ASA or 2800

Unanswered Question
Apr 23rd, 2008

I am trying to decide the best way to set up my WANs with dual ISPs. Would it be better to have a router and an ASA or just a 2800 ISR? I will have 2 connections: 1 - 3Mbps dual T1 and 1 - broadband 10Mbps down and 1Mbps up. I'm not sure if the router can handle these speeds.

Richard Burts Wed, 04/23/2008 - 09:42


I believe that routers in the low end of the 2800 family (2801, 2811) would not handle the load of 2 T1s multilinked and a broadband. I think that routers at the upper end of the family would handle it better. I would suggest that you look to the 2851 as the 2800 best able to handle that level of traffic.

I believe that you would have a more effective security solution if you had both a router and an ASA. An ISR router with the Advanced Security feature set can be a pretty effective firewall. But the ASA is better at being a firewall. And if you have any concern about the ability of the 2800 to process the load of the combined interfaces then there is an advantage to having the router route (but not firewall) and leaving the firewall processing to the ASA.



patrickgarman Wed, 04/23/2008 - 14:10

Hi Rick,

Thanks for the response. How does that work exactly? If I were to connect both my ISPs to the router and put the ASA between my internal network and the router, how can I get the ASA to still perform all the VPN and NAT functions and have the ability to NAT to both ISPs at the same time?

Richard Burts Thu, 04/24/2008 - 04:14


How you implement it will depend somewhat on how you want it to work. Do you want to treat both providers as equal and try to load-share traffic, do you want to treat it as a primary and a backup, or do you want most traffic to go through one provider and certain types of traffic to go through the other provider?

Some people implement the functionality of using both providers equally by provisioning 2 ASAs, with one ASA processing traffic for one of the providers and the other ASA processing traffic for the other provider. This makes the translation issues and VPN more straightforward. You might need something like VRF lite or Policy Based Routing on the router to make sure that traffic from each ASA goes out the correct outbound interface.

I recently implemented for a customer the functionality that most traffic uses one outbound connection and certain specified traffic uses the other outbound connection. I let the ASA process the traffic normally (including translation). On the router I configured Policy Based Routing to identify certain traffic (web browsing and Email) and send it out the other outbound interface. The router does its own translation of traffic going out the alternative interface.

So how do you want things to work in your implementation?



patrickgarman Thu, 04/24/2008 - 06:30


This is what I am trying to achieve.

I have ISP-1 currently connected to an ASA 5510. That handles all traffic including Internet, Email and VPN. I am adding an additional WAN connection now and I need to have Internet, WAN and VPN fail over to the new ISP (ISP-2).

Here is another config I need to do. I need to have all my Internet traffic use ISP-2 when operating normally and VPN and Email traffic use ISP-1 when operating normally. If one of the connections fails, I need to have the Internet and VPN fail over to the other ISP. Email I won't be able to do, but I need my VPNs and Internet to stay up.

I only want to purchase 1 more device if possible as this can't be done with 1 ASA. I don't have a router for my LAN, I am currently using the VLAN routing on my 3750 switches.

Richard Burts Thu, 04/24/2008 - 09:08


If I am understanding correctly, your first scenario is a primary / backup implementation. But I am a little unclear about the environment which you describe as ISP-1 connected to the ASA. Is it a direct connection of ISP to ASA (there is no router involved)?

If there is not currently a router then the first step is to get a router into place and to make whatever changes may be needed to have the ASA pass traffic to the router, which will pass it to ISP-1. Once this is in place and is working then you can bring up the second connection and make the changes to utilize it. I would expect that the router would have a static default route to ISP-1 and you would configure a floating static default route pointing to ISP-2. You would also want to configure address translation so that traffic being forwarded to ISP-2 would be translated by the router into address space associated with ISP-2. So long as the connection to ISP-1 is up, traffic will flow to ISP-1, and if that connection comes down then the floating static route will be placed into the routing table and used to send traffic to ISP-2.

Your second scenario involves the backup capability but also will send certain types of traffic out the interface to the other provider in normal circumstances. To implement this I would first do the steps suggested in the first scenario: primary static default route, floating static default route, and address translation by the router on traffic going out the new ISP connection. Then I would configure Policy Based Routing to take whatever traffic you want to identify (VPN, Email, or whatever) and set its next hop to be out the other interface.
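The router side of the design Rick describes in this reply and in his earlier one (ASA translates normally, router holds a primary and a floating default route, translates only what leaves via ISP-2, and policy-routes selected traffic) as an added IOS example, not configuration posted in this thread. Addressing, interface names and the choice of web browsing as the ISP-2 traffic are constructed for the example; the reachability tracking with IP SLA is an addition to what the thread describes, included because a plain floating static route only takes over when the ISP-1 interface itself goes down, not when the provider fails further upstream.

```cisco
! Constructed addressing (RFC 5737 documentation ranges), not from the thread:
!   ISP-1 (dual T1 on a multilink bundle): link 203.0.113.0/30, gateway 203.0.113.1
!   ISP-2 (broadband Ethernet):            link 198.51.100.0/30, gateway 198.51.100.1
!   Router-to-ASA segment (ISP-1 space):   203.0.113.16/28, ASA outside = 203.0.113.18
!
interface Multilink1
 description ISP-1 - dual T1 bundle
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/0
 description ISP-2 - broadband
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 description towards the ASA outside interface
 ip address 203.0.113.17 255.255.255.240
 ip nat inside
 ip policy route-map INTERNET-VIA-ISP2
!
! Gateway reachability probes (addition to the thread's design): each track
! object goes down when its ISP gateway stops answering pings.
ip sla 1
 icmp-echo 203.0.113.1 source-interface Multilink1
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 198.51.100.1 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Primary default via ISP-1 (AD 1, withdrawn when track 1 fails);
! floating default via ISP-2 (AD 250) installs only while the primary is absent.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 250
!
! Traffic arriving from the ASA has already been translated into ISP-1 space.
ip access-list extended FROM-ASA
 permit ip 203.0.113.16 0.0.0.15 any
!
! Web browsing is steered to ISP-2 in normal operation. VPN (IKE/ESP) and mail
! are not matched, so they follow the default route to ISP-1 and keep their
! registered ISP-1 source address.
ip access-list extended WEB-BROWSING
 permit tcp 203.0.113.16 0.0.0.15 any eq 80
 permit tcp 203.0.113.16 0.0.0.15 any eq 443
!
route-map INTERNET-VIA-ISP2 permit 10
 match ip address WEB-BROWSING
 ! Honour the ISP-2 next hop only while track 2 is up; otherwise the packet
 ! falls through to normal routing (ISP-1).
 set ip next-hop verify-availability 198.51.100.1 10 track 2
!
! Translate only what actually leaves via ISP-2, into ISP-2's address space
! (the match on the outgoing interface keeps ISP-1 traffic untranslated).
route-map NAT-ISP2 permit 10
 match ip address FROM-ASA
 match interface FastEthernet0/0
!
ip nat inside source route-map NAT-ISP2 interface FastEthernet0/0 overload
```

The ASA keeps its existing configuration: its default route points at 203.0.113.17 and it translates the LAN into its ISP-1 addresses as before. With ISP-1 up, `show ip route` shows the ISP-1 default, `show track` shows both objects up, and `show ip nat translations` only lists entries for flows that went out FastEthernet0/0. When track 1 fails, everything leaves via ISP-2 with an ISP-2 source address; inbound sessions to the ISP-1 addresses (the VPN endpoint on the ASA, the mail server) are still unreachable during that outage, which is the limitation the next reply in the thread points out.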



Please also consider that this may not give you the failover you desire. When you translate over to ISP-2's address space, that may keep the connections up, but new connections will fail and the target IP you had on ISP-1 will not be available (ISP-1 is down). Also, stateful failover is not possible without BGP (I am not 100% certain on that), but I am almost certain that any SSL or IPsec sessions will disconnect.

If BGP is not possible (I assume it isn't, considering the hardware):

You may want to look at this: specify secondary servers in your DNS setup so that the sessions will try to hit the second IP address set for your services.

This is important for email because although email may technically be up, a lot of your outgoing will get killed as spam on remote servers as it doesn't come from the registered IP when they reverse check it. It's not perfect but it's the best I have been able to come up with so far.

PS: I run this setup with 1 T1 and a 10Mb down cable modem off an 1811. It shows no sign of being overloaded. It also serves as a DMVPN hub for my site-to-site VPNs. PBRs and floating static routes are also in this. However, I was not able to get both static and dynamic NAT to work on the same interface. So I added a second 1811 with the reverse of my configs for failover purposes.

Hope this helps to guide you to a solution.

If I am wrong then please help me to improve my knowledge. I am just a novice with Cisco...


