2 ISP connections - router and firewall

Unanswered Question
Jul 23rd, 2007

I am adding a second internet connection and have a 1812 router and an ASA5505 for my firewall. I would like to connect the internet connections to the router and set up load balancing there, and then have the firewall between the router and my internal network.

I can get the router set up with both connections active, and I can get the ASA setup with one connection, but I am a little stumped as to where to start on the configuration as desired. Any suggestions or where to go to get started?

Jagdeep Gambhir Mon, 07/23/2007 - 11:19

In ASA 7.2.x code, there is support for ISP failover, i.e. outgoing traffic uses the primary ISP and then the secondary ISP if the primary fails.

Here's the configuration guide for your reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

However, if you want to have 2 ISPs in use at the same time for load balancing or load sharing, that is not supported on the ASA.

Regards,

jeremy.lebeau Mon, 07/23/2007 - 11:22

That would be why I have the router there. I want to do load balancing and have the router for that purpose.

jeremy.lebeau Mon, 07/23/2007 - 11:33

No. I have a static block assigned by ISP #1 and a separate block assigned by ISP #2. I will only be load balancing outgoing traffic with the router.

royalblues Mon, 07/23/2007 - 11:49

You can use PBR to achieve load balancing, but since these are static blocks assigned individually by the ISPs, failover would be a problem.

e.g. you have 2 blocks, 1.1.1.1/24 and 2.2.2.2/24, assigned by ISP1 and ISP2 respectively.

Configure the ASA to NAT some subnets in the range given by ISP1 and others to the ISP2 range.

Assuming your connection between the router and the ASA uses the ISP1 LAN pool, configure:

! ACL 100 selects packets whose source address is in the ISP2 block (the
! access-list itself was not included in the original post; it is implied
! by the explanation below)
access-list 100 permit ip 2.2.2.0 0.0.0.255 any
!
route-map inet_isp2 permit 10
 match ip address 100
 set ip next-hop <ISP2 gateway address>
!
interface fa0/0
 description connection to ASA
 ip address 1.1.1.x 255.255.255.0
 ip policy route-map inet_isp2
!
! default route via ISP1; the ISP2 block is routed toward the ASA so that
! inbound traffic for those addresses reaches the firewall
ip route 0.0.0.0 0.0.0.0 <ISP1 gateway address>
ip route 2.2.2.0 255.255.255.0 <next hop toward the ASA>

If the packet comes out of the ASA with a source address from the ISP1 range, it will use the default route via ISP1 link.

If the packet has a source address from the ISP2 range, it will match the PBR, which will force it to take the ISP2 link.

This should achieve load balancing, though it would not be perfectly 50-50.

HTH, rate if it does

Narayan

jeremy.lebeau Mon, 07/23/2007 - 12:53

I realize that failover is a problem. I will try a workaround using the track function.

That example you gave doesn't really explain anything to me as to what I need to do either. You mention an ASA cluster, but I don't have one. I have a router and an ASA.

Let's go back to basics here. I have 2 internet connections coming in that connect to the 1812 router. ISP #1 (call it 1.1.1.1/25) connects to fa0. ISP #2 (call it 2.2.2.2/25) connects to fa1. The ASA will connect to fa3. My first thought was to make a new subnet for a DMZ and assign an IP from that to fa3. I will not use NAT on the router. On the ASA, I will connect eth0/0 to the router and give it an IP in the DMZ subnet. eth0/1 will connect to my internal network (192.168.x.x/24). I will use the ASA as the firewall and VPN device.

Now, I will have 2 different ranges of IP addresses coming through the router to the ASA that will need to have static mappings to my mail/web/etc servers on the internal network. Can I just set up the static mappings on the ASA as usual?

royalblues Mon, 07/23/2007 - 13:06

The above example was mostly to load balance traffic originating from inside to outside.

In any case, configure PBR on fa3 as mentioned.

The ASA would anyway have a default route pointing to the router.

If you are planning to use separate subnets between the FW and the router, you would require 2 static routes for the respective IP pools pointing to the ASA.

If you want to load balance inbound traffic to the servers, configure static NATs on some servers using the ISP1 range and others using the ISP2 range.

HTH, rate if it does

Narayan
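Editor's worked example (added here; it is not configuration posted by anyone in this thread): a complete router plus ASA configuration that puts together Narayan's PBR suggestion, the static routes for the two public pools toward the ASA, the split of outbound NAT and inbound statics across the two blocks, and the "track" workaround jeremy.lebeau mentions. All addresses are assumptions: each ISP is assumed to hand the router a /30 link (1.1.0.0/30 and 2.2.0.0/30, gateways .1) and to route the customer block (1.1.1.0/25 and 2.2.2.0/25) to it; the router and the ASA share a private transit 10.0.0.0/30; the inside network is 192.168.1.0/24. Two platform details are assumed from the hardware named in the thread: fa2-fa9 on an 1812 are switch ports, so the transit address lives on a VLAN interface (Vlan10 here), and Ethernet0/x on an ASA 5505 are likewise switch ports, so the outside and inside addresses live on Vlan2 and Vlan1. The IP SLA and track commands use the newer IOS syntax; on 12.4 mainline the equivalents are `ip sla monitor 1`, `type echo protocol ipIcmpEcho`, `ip sla monitor schedule` and `track 1 rtr 1 reachability`.

```cisco
!=== 1812 router: two ISP uplinks, PBR by source block, ISP2 next hop tracked ===
! Assumed addressing (not from the thread): each ISP gives the router a /30 link
! and routes the customer block (1.1.1.0/25 or 2.2.2.0/25) to it; the router and
! the ASA share the private transit 10.0.0.0/30.
interface FastEthernet0
 description ISP1 uplink
 ip address 1.1.0.2 255.255.255.252
!
interface FastEthernet1
 description ISP2 uplink
 ip address 2.2.0.2 255.255.255.252
!
! fa3 on an 1812 is a switch port; the transit address lives on the SVI
interface FastEthernet3
 description to ASA outside
 switchport access vlan 10
!
interface Vlan10
 description transit to ASA
 ip address 10.0.0.1 255.255.255.252
 ip policy route-map inet_isp2
!
! Reachability probe toward the ISP2 gateway drives the track object used by PBR
ip sla 1
 icmp-echo 2.2.0.1 source-interface FastEthernet1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Packets the ASA sends from the ISP2 block must leave via ISP2
access-list 100 remark source in ISP2 block -> policy route via ISP2
access-list 100 permit ip 2.2.2.0 0.0.0.127 any
!
route-map inet_isp2 permit 10
 match ip address 100
 set ip next-hop verify-availability 2.2.0.1 1 track 1
!
! ISP1-sourced traffic simply follows the default route via ISP1.
! Both public blocks are routed to the ASA so inbound traffic reaches the firewall.
ip route 0.0.0.0 0.0.0.0 1.1.0.1
ip route 1.1.1.0 255.255.255.128 10.0.0.2
ip route 2.2.2.0 255.255.255.128 10.0.0.2

!=== ASA 5505 (7.2 syntax): outbound NAT split across the blocks, statics for servers ===
! Ethernet0/x on a 5505 are switch ports; addresses go on the VLAN interfaces.
interface Ethernet0/0
 switchport access vlan 2
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.252
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 10.0.0.1
!
! Lower half of the inside /24 PATs to an ISP1 address, upper half to an ISP2
! address; the source address chosen here is what the router's PBR keys on.
global (outside) 1 1.1.1.20
global (outside) 2 2.2.2.20
nat (inside) 1 192.168.1.0 255.255.255.128
nat (inside) 2 192.168.1.128 255.255.255.128
!
! Inbound servers: mail published in the ISP1 block, web in the ISP2 block.
! Replies carry the 2.2.2.10 source, so PBR sends them back out ISP2 (no asymmetry).
static (inside,outside) 1.1.1.10 192.168.1.10 netmask 255.255.255.255
static (inside,outside) 2.2.2.10 192.168.1.20 netmask 255.255.255.255
!
access-list outside_in extended permit tcp any host 1.1.1.10 eq smtp
access-list outside_in extended permit tcp any host 2.2.2.10 eq www
access-group outside_in in interface outside
```

To check it, `show track 1` and `show ip sla statistics 1` on the router confirm the probe is up, and `show route-map inet_isp2` shows the policy-match packet counter climbing when a host in 192.168.1.128/25 browses; `show ip policy` confirms the route-map is bound to Vlan10. On the ASA, `show xlate` shows which global address each inside host was translated to. Two caveats, both in line with what Narayan says above: this spreads load only by which inside hosts use which pool and by which block a server is published in, so it is not per-flow balancing; and when track 1 goes down the ISP2-sourced packets fall through to the default route and leave via ISP1, where they will very likely be dropped by ISP1's source-address ingress filtering, so the track object prevents blackholing on the router but does not by itself give you a working failover for the ISP2 block.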
