do the following, and it is manual :(


(Since you are not running a BGP config where both ISPs can route each other's traffic)


Summary -

Change the route & change the NAT. May be a little confusing.


Details -


If Link A goes down - Change the default route on the internet router to Link B


Change the NAT config for Subnet A & add it to pool B


If Link B goes down - Remove the policy route from the internet router so that all traffic is diverted to Link A


Change the NAT config for Subnet B & add it to pool A



Let me know if you have any doubts


HTH - Please rate all useful posts
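The design anandramapathy describes across the three replies above (NAT per subnet on the ASA, one default route plus one policy route on the internet router, manual failover by swapping route and NAT) written out as configuration. This is an added illustration, not configuration posted in the thread. It uses the thread's subnets (192.168.1.0/24, 192.168.2.0/24) and public blocks (1.1.1.0/24 for ISP A, 2.2.2.0/24 for ISP B); every other value is a constructed assumption: ISP next hops 1.1.1.1 and 2.2.2.1, the router/ASA transit subnet 10.0.0.0/24 (router 10.0.0.1, ASA outside 10.0.0.2), PAT addresses 1.1.1.10 and 2.2.2.10, interface names, and the ACL number and route-map name. ASA syntax is the pre-8.3 nat/global form that was current in 2007.

```cisco
! ===== ASA (pre-8.3 syntax) =====
! Only one outside default route: send everything to the internet router.
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
! Subnet A is translated to an ISP A address (pool/ID 1) ...
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 1.1.1.10
! ... and subnet B to an ISP B address (pool/ID 2), so the router can
! tell the two streams apart by their post-NAT source address.
nat (inside) 2 192.168.2.0 255.255.255.0
global (outside) 2 2.2.2.10

! ===== Internet router =====
! Normal case: default route towards ISP A (the link hosting the DMZ).
ip route 0.0.0.0 0.0.0.0 1.1.1.1
! Return path for the ASA's PAT addresses (assumed: each ISP already
! routes its block to this router, so only the hop to the ASA is needed).
ip route 1.1.1.10 255.255.255.255 10.0.0.2
ip route 2.2.2.10 255.255.255.255 10.0.0.2

! Match traffic that the ASA already sourced from ISP B's block.
access-list 101 permit ip 2.2.2.0 0.0.0.255 any

! Policy route: anything matching ACL 101 goes to ISP B instead of the
! default route; everything else falls through to normal routing.
route-map TO-ISPB permit 10
 match ip address 101
 set ip next-hop 2.2.2.1

! Apply the policy on the interface facing the ASA outside subnet.
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip policy route-map TO-ISPB

! ===== Manual failover, as described in the thread =====
! Link A down: move the default route to ISP B ...
!   router(config)# no ip route 0.0.0.0 0.0.0.0 1.1.1.1
!   router(config)# ip route 0.0.0.0 0.0.0.0 2.2.2.1
! ... and move subnet A into pool B on the ASA:
!   asa(config)# no nat (inside) 1 192.168.1.0 255.255.255.0
!   asa(config)# nat (inside) 2 192.168.1.0 255.255.255.0
!
! Link B down: drop the policy route so everything follows the default ...
!   router(config-if)# no ip policy route-map TO-ISPB
! ... and move subnet B into pool A on the ASA:
!   asa(config)# no nat (inside) 2 192.168.2.0 255.255.255.0
!   asa(config)# nat (inside) 1 192.168.2.0 255.255.255.0
```

The point worth checking when reproducing this: the router's policy route matches on the post-NAT source (2.2.2.0/24), so it only works because the ASA performs the NAT before the packet reaches the router. If NAT were moved to the router, as asked in the question, the ACL would have to match the private subnets instead and the NAT would have to be applied per ISP interface. Existing translations on the ASA are not rebuilt by the failover steps; sessions that were translated to the failed link's address time out and are re-established through the surviving pool.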




