Firewall ISP Support

Unanswered Question
Dec 31st, 2008

I have a ASA 5540,and i have one ISP connect to it with outside interface and now i want to connect a 2 mbps another isp line to them is it poosible to connect with the use of extended 4ge ssm card.can a firewall support to ISP at a time.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (2 ratings)
Loading.
chetansharma Thu, 01/01/2009 - 21:01

But i wan to know that can a firewall support two ISP at a time.means if i will use 4ge ssm(with 4 extra ethernet ports) card in Asa 5540 can i connect two different ISP to the firewall.i thnk it is not becoz at a time how two different traffic can process.

chetansharma Fri, 01/02/2009 - 03:58

Thanks

means i can connect two different isp(1mbps and 2 mbps) link on a firewall(ASA 5540) at a time and both will work simultaneously and i also want different zones(like inside,dmz) for both the links ...Is it possible???

chetansharma Fri, 01/02/2009 - 20:15

THANKS

See whats the scenario is there i have 1MBPS ISP line connected to my ASA 5540 and everything like internet web hosting,applications all are working fine,but without disturbing the present scenario i want to add another 2 MBPS ISP line to the ASA 5540 to host another applications of new project.Is it poosible... becoz there is no more port available on asa and if i upgrade ASA with a card 4GE SSM,can both work simultaneously without affecting traffic.

Yes.

Another solution would be if you have a cisco or any switch that can perform a do1q trunk, would be to connect the current 1MPS circuit to a cisco switch and create a specific vlan for that ISP connection. Then when you get the other ISP connection - create and connect it into another vlan.

Then connect the outside of the ASA to the switch and make the switch port a trunk port to the ASA. Then you create a sub-interface on the outside interface of the ASA.

You don't need the 4GE card, BUT if the switch is faulty - you could possible loss both connections.

HTH>

chetansharma Sat, 01/03/2009 - 03:13

Thanks a lot

ok means i can upgrade my firewall with a card 4ge and everything will work fine, i will go for this becoz firewall is in failover(active\standby)..so redundancy is thr.

If u have any suggestion pls go ahead.

Thanks

victor_87 Sat, 01/03/2009 - 06:11

I would suggest you go for the MULTIPLE_CONTEXT mode on your Cisco ASA, As you mentioned that you are using a 5540 ASA and also running failover, i assume that you either have the Security plus license or the vpn Plus license installed on it.

To the best of my knowledge both these licenses support MULTIPLE_CONTEXT modes.

You can either go for a SSM card for the additional ports or if you want to do some cost saving you can use subinterfaces and VLANS on the ASA, with each subinterfaces lying in a different CONTEXTS serving a completely different set of users or applications.

If you really want to get to the pinaccle of the configuration, you can go ahead and try ACTIVE/ACTIVE failover for the 2 contexts.

for multiple-context condig you can refer :

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml

and for Active/Active failover you can refer:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml

Active/active failover has several limitations, read the document carefully before you proceed.

Rate if helpful.

chetansharma Sun, 01/04/2009 - 02:35

i am unable to create sub-inerface on my asa 5540.Failover is active/stand-by.How can i create sunb-interface and vlan in ASA 5540.

victor_87 Sun, 01/04/2009 - 04:04

Both the links i have posted above have resources about creating sub-interfaces on the ASA. It would be better if you read the documents first , understand then and then proceed in the direction you are moving in.

Doing something without understanding what is being done will put you in trouble.

Actions

This Discussion