10-07-2008 06:21 AM - edited 03-11-2019 06:54 AM
I have two broadband internet connections and two LAN networks. One LAN network is using one internet connection and the other LAN is using the second internet connection. I am already using the ASA for one internet connection. I want to connect the second internet connection to the ASA. Is it possible? If yes, kindly give me the idea.
10-07-2008 06:53 AM
10-08-2008 02:12 AM
Thanks. But my case is different: one LAN network is using the first internet connection and the other one should use the second internet connection through the ASA network.
10-08-2008 02:34 AM
10-08-2008 02:46 AM
I am not using any Cisco router. The ASA and the service provider modem are in the network.
10-08-2008 04:03 AM
You require policy-based routing here, which the ASA unfortunately is unable to do.
Though I found this article; see if this helps:
Let's say the customer has the above setup, with ISP1 being the primary ISP and ISP2 being the secondary ISP.
I'm assuming that you all know how ISP failback is configured and how it functions. To summarize, in ISP failback all traffic goes out using ISP1 and if it fails, the ASA/PIX starts routing traffic via ISP2.
Scenario I
==========
Now, the customer does not want to configure ISP failback, but he needs to route web (port 80, 443) traffic via ISP2 and all other traffic via ISP1. This requires PBR, which is not supported on ASA/PIX, but we can configure a workaround on ASA/PIX to make it work.
The following are the commands which will achieve it:
route ISP1 0 0 1.1.1.2 //Default route pointing to ISP1
route ISP2 0 0 2.2.2.2 2 //Default route with Metric 2 via ISP2
static (ISP2,inside) tcp 0.0.0.0 80 0.0.0.0 80
static (ISP2,inside) tcp 0.0.0.0 443 0.0.0.0 443
sysopt noproxyarp inside
nat (inside) 1 0 0
global (ISP1) 1 interface
global (ISP2) 1 interface
That's it! Now all the traffic destined to any address on port 80/443 will be forcibly put on the ISP2 interface and routed from there.
Note: This requires that we KNOW what the destination ports are. If there is some traffic which uses dynamic ports, like voice traffic, we will have to route it via ISP1 and cannot make it route via ISP2.
Scenario II
===========
In the same setup, if the customer says that he wants half the traffic to go via ISP1 and half via ISP2, first you need to explain to the customer that the ASA is NOT a load-balancer or packet-shaper. Hence we cannot *truly* achieve this, but we may configure the ASA in such a manner that traffic for some destination IP addresses is routed via ISP1 and some is routed via ISP2. The following would be the configuration commands in this scenario:
nat (inside) 1 0 0
global (ISP1) 1 interface
global (ISP2) 1 interface
route ISP1 128.0.0.0 128.0.0.0 1.1.1.2
route ISP2 0.0.0.0 128.0.0.0 2.2.2.2
The first creates a default route that routes addresses whose first bit is 1 to 1.1.1.2 of ISP1.
The second creates a default route that routes addresses whose first bit is 0 to 2.2.2.2 of ISP2.
Note: This will do traffic routing based on *destination* IP addresses and NOT based on traffic load. As I mentioned, the ASA is NOT a packet-shaper.
10-08-2008 04:45 AM
Very good info. I need to connect the internet connection physically into the ASA. Already one internet connection is connected to the ASA and working fine because of your (abinjola) help. So two interfaces are already used. I have only one interface now because the fourth interface (0/3) is not showing in the ASA (int 0, 1, 2 available). How will I connect the second internet connection?
10-08-2008 04:51 AM
Hello Kumaran,
Do rate all helpful posts and kindly mark them with a "check"/"tick" so that others could refer to that post and get some help.
Appreciate it.
10-09-2008 01:51 AM
I have done so for the proxy/mail server post (rating 5), where you helped me a lot. In continuation, I need to connect the internet connection physically into the ASA (proxy/mail server). Already one internet connection is connected to the ASA and working fine because of your (abinjola) help. So two interfaces are already used. I have only one interface now because the fourth interface (0/3) is not showing in the ASA (int 0, 1, 2 available). How will I connect the second internet connection? Please reply back to me.
10-09-2008 02:01 AM
If you only have 3 interfaces, and you have already used them, then you need to "trunk" and "VLAN" the outside connections on a switch. You can have 1 physical and many virtual interfaces.
Some pointers to help you along:
http://www.cisco.com/en/US/docs/security/asa/asa72/getting_started/asa5505/quick/guide/vlans.html
http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/user/guide/ifcs5505.html
HTH
10-10-2008 12:43 AM
Do you have any physical interface left on the ASA to plug your second ISP line into?
If not, then you need to create another interface on the ASA; this would be a logical interface (VLAN):
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.html
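As an added example of the trunk-and-VLAN approach suggested in the two replies above (constructed for this thread, not any poster's own configuration): an ASA 7.x configuration that carries both ISP connections as 802.1Q subinterfaces of the one remaining physical port, plus the matching switch side. The port name Ethernet0/2, VLAN IDs 10/20, switch port names and the 1.1.1.x/2.2.2.x addresses are assumptions.

```cisco
! --- ASA (constructed example; Ethernet0/2 assumed to be the free port) ---
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet0/2.10
 vlan 10
 nameif ISP1
 security-level 0
 ip address 1.1.1.3 255.255.255.0
!
interface Ethernet0/2.20
 vlan 20
 nameif ISP2
 security-level 0
 ip address 2.2.2.3 255.255.255.0
!
! Primary default route via ISP1, backup via ISP2 (metric 2)
route ISP1 0.0.0.0 0.0.0.0 1.1.1.1 1
route ISP2 0.0.0.0 0.0.0.0 2.2.2.2 2
!
! --- Switch (Cisco IOS, constructed) ---
vlan 10
 name ISP1-outside
vlan 20
 name ISP2-outside
!
! Trunk toward ASA Ethernet0/2: only the two outside VLANs are allowed,
! and DTP is turned off so the port cannot be renegotiated
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
! Each ISP modem on its own access port in its own VLAN
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 20
```

The nameifs ISP1 and ISP2 are the ones used in the route, nat and global commands earlier in the thread, so those workarounds apply unchanged to the subinterfaces.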
11-24-2008 09:25 AM
Possible solution:
ASA interfaces:
ISP1 1.1.1.3
ISP2 2.2.2.3
VLAN1 192.168.1.10
VLAN2 192.168.2.10
ISP1 router: 1.1.1.1
ISP2 router: 2.2.2.2
Target: VLAN1 goes out with ISP1 and VLAN2 with ISP2.
NAT rules:
static (ISP1,VLAN1) 192.168.1.1 1.1.1.1
static (ISP2,VLAN2) 192.168.2.1 2.2.2.2
nat (VLAN1) 1 0 0
nat (VLAN2) 2 0 0
global (ISP1) 1 interface
global (ISP2) 2 interface
VLAN1 gateway on hosts: 192.168.1.1
VLAN2 gateway on hosts: 192.168.2.1
Could it work? I'll try it in a lab ASAP.
12-02-2008 12:06 AM
UPDATE:
I've tried it in a lab, it doesn't work.
Now I'll reconfigure the ASA in multi context mode, it seems the only solution.