ASA 5520 - Adding New (Second ) ISP routing/NAT question

smartin · ‎06-10-2009

We are switching providers & need to know if I can route/NAT both providers at the same time.

By having both providers connected on different interfaces it would give me the ability to test the new ISP & would give me the flexibility to make changes to DNS.(we house several websites on our DMZ interface on the firewall)

Interfaces are

Outside (current ISP)

Outside2 (new ISP)

DMZ (Web servers)

Can anyone provide white papers.

Thanks in advance

Farrukh Haroon · ‎06-11-2009

The problem is that the Cisco ASA does not support multiple default routes pointing out two separate interfaces. Neither does it support PBR. You can have a active/backup configuration tough:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Regards

Farrukh

smartin · ‎06-11-2009

Could I have two ISP's coming in but going out through one ISP ?

Farrukh Haroon · ‎06-11-2009

As far as routing is concerned, yes. But the problem is that the NAT function (at least the static) is bi-directional. So traffic from the internal source will be translated to the 'passive' ISPs mapped IP (public IP). But it will be routed out the primary ISP. Whether this would work, depends on how your ISP is configured (Access-lists etc). Its worth a try tough.

Regards

Farrukh