Two internet connections with ASA

Unanswered Question
Oct 7th, 2008

I have two broadband internet connections and two LAN networks. One LAN network is using the first internet connection and the other LAN is using the second internet connection. I am already using the ASA for one internet connection. I want to connect the second internet connection to the ASA. Is it possible? If yes, kindly give me the idea.

Overall Rating: 5 (1 ratings)
CSCO10320953 Wed, 10/08/2008 - 02:12

Thanks. But my case is different: one LAN network is using the first internet connection and the other one should use the second internet connection through the ASA network.

CSCO10320953 Wed, 10/08/2008 - 02:46

I am not using any Cisco router. The ASA and the service provider modem are in the network.

abinjola Wed, 10/08/2008 - 04:03

You require policy-based routing (PBR) here, which unfortunately the ASA is not able to do.


Though I found this article; see if this helps ...


Lets say customer has above setup, with ISP1 being the Primary ISP and ISP2 being the Secondary ISP.


I'm assuming that you all know how ISP failback is configured and how it functions. To summarize, in ISP failback all traffic goes out using ISP1 and if it fails, the ASA/PIX starts routing traffic via ISP2.


Scenario I

==========


Now, the customer does not want to configure ISP failback, but he needs to route web (port 80, 443) traffic via ISP2 and all other traffic via ISP1. This requires PBR, which is not supported on ASA/PIX, but we can configure a workaround on ASA/PIX to make it work.


Following are the commands which will achieve it:


! Default route pointing to ISP1 (metric 1)
route ISP1 0 0 1.1.1.2

! Second default route via ISP2 with metric 2
route ISP2 0 0 2.2.2.2 2


! Port-based statics: any destination reached on tcp/80 or tcp/443
! is treated as living behind the ISP2 interface, so those flows
! leave via ISP2 regardless of the route table
static (ISP2,inside) tcp 0.0.0.0 80 0.0.0.0 80

static (ISP2,inside) tcp 0.0.0.0 443 0.0.0.0 443


! Do not proxy-ARP on the inside for the 0.0.0.0 statics above
sysopt noproxyarp inside


! PAT all inside hosts to the address of whichever ISP interface they leave from
nat (inside) 1 0 0

global (ISP1) 1 interface

global (ISP2) 1 interface


That's it! Now all the traffic destined to any address on port 80/443 will be forcibly put on the ISP2 interface and routed from there.


Note: This requires that we KNOW what the destination ports are. If there is some traffic which uses dynamic ports, like voice traffic, we will have to route it via ISP1 and cannot make it route via ISP2.


Scenario II

===========


In the same setup, if the customer says that he wants half of the traffic to go via ISP1 and half via ISP2, first you need to explain to the customer that the ASA is NOT a load balancer or packet shaper. Hence we cannot *truly* achieve this, but we may configure the ASA in such a manner that traffic for some destination IP addresses is routed via ISP1 and some is routed via ISP2. Following would be the configuration commands in this scenario:


! PAT inside hosts to whichever ISP interface the route lookup selects
nat (inside) 1 0 0

global (ISP1) 1 interface

global (ISP2) 1 interface


! Split the default route into two /1 halves: 128.0.0.0/1 (first bit 1) via ISP1,
! 0.0.0.0/1 (first bit 0) via ISP2. Together they cover all of IPv4.
route ISP1 128.0.0.0 128.0.0.0 1.1.1.2

route ISP2 0.0.0.0 128.0.0.0 2.2.2.2


The first creates a default route that routes addresses whose first bit is 1 to 1.1.1.2 on ISP1.


The second creates a default route that routes addresses whose first bit is 0 to 2.2.2.2 on ISP2.


Note: This will do traffic routing based on *destination* IP addresses and NOT based on traffic load. As I mentioned, the ASA is NOT a packet shaper.
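The two scenarios above both come down to how the ASA picks an egress interface for a given destination. The following is an added example (not from the thread and not Cisco code) that simulates that decision in Python: a longest-prefix route lookup with metric tie-break, plus the port-based static override from Scenario I, and a check that the two /1 halves in Scenario II really partition the IPv4 space. The helper names and the sample destinations are assumptions; the next hops and ports are the ones the post uses.

```python
"""Simulate the ASA egress-interface choice for the two scenarios.

Added example, not part of the forum thread or any Cisco code.
Function names, route tables and sample destinations are hypothetical;
next hops 1.1.1.2 (ISP1) and 2.2.2.2 (ISP2) follow the post.
"""
import ipaddress

# Scenario I: two default routes (ISP1 metric 1, ISP2 metric 2) plus
# statics that pin tcp/80 and tcp/443 to the ISP2 interface.
SCENARIO_I_ROUTES = [
    # (egress interface, destination network, next hop, metric)
    ("ISP1", ipaddress.ip_network("0.0.0.0/0"), "1.1.1.2", 1),
    ("ISP2", ipaddress.ip_network("0.0.0.0/0"), "2.2.2.2", 2),
]
SCENARIO_I_STATICS = {("tcp", 80): "ISP2", ("tcp", 443): "ISP2"}

# Scenario II: default route split into two /1 halves by the first bit.
SCENARIO_II_ROUTES = [
    ("ISP1", ipaddress.ip_network("128.0.0.0/1"), "1.1.1.2", 1),
    ("ISP2", ipaddress.ip_network("0.0.0.0/1"), "2.2.2.2", 1),
]


def route_lookup(routes, dst):
    """Return the egress interface for dst: longest prefix wins, and
    among equal prefixes the lowest metric wins (no load sharing)."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[1]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r[1].prefixlen, -r[3]))
    return best[0]


def egress_interface(routes, statics, dst, proto=None, dport=None):
    """Scenario I behaviour: a 'static (ISP2,inside) <proto> 0.0.0.0 <port>'
    makes every destination on that port appear to live behind ISP2, so the
    static decides before the route table is consulted. Any other flow,
    including dynamic-port traffic, falls back to the plain route lookup."""
    if statics and (proto, dport) in statics:
        return statics[(proto, dport)]
    return route_lookup(routes, dst)


def halves_partition_ipv4(routes):
    """Check that the Scenario II /1 routes are disjoint and together
    cover 0.0.0.0/0, i.e. no destination is left without a route."""
    nets = [r[1] for r in routes]
    if len(nets) != 2 or nets[0] == nets[1]:
        return False
    return all(n.prefixlen == 1 for n in nets) and \
        nets[0].supernet() == nets[1].supernet() == ipaddress.ip_network("0.0.0.0/0")


if __name__ == "__main__":
    # Constructed sample destinations: 8.8.8.8 has first bit 0,
    # 208.67.222.222 has first bit 1.
    for dst, proto, port in [("8.8.8.8", "tcp", 443), ("8.8.8.8", "tcp", 25),
                             ("208.67.222.222", "udp", 5060)]:
        print("Scenario I ", dst, proto, port, "->",
              egress_interface(SCENARIO_I_ROUTES, SCENARIO_I_STATICS, dst, proto, port))
        print("Scenario II", dst, "->", route_lookup(SCENARIO_II_ROUTES, dst))
    print("Scenario II halves partition IPv4:", halves_partition_ipv4(SCENARIO_II_ROUTES))
```

Running it shows the point made in the notes above: in Scenario I only the explicitly listed ports leave via ISP2, everything else (including the UDP voice flow) follows the metric-1 default to ISP1; in Scenario II the split is purely by destination address, so two busy destinations that happen to share a first bit both land on the same ISP.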


CSCO10320953 Wed, 10/08/2008 - 04:45

Very good info. I need to connect the internet connection physically to the ASA. One internet connection is already connected to the ASA and working fine because of your (abinjola) help. So two interfaces are already used. I have only one interface now, because the fourth interface (0/3) is not showing in the ASA (interfaces 0, 1, 2 are available). How will I connect the second internet connection?

abinjola Wed, 10/08/2008 - 04:51

hello Kumaran,


Do rate all helpful posts and kindly mark them with a "check"/"tick" so that others could refer to that post and get some help.


Appreciate it

CSCO10320953 Thu, 10/09/2008 - 01:51

I have done that for the proxy/mail server post (rating 5), where you helped me a lot. In continuation, I need to connect the internet connection physically to the ASA (proxy/mail server). One internet connection is already connected to the ASA and working fine because of your (abinjola) help. So two interfaces are already used. I have only one interface now, because the fourth interface (0/3) is not showing in the ASA (interfaces 0, 1, 2 are available). How will I connect the second internet connection? Please reply back to me.

Gian Paolo Boarina Mon, 11/24/2008 - 09:25

Possible solution:


ASA interfaces:

ISP1 1.1.1.3

ISP2 2.2.2.3

VLAN1 192.168.1.10

VLAN2 192.168.2.10


ISP1 router: 1.1.1.1

ISP2 router: 2.2.2.2


Target: VLAN1 goes out with ISP1 and VLAN2 with ISP2.


NAT rules:

! Present each ISP router to its VLAN under an inside address (hosts use it as gateway)
static (ISP1,VLAN1) 192.168.1.1 1.1.1.1

static (ISP2,VLAN2) 192.168.2.1 2.2.2.2

! Separate NAT IDs per VLAN, each with a PAT global on its own ISP interface
nat (VLAN1) 1 0 0

nat (VLAN2) 2 0 0

global (ISP1) 1 interface

global (ISP2) 2 interface

VLAN1 gateway on hosts: 192.168.1.1

VLAN2 gateway on hosts: 192.168.2.1


Could it work? I'll try it in a lab ASAP.

Gian Paolo Boarina Tue, 12/02/2008 - 00:06

UPDATE:

I've tried it in a lab; it doesn't work.

Now I'll reconfigure the ASA in multiple context mode; it seems to be the only solution.
