Multiple ISP and ASA

sathyahemanth
Level 1

Hi,

Can anyone suggest how to configure load balancing and failover between an ASA and multiple ISPs? All ISP connections are terminated on a single router.

Thanks and regards,

SH.

10 Replies

alvaroadp
Level 1

If you find that out, let us know. Right now I am moving to Linux+iproute2

Rodrigo Gurriti
Level 3

Well, as far as I know you can do that well on a router, but on the ASA/PIX you can set multiple static routes with the same metric/cost.

This will not work as well as on the router, but you know, hehehe, it's a firewall, not a router :)

Please, guys, read http://www.cisco.com/en/US/products/hw/modules/ps2033/prod_technical_reference09186a00800afeb7.html

If you find it interesting please rate :)

Hi SH.

You can achieve this goal on the router. Are you using multiple ISPs terminating on the same router?

IMHO, the best way is to use a load-sharing mechanism with the policy-based routing feature on the router. Let me explain further: you can have VLAN/subnets 2-5 go to ISP_1 and VLAN/subnets 6-10 go to ISP_2 with source routing via the policy-based routing feature. Now you can control the outbound traffic going to the ISPs. I don't think multiple default routes will be a good solution for multiple ISPs, because are you sure the packets of one session go to the same ISP at a time?

Hope this helps

L.Thot

No doubt you need a router, but that's why you use these commands:

ip load-sharing per-packet

or

ip load-sharing per-destination

The process is simple (if there is 1 DMZ):

The PIX/ASA can handle only 1 outside route.

Therefore this route has to be your Internet router's Ethernet Address.

On the internet router, put 1 default outside route towards ISP1 (the ISP on which the DMZ is hosted).

Then put 1 route-map on the Ethernet interface of the router which is on the same subnet as the PIX outside.

This route-map will define that if particular traffic has to be sent to ISP B, match it with an ACL (this will be the public IP of ISP B) against the source IP of the subnet which has to be routed via ISP B.

Set the next hop as the WAN interface of ISP B.

You are done.

sathyahemanth
Level 1

So guys, is it advisable not to NAT at the firewall, do the NATting at the router instead, and use the appropriate switching method on the router to route traffic?

This is what I think you are trying to suggest for this problem.

Thanks and regards,

SH.

Hi,

The NAT should be done on the firewall.

Example:

On the firewall:

192.168.1.0 NAT to outside IP of ISP A (1.1.1.0)

192.168.2.0 NAT to outside IP of ISP B (2.2.2.0)

On the internet router:

Put a default route to the WAN IP of ISP A.

Put a policy route for packets originating with source IP 2.2.2.0 - next hop WAN IP of ISP B.

Hi Anand,

What about the load-balancing and the failover in this case?

T & r,

SH.

Load balancing will happen based on subnets.

*** Load balancing ***

Say internal subnet A - 192.168.1.0 will be routed via Link A (using the default route & NAT for Link A).

Internal subnet B - 192.168.2.0 will be routed via Link B (using the policy route & NAT for Link B).

*** For Failover *** - You have to do the following & it is manual :( (since you are not running a BGP config where both ISPs can route each other's traffic)

Summary -

Change route & change NAT. Maybe a little confusing.

Details -

If Link A goes down - change the default route on the internet router to Link B.

Change the NAT config for Subnet A & add it to pool B.

If Link B goes down - remove the policy route from the internet router so that all traffic is diverted to Link A.

Change the NAT config for Subnet B & add it to pool A.

Let me know if you have any doubts

HTH - Please rate all useful posts
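The router policy route and the firewall NAT split described in the two posts above, plus the manual failover steps from this last one, written out as one constructed configuration. This is an added example, not any poster's actual config. The two internal subnets (192.168.1.0/24, 192.168.2.0/24) and the two public blocks (1.1.1.0 for ISP A, 2.2.2.0 for ISP B) are the thread's; the interface names, the ISP next-hop addresses (198.51.100.1, 203.0.113.1), the router/ASA addresses on the shared LAN (1.1.1.1, 1.1.1.2) and the PAT addresses (1.1.1.10, 2.2.2.10) are assumptions. The firewall part uses the pre-8.3 nat/global syntax that matches the PIX/ASA era of the thread.

```cisco
!======================================================================
! Internet router (IOS) -- constructed example, not from the thread
! Assumed addressing (not stated in the thread):
!   Gi0/0  1.1.1.1/24  LAN shared with the ASA outside interface
!   ISP A WAN next hop 198.51.100.1   ISP B WAN next hop 203.0.113.1
!   ASA outside interface 1.1.1.2
!======================================================================
! Return path for ISP B's public block: the ASA translates subnet B to
! 2.2.2.0/24, so replies from ISP B must be handed back to the ASA
ip route 2.2.2.0 255.255.255.0 1.1.1.2
! The one default route, toward ISP A (the link that hosts the DMZ)
ip route 0.0.0.0 0.0.0.0 198.51.100.1
! Match packets the ASA has already translated to ISP B's public range
ip access-list extended PBR-ISP-B
 permit ip 2.2.2.0 0.0.0.255 any
! Policy route: anything sourced from ISP B's block leaves via ISP B
route-map TO-ISP-B permit 10
 match ip address PBR-ISP-B
 set ip next-hop 203.0.113.1
! Apply it on the Ethernet interface facing the ASA outside
interface GigabitEthernet0/0
 description LAN toward ASA outside
 ip address 1.1.1.1 255.255.255.0
 ip policy route-map TO-ISP-B
!
!======================================================================
! ASA / PIX (pre-8.3 nat/global syntax) -- constructed example
!======================================================================
! The single outside route: the router's Ethernet address
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
! Subnet A -> PAT to an ISP A address (pool 1, follows the default route)
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 1.1.1.10
! Subnet B -> PAT to an ISP B address (pool 2); the router's route-map
! steers these flows by their translated source
nat (inside) 2 192.168.2.0 255.255.255.0
global (outside) 2 2.2.2.10
!
!======================================================================
! Manual failover, exactly as the post describes it
!======================================================================
! --- Link A down: default route to ISP B, subnet A moves into pool 2 ---
! (router)
no ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 0.0.0.0 0.0.0.0 203.0.113.1
! (ASA)
no nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 2 192.168.1.0 255.255.255.0
clear xlate
!
! --- Link B down: drop the policy route, subnet B moves into pool 1 ---
! (router)
interface GigabitEthernet0/0
 no ip policy route-map TO-ISP-B
! (ASA)
no nat (inside) 2 192.168.2.0 255.255.255.0
nat (inside) 1 192.168.2.0 255.255.255.0
clear xlate
```

Two things worth checking when reproducing this: the route-map only works because the ASA has already rewritten subnet B's source to the 2.2.2.x address before the router sees the packet, so the ACL must match the translated address, not 192.168.2.0; and after each NAT change on the ASA, `clear xlate` tears down the existing translations so sessions are rebuilt on the surviving link rather than staying pinned to the dead one.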
