Firewall ISP Support

Unanswered Question
Dec 31st, 2008

I have an ASA 5540, and I have one ISP connected to it on the outside interface. Now I want to connect another 2 Mbps ISP line to it. Is it possible to connect it using the extended 4GE SSM card? Can a firewall support two ISPs at a time?

chetansharma Thu, 01/01/2009 - 21:01

But I want to know whether a firewall can support two ISPs at a time. That is, if I use a 4GE SSM card (with 4 extra Ethernet ports) in the ASA 5540, can I connect two different ISPs to the firewall? I think not, because how can two different kinds of traffic be processed at the same time?

chetansharma Fri, 01/02/2009 - 03:58

Thanks


So that means I can connect two different ISP links (1 Mbps and 2 Mbps) to a firewall (ASA 5540) at a time and both will work simultaneously, and I also want different zones (like inside, dmz) for both the links... Is it possible?

To load balance outbound over the 2 x ISPs, the equal cost default routes should be cool. If you want to connect them to separate zones, then this would only affect the inbound traffic over the links.


You are going to have to think about what you want to do with that, but should be cool.


HTH>

chetansharma Fri, 01/02/2009 - 20:15

THANKS


Here is the scenario: I have a 1 Mbps ISP line connected to my ASA 5540 and everything, like internet web hosting and applications, is working fine. Without disturbing the present setup, I want to add another 2 Mbps ISP line to the ASA 5540 to host other applications for a new project. Is it possible? There are no more ports available on the ASA, so if I upgrade the ASA with a 4GE SSM card, can both work simultaneously without affecting traffic?

Yes.


Another solution, if you have a Cisco or any other switch that can perform a dot1q trunk, would be to connect the current 1 Mbps circuit to a Cisco switch and create a specific VLAN for that ISP connection. Then, when you get the other ISP connection, create and connect it into another VLAN.


Then connect the outside of the ASA to the switch and make the switch port a trunk port to the ASA. Then you create a sub-interface on the outside interface of the ASA.


You don't need the 4GE card, BUT if the switch is faulty, you could possibly lose both connections.


HTH>

chetansharma Sat, 01/03/2009 - 03:13

Thanks a lot

OK, that means I can upgrade my firewall with a 4GE card and everything will work fine. I will go for this because the firewall is in failover (active/standby), so redundancy is there.

If you have any suggestions, please go ahead.

Thanks

victor_87 Sat, 01/03/2009 - 06:11

I would suggest you go for MULTIPLE_CONTEXT mode on your Cisco ASA. As you mentioned that you are using a 5540 ASA and also running failover, I assume that you have either the Security Plus license or the VPN Plus license installed on it.

To the best of my knowledge both these licenses support MULTIPLE_CONTEXT modes.


You can either go for an SSM card for the additional ports or, if you want to save some cost, you can use subinterfaces and VLANs on the ASA, with each subinterface lying in a different CONTEXT serving a completely different set of users or applications.


If you really want to get to the pinnacle of the configuration, you can go ahead and try ACTIVE/ACTIVE failover for the 2 contexts.



For multiple-context config you can refer to:


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml


And for Active/Active failover you can refer to:


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml



Active/active failover has several limitations, read the document carefully before you proceed.




Rate if helpful.




chetansharma Sun, 01/04/2009 - 02:35

I am unable to create a sub-interface on my ASA 5540. Failover is active/standby. How can I create a sub-interface and VLAN on the ASA 5540?

victor_87 Sun, 01/04/2009 - 04:04

Both the links I have posted above have resources about creating sub-interfaces on the ASA. It would be better if you read the documents first, understand them, and then proceed in the direction you are moving in.


Doing something without understanding what is being done will put you in trouble.
