Two internet connection with ASA

CSCO10320953
Level 1

I have two broadband internet connections and two LAN networks. One LAN network is using the first internet connection and the other LAN is using the second internet connection. I am already using the ASA for one internet connection. I want to connect the second internet connection to the ASA. Is it possible? If yes, kindly give me an idea.


Thanks. But my case is different: one LAN network is using the first internet connection and the other one should use the second internet connection through the ASA network.

I am not using any Cisco router. The ASA and the service provider modem are in the network.

You require Policy Based Routing here, which the ASA unfortunately is not capable of doing.

Though I found this article; see if this helps:

Let's say the customer has the above setup, with ISP1 being the primary ISP and ISP2 being the secondary ISP.

I'm assuming that you all know how ISP failback is configured and how it functions. To summarize, in ISP failback all traffic goes out using ISP1 and if it fails, the ASA/PIX starts routing traffic via ISP2.

Scenario I

==========

Now, the customer does not want to configure ISP failback, but he needs to route web (port 80, 443) traffic via ISP2 and all other traffic via ISP1. This requires PBR, which is not supported on ASA/PIX, but we can configure a workaround on ASA/PIX to make it work.

Following are the commands which will achieve it:

route ISP1 0 0 1.1.1.2 //Default route pointing to ISP1
route ISP2 0 0 2.2.2.2 2 //Default route with metric 2 via ISP2
static (ISP2,inside) tcp 0.0.0.0 80 0.0.0.0 80
static (ISP2,inside) tcp 0.0.0.0 443 0.0.0.0 443
sysopt noproxyarp inside
nat (inside) 1 0 0
global (ISP1) 1 interface
global (ISP2) 1 interface

That's it! Now all the traffic destined to any address on port 80/443 will be forcibly put on the ISP2 interface and routed from there.

Note: This requires that we KNOW what the destination ports are. If there is some traffic which uses dynamic ports, like voice traffic, we will have to route it via ISP1 and cannot make it route via ISP2.

Scenario II

===========

In the same setup, if the customer says that he wants half the traffic to go via ISP1 and half via ISP2, first you need to explain to the customer that the ASA is NOT a load-balancer or packet-shaper. Hence we cannot *truly* achieve this, but we may configure the ASA in such a manner that traffic for some destination IP addresses is routed via ISP1 and some is routed via ISP2. Following would be the configuration commands in this scenario:

nat (inside) 1 0 0
global (ISP1) 1 interface
global (ISP2) 1 interface
route ISP1 128.0.0.0 128.0.0.0 1.1.1.2
route ISP2 0.0.0.0 128.0.0.0 2.2.2.2

The first creates a default route that routes addresses with the first bit of 1 to 1.1.1.2 of ISP1.

The second creates a default route that routes addresses with the first bit of 0 to 2.2.2.2 of ISP2.

Note: This will do traffic routing based on *Destination* IP addresses and NOT based on traffic load. As I mentioned, ASA is NOT a packet-shaper.
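To make the two workarounds above concrete, here is an added Python model (not from the thread or from Cisco) of how they select an egress interface: Scenario I's port-based static entries are consulted first, as the article says they force port 80/443 onto ISP2, and otherwise the route table is searched with longest-prefix match, which is why Scenario II's two /1 routes split the address space on its first bit. The static entries are modelled simply as (interface, protocol, port) tuples; this is an assumption for illustration, not the ASA's real NAT engine.

```python
"""Model of the dual-ISP ASA workarounds from the article above."""
import ipaddress

# Scenario I: port-based static entries (egress interface, protocol, port)
SCENARIO1_STATICS = [("ISP2", "tcp", 80), ("ISP2", "tcp", 443)]
# Scenario I routes: (interface, prefix, next hop, metric)
SCENARIO1_ROUTES = [
    ("ISP1", "0.0.0.0/0", "1.1.1.2", 1),
    ("ISP2", "0.0.0.0/0", "2.2.2.2", 2),
]
# Scenario II: two /1 routes, split on the first bit of the destination
SCENARIO2_ROUTES = [
    ("ISP1", "128.0.0.0/1", "1.1.1.2", 1),  # route ISP1 128.0.0.0 128.0.0.0
    ("ISP2", "0.0.0.0/1", "2.2.2.2", 1),    # route ISP2 0.0.0.0 128.0.0.0
]


def route_lookup(routes, dst):
    """Longest prefix match; on equal prefix length the lower metric wins.
    Returns (interface, next_hop) or None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for ifc, prefix, next_hop, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, ifc, next_hop)
    return None if best is None else (best[1], best[2])


def egress(statics, routes, dst, proto="tcp", dport=None):
    """Pick the egress interface for a flow the way the article describes:
    a matching port-based static entry wins, else the route table decides."""
    for ifc, p, port in statics:
        if p == proto and port == dport:
            return ifc
    hit = route_lookup(routes, dst)
    return hit[0] if hit else None


if __name__ == "__main__":
    # Constructed sample flows (documentation addresses, not real hosts)
    for dst, port in [("198.51.100.10", 443), ("198.51.100.10", 25)]:
        print("Scenario I", dst, port, "->", egress(SCENARIO1_STATICS, SCENARIO1_ROUTES, dst, "tcp", port))
    for dst in ["198.51.100.10", "8.8.8.8"]:
        print("Scenario II", dst, "->", egress([], SCENARIO2_ROUTES, dst))
```

Running it shows the article's caveats directly: in Scenario I anything that is not tcp/80 or tcp/443 falls through to ISP1, and in Scenario II the split is purely by destination address, so a busy destination on one side of 128.0.0.0 never moves to the other ISP.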

Very good info. I need to connect the internet connection physically to the ASA. Already one internet connection is connected to the ASA and working fine because of your (abinjola) help. So two interfaces are already used. I have only one interface now because the fourth interface (0/3) is not showing in the ASA (int 0, 1, 2 available). How will I connect the second internet connection?

Hello Kumaran,

Do rate all helpful posts and kindly mark them with a "check"/"tick" so that others could refer to that post and get some help.

Appreciate it.

I have done it for the proxy/mail server post (rating 5), where you helped me a lot. In continuation, I need to connect the internet connection physically to the ASA (proxy/mail server). Already one internet connection is connected to the ASA and working fine because of your (abinjola) help. So two interfaces are already used. I have only one interface now because the fourth interface (0/3) is not showing in the ASA (int 0, 1, 2 available). How will I connect the second internet connection? Please reply back to me.

If you only have 3 interfaces, and you have already used them, then you need to "trunk" and "VLAN" the outside connections on a switch. You can have 1 physical and many virtual interfaces.

Some pointers to help you along:

http://www.cisco.com/en/US/docs/security/asa/asa72/getting_started/asa5505/quick/guide/vlans.html

http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/user/guide/ifcs5505.html

HTH

Do you have any physical interface left on the ASA to plug your second ISP line into?

If not, then you need to create another interface on the ASA; this would be a logical interface (VLAN).

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.html

Gian Paolo
Level 1

Possible solution:

ASA interfaces:

ISP1 1.1.1.3
ISP2 2.2.2.3
VLAN1 192.168.1.10
VLAN2 192.168.2.10

ISP1 router: 1.1.1.1
ISP2 router: 2.2.2.2

Target: VLAN1 goes out with ISP1 and VLAN2 with ISP2.

NAT rules:

static (ISP1,VLAN1) 192.168.1.1 1.1.1.1
static (ISP2,VLAN2) 192.168.2.1 2.2.2.2
nat (VLAN1) 1 0 0
nat (VLAN2) 2 0 0
global (ISP1) 1 interface
global (ISP2) 2 interface

VLAN1 gateway on hosts: 192.168.1.1
VLAN2 gateway on hosts: 192.168.2.1

Could it work? I'll try it in a lab ASAP.

UPDATE:

I've tried it in a lab; it doesn't work.

Now I'll reconfigure the ASA in multiple context mode; it seems to be the only solution.
