ASA with two Internet connections and wanting load-balancing and redundancy

Unanswered Question
Jul 6th, 2009

Hi All,

I have the following scenario:

I have an ASA that has 2 connections to the Internet (through different ISPs). The ASA has a different public IP address per interface (belonging to each ISP).

I have a Server (on the internal side of the ASA) that receives connections on port 3389.

The ASA is configured so that when connections come in on either of its public IP addresses, it redirects them to the internal server if they are received on port 3389.

Everything works.

The problem is the following:

I want that if the primary Internet connection fails, the remote offices can still access the server using the secondary Internet connection (meaning via the other public IP address) without having to manually change the IP address that the offices use to reach the server.

Right now, the remote offices are accessing the server by IP address because we wanted to load-balance the traffic and have 4 remote offices to send the traffic via the primary Internet connection and the other 4 remote offices sending the traffic via the secondary Internet connection.

The question is:

How do I load-balance the traffic that comes from the remote offices and still have redundancy, so that if one link fails the other is used?

I hope someone could help me with this.

Thank you!

Collin Clark Mon, 07/06/2009 - 13:07

1. DNS is an option but with that you will have limited success because of host record updates.

2. You could also create VPN tunnels and have the remote sites hit the internal IP instead of the public IP.

Hope this helps.

fedecotof Mon, 07/06/2009 - 13:18

Thank you!

Please correct me if I'm wrong...

1. I cannot use DNS because if all the 8 remote offices use DNS to reach the server, I lose the capability of load-balancing the connections. I want 4 remote offices to enter the primary Internet connection and the other 4 remote offices to enter the secondary Internet connection. I cannot accomplish this using DNS.

2. I think the VPN tunnel option is the only way, but I was trying to avoid this one... but I guess it's the only correct one?

Thank you again.

Collin Clark Mon, 07/06/2009 - 13:23

The DNS option is ugly. You would have to create two DNS entries:

For office 1&2 they would go to APP1.YOURDOMAIN.COM

For office 3&4 they would go to APP2.YOURDOMAIN.COM

If connection 1 goes down, you then have to change the DNS record for APP1.YOURDOMAIN.COM to APP2.YOURDOMAIN.COM

Of course you'll have to wait for DNS to propagate (assuming you're using public DNS). It won't be as bad if you're using internal DNS, but it's still a manual process to change the DNS record at the other offices. I think that VPN is your best option.

pompeychimes Mon, 07/06/2009 - 19:15

Do you have any Cisco gear (Routers, Firewalls, etc...) at the remote sites? Maybe we could setup a Virtual IP and do some poor man's load balancing?

fedecotof Mon, 07/06/2009 - 19:43

I have some 800 series routers and ASA 5505s at the remote sites...

How could we do that?
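As an added illustration of the client-side approach the thread is circling around (each office keeps its own preferred public IP so the 4/4 split is preserved, but falls over to the other address automatically when its preferred link stops answering), here is a small Python probe-and-select routine. It is example code written for this page, not from the original thread, from the posters' equipment, or from Cisco; the two public IP addresses are constructed placeholders from the TEST-NET ranges, and the probe simply checks that a TCP handshake to port 3389 completes, which exercises both the ISP link and the ASA's port forward at once.

```python
"""Client-side preferred-path selection with failover between the two
ISP-facing public IPs of a dual-homed ASA.  Added example; the addresses
below are constructed placeholders, not the poster's real addresses."""
import socket
from typing import Callable, Dict, List, Optional

# Constructed placeholders for the ASA's two public addresses.
PRIMARY_PUBLIC_IP = "192.0.2.10"        # ISP A side (constructed, TEST-NET-1)
SECONDARY_PUBLIC_IP = "198.51.100.10"   # ISP B side (constructed, TEST-NET-2)
RDP_PORT = 3389


def preferred_order(office_id: int) -> List[str]:
    """Offices 1-4 prefer the primary link, offices 5-8 the secondary.
    This reproduces the 4/4 load split the original poster wants while
    still listing the other address as the fallback."""
    if office_id <= 4:
        return [PRIMARY_PUBLIC_IP, SECONDARY_PUBLIC_IP]
    return [SECONDARY_PUBLIC_IP, PRIMARY_PUBLIC_IP]


def tcp_probe(ip: str, port: int = RDP_PORT, timeout: float = 2.0) -> bool:
    """Real probe: does a TCP handshake to ip:port complete?  Because the
    ASA statically forwards 3389 to the internal server, a completed
    handshake shows that the ISP link *and* the translation both work;
    an ICMP ping would only tell you the link is up."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def choose_endpoint(office_id: int,
                    probe: Callable[[str], bool] = tcp_probe) -> Optional[str]:
    """Return the first reachable public IP in this office's preferred
    order, or None when neither link answers.  The probe is injectable so
    the selection logic can be exercised without network access."""
    for ip in preferred_order(office_id):
        if probe(ip):
            return ip
    return None


def plan_all_offices(probe: Callable[[str], bool] = tcp_probe
                     ) -> Dict[int, Optional[str]]:
    """Run the selection for all eight offices, which makes it easy to see
    the 4/4 split collapse onto one link when the other ISP fails."""
    return {office: choose_endpoint(office, probe) for office in range(1, 9)}


if __name__ == "__main__":
    # Stand-alone run uses the real TCP probe against the placeholder IPs,
    # so on a disconnected machine every office reports "no path".
    for office, ip in plan_all_offices().items():
        print(f"office {office}: {ip or 'no path'}")
```

The selection is deliberately per office rather than per DNS name: it keeps the traffic split the poster wants without any record changes, and the decision is made on a live TCP handshake rather than on cached DNS answers, so there is no propagation delay to wait out. It does not solve the reverse problem the thread's VPN suggestion addresses, namely that a session established through one ISP cannot survive that link going down; a client still has to reconnect, it just lands on the surviving address automatically.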