07-23-2007 10:59 AM - edited 03-03-2019 05:59 PM
I am adding a second internet connection and have a 1812 router and an ASA5505 for my firewall. I would like to connect the internet connections to the router and set up load balancing there, and then have the firewall between the router and my internal network.
I can get the router set up with both connections active, and I can get the ASA setup with one connection, but I am a little stumped as to where to start on the configuration as desired. Any suggestions or where to go to get started?
07-23-2007 11:19 AM
In ASA 7.2.x code, there is support for failover ISP, i.e., outgoing traffic uses the primary ISP and then the secondary ISP if the primary fails.
Here's the configuration guide for your reference:
However, if you want to have 2 ISPs in use at the same time for load balancing or load sharing, then it's not supported on the ASA.
Regards,
07-23-2007 11:22 AM
That would be why I have the router there. I want to do load balancing and have the router for that purpose.
07-23-2007 11:30 AM
Do you own a registered IP space from the IRR?
07-23-2007 11:33 AM
No. I have a static block assigned by ISP #1 and a separate block assigned by ISP#2. I will only be load balancing outgoing traffic with the router.
07-23-2007 11:49 AM
You can use PBR to achieve load balancing, but since it is a static block assigned individually by the ISPs, failover would be a problem.
E.g., you have 2 blocks, 1.1.1.1/24 and 2.2.2.2/24, assigned by ISP1 and ISP2 respectively.
Configure the ASA to NAT some subnets in the range given by ISP1 and others to the ISP2 range.
Assuming your connection between the router and the ASA uses the ISP1 LAN pool, configure:
! ACL 100 is referenced but not shown in the post; from the description
! below it selects packets whose source is in the ISP2 range (2.2.2.0/24)
access-list 100 permit ip 2.2.2.0 0.0.0.255 any
!
route-map inet_isp2 permit 10
 match ip address 100
 ! next-hop address (the ISP2 gateway) is omitted in the post
 set ip next-hop
!
interface fa0/0
 ip address 1.1.1.x 255.255.255.0
 description connection to ASA
 ! apply the policy to traffic arriving from the ASA
 ip policy route-map inet_isp2
!
! default route via the ISP1 link (next hop omitted in the post)
ip route 0.0.0.0 0.0.0.0
! return route for the ISP2 pool toward the ASA (next hop omitted in the post)
ip route 2.2.2.0 255.255.255.0
If the packet comes out of the ASA with a source address from the ISP1 range, it will use the default route via ISP1 link.
If the packet has a source address from the ISP2 range, it will match the PBR, which will force it to take the ISP2 link.
This should achieve load balancing, though it would not be perfectly 50-50.
HTH, rate if it does
Narayan
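The PBR scheme above, written out as a complete 1812 configuration with the failover gap closed by IP SLA tracking. This is an added example, not Narayan's posted config or anything from Cisco's guide, and every address in it is assumed: ISP1 link 1.1.1.0/25 (gateway 1.1.1.1, router 1.1.1.2 on fa0), ISP2 link 2.2.2.0/25 (gateway 2.2.2.1, router 2.2.2.2 on fa1), an RFC1918 /30 between the router and the ASA (router 172.16.0.1, ASA outside 172.16.0.2), and routed pools 1.1.1.128/25 and 2.2.2.128/25 that each ISP forwards to the router and that the ASA NATs into. On the 1812, fa0 and fa1 are the routed WAN ports while fa2-fa9 are switch ports, so the ASA-facing address lives on a VLAN interface rather than on fa3 itself.

```cisco
! Added example (not from the thread). All addresses are assumed; see the lead-in.
!
! Probe each ISP gateway. A failed probe takes that ISP's default route
! and its PBR next hop out of service.
ip sla 1
 icmp-echo 1.1.1.1 source-interface FastEthernet0
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 2.2.2.1 source-interface FastEthernet1
 frequency 10
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Destination-based defaults: ISP1 primary, ISP2 backup (higher admin distance).
! Each is withdrawn from the routing table when its track object is down.
ip route 0.0.0.0 0.0.0.0 1.1.1.1 track 1
ip route 0.0.0.0 0.0.0.0 2.2.2.1 10 track 2
!
! Return routes for the NAT pools point at the ASA outside address, so
! inbound traffic for either pool reaches the firewall regardless of the ISP it came from.
ip route 1.1.1.128 255.255.255.128 172.16.0.2
ip route 2.2.2.128 255.255.255.128 172.16.0.2
!
! Source-based policy: anything the ASA translated into the ISP2 pool leaves via ISP2.
! Packets sourced from the ISP1 pool do not match and follow the routing table.
access-list 100 permit ip 2.2.2.128 0.0.0.127 any
route-map inet_isp2 permit 10
 match ip address 100
 ! verify-availability: if track 2 is down the set clause is skipped and the
 ! packet falls back to the routing table instead of being blackholed
 set ip next-hop verify-availability 2.2.2.1 10 track 2
!
interface FastEthernet0
 description ISP1
 ip address 1.1.1.2 255.255.255.128
!
interface FastEthernet1
 description ISP2
 ip address 2.2.2.2 255.255.255.128
!
! fa3 is a layer-2 switch port on the 1812; put it in a VLAN and address the SVI.
interface FastEthernet3
 description ASA outside
 switchport access vlan 10
!
interface Vlan10
 description router-to-ASA link
 ip address 172.16.0.1 255.255.255.252
 ! PBR is evaluated on the ingress interface, i.e. on traffic coming from the ASA
 ip policy route-map inet_isp2
```

Two caveats. First, the `ip sla` / `track ... ip sla` keywords are the current syntax; releases of the 12.4 era that shipped on the 1812 use `ip sla monitor` / `type echo protocol ipIcmpEcho` and `track 1 rtr 1 reachability` for the same thing. Second, tracking only solves half of the failover problem Narayan points at: when ISP2 goes down, flows already translated into the 2.2.2.128/25 pool fall through to ISP1 carrying ISP2-owned source addresses, and ISP1 may drop them under source-address filtering (BCP 38); new flows keep working only if the ASA stops translating into the dead pool, which this router-side config cannot make it do.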
07-23-2007 12:53 PM
I realize that failover is a problem. I will try a work around using the track function.
That example you gave doesn't really explain anything to me as to what I need to do either. You mention an ASA cluster, but I don't have one. I have a router and an ASA.
Let's go back to basics here. I have 2 internet connections coming in that connect to the 1812 router. ISP#1 (call it 1.1.1.1/25) connects to fa0. ISP#2 (call it 2.2.2.2/25) connects to fa1. The ASA will connect to fa3. My first thought was to make a new subnet for a DMZ and assign an IP from that to fa3. I will not use NAT on the router. On the ASA, I will connect eth0/0 to the router and give it an IP in the DMZ subnet. Eth0/1 will connect to my internal network (192.168.x.x/24). I will use the ASA as the firewall and VPN device.
Now, I will have 2 different ranges of IP addresses coming through the router to the ASA that will need to have static mappings to my mail/web/etc servers on the internal network. Can I just set up the static mappings on the ASA as usual?
07-23-2007 01:06 PM
The above example was mostly to load balance traffic originating from inside to outside.
In any case, configure PBR on fa3 as mentioned.
The ASA would anyway have a default route pointing to the router.
If you are planning to use separate subnets between the FW and the router, you would require 2 static routes for the respective IP pools pointing to the ASA.
If you want to load balance inbound traffic to the servers, configure static NATs on some servers using the ISP1 range and others using the ISP2 range.
HTH, rate if it does
Narayan
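The ASA side of the design Narayan describes: a single default route toward the router, outbound translation split across the two ISP pools, and static mappings for the servers spread over both ranges. This is an added example in ASA 7.2 (pre-8.3 `nat`/`global`/`static`) syntax, not the poster's or Cisco's configuration, and its addressing is assumed to match the router example above: inside 192.168.1.0/24, ASA outside 172.16.0.2/30 facing the router at 172.16.0.1, ISP1 pool 1.1.1.128/25 and ISP2 pool 2.2.2.128/25, both of which the router must route to 172.16.0.2. Server addresses 192.168.1.10 and 192.168.1.20 are placeholders. On a 5505 the Ethernet0/x ports are switch ports, so the `nameif`/`ip address` go on VLAN interfaces.

```cisco
! Added example (not from the thread). All addresses are assumed; see the lead-in.
!
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 1
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.0.2 255.255.255.252
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! One default route to the router; the router's PBR decides the ISP link
! based on the translated source address, so the ASA needs no ISP knowledge.
route outside 0.0.0.0 0.0.0.0 172.16.0.1 1
!
! Outbound load sharing: the lower half of the inside /24 is PATed to an
! ISP1-pool address, the upper half to an ISP2-pool address. The nat-id
! (1 or 2) ties each inside subnet to its global pool.
nat (inside) 1 192.168.1.0 255.255.255.128
global (outside) 1 1.1.1.130
nat (inside) 2 192.168.1.128 255.255.255.128
global (outside) 2 2.2.2.130
!
! Inbound: one-to-one statics, one server published on each ISP's range.
! The mapped addresses are not on the outside subnet; they work because the
! router routes both pools to this interface, so no proxy ARP is involved.
static (inside,outside) 1.1.1.140 192.168.1.10 netmask 255.255.255.255
static (inside,outside) 2.2.2.140 192.168.1.20 netmask 255.255.255.255
!
! A static only creates the translation; the outside ACL must still permit
! the traffic. Pre-8.3, the ACL references the mapped (public) address.
access-list outside_in extended permit tcp any host 1.1.1.140 eq smtp
access-list outside_in extended permit tcp any host 2.2.2.140 eq www
access-group outside_in in interface outside
```

Replies from a server published on 2.2.2.140 leave the ASA with that source, match the router's ISP2 policy, and go back out the link they arrived on, so routing stays symmetric per pool. The limitation from the earlier post still holds: a server reachable only via 1.1.1.140 is unreachable while ISP1 is down, since nothing here re-publishes it on the ISP2 range.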