ASA load balancing to two routers

scottwclarke
Level 1

Hi All,

Is there any way I can load balance across two routers?

I have an ASA with two routers attached. Each of the routers has two instances of HSRP running on it, each with its own IP address; each router is the primary for one of the HSRP instances. If there was no ASA in the way, I would set DHCP to run through one and all the server functions through another: hey presto, load balancing (of a sort). However, I cannot do this as the ASA has only one internal IP address. The routers are handling NATing as they are on different IP ranges on different ISPs.

I cannot use GLBP as the changing external IP would break connections for VPN, RDP and SMTP.

Is there any way I can make the ASA route based on source IP, or any other way of separating out the traffic between the two routers?

Thanks in advance,

Scott

1 Accepted Solution

Marwan ALshawi
VIP Alumni

You can't route based on source IP with a firewall; that is only possible with a router, by PBR.

You can make two static routes, each one pointing to a different router with a different metric.

In this case it will make the topology like active/standby, which is not good in your case.

But you can use subinterfaces on your ASA; in this case make each subinterface in a different subnet and a different security level

and let each subinterface use a different HSRP instance.

Or there is another way.

If you don't use VPN on your ASA, you can achieve it by using multiple contexts.

In multiple context mode you separate your firewall virtually,

so if you have two VLANs in your inside network (two different subnets)

then each subnet will use a different firewall virtually.

You divide the internal interface into two subinterfaces

and you can use one outside interface shared between the contexts, or also separate it into two subinterfaces,

and allocate those interfaces to each context.

So you deal with each context as a different firewall

and you can use a different HSRP instance on each context.

But with multiple contexts you can't use VPN on the firewall.

*****use the following method*****

THE OTHER WAY, WHICH I ALSO SUGGEST YOU TRY, IS THE Transparent Firewall.

In this case your firewall will operate in L2 mode,

so you can use the routers' HSRP IPs as there is no firewall in the path,

which I think is helpful in your case also.

In transparent mode the default gateway for your clients will be the HSRP IP, because the firewall will not have any IPs except for management.

Also the users will be in the same IP subnet as the gateway, in your case the HSRP VIP,

and also you can control the network security through the firewall normally.

Try this way and let me know.

See the following link for configuration:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml

please, Rate if helpful
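A minimal sketch of the transparent-mode setup described in the accepted answer, added here as an example (it is not configuration posted in the thread or copied from the linked Cisco document). It assumes ASA 7.x/8.0-style syntax with a single global management address; the subnet 192.168.1.0/24, the HSRP virtual IPs 192.168.1.1 and 192.168.1.2, the mail server 192.168.1.20, the interface assignments and the ACL name are all constructed for illustration.

```cisco
! Added example. All addresses and names below are constructed assumptions.
!
! Switching firewall mode clears the running configuration, so back up
! the existing config before entering this command.
firewall transparent
!
! In transparent mode the data interfaces carry no IP address.
! Both routers (and their HSRP virtual IPs) sit on the outside segment.
interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown
!
! Clients and servers sit on the inside segment, in the same subnet
! as the routers.
interface Ethernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! Single management address, in the same subnet as the connected hosts.
! The ASA needs it to pass traffic, but it is never a client's gateway.
ip address 192.168.1.5 255.255.255.0
!
! Default gateways are set on the hosts, not on the ASA:
!   DHCP clients  -> 192.168.1.1 (HSRP group active on router A, assumed)
!   servers       -> 192.168.1.2 (HSRP group active on router B, assumed)
! ARP passes through the transparent firewall by default, so hosts can
! resolve either virtual IP.
!
! Inside-to-outside IP traffic is permitted by the security levels.
! Outside-to-inside traffic still needs an explicit ACL. The routers do
! the NAT, so inbound SMTP arrives addressed to the server's inside IP.
access-list OUTSIDE-IN extended permit tcp any host 192.168.1.20 eq smtp
access-group OUTSIDE-IN in interface outside
!
! Checks after applying:
!   show firewall            (should report transparent mode)
!   show mac-address-table   (router and HSRP virtual MACs on outside)
```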


3 Replies

Thank you, the transparent mode worked perfectly.

I am glad it's working :)
