Two isp connection to one single box of ASA 5510

Unanswered Question
Oct 22nd, 2009

How we can terminate two isp links in one single box of ASA 5510 , we have 4 ports on ASA , on which one we can give DMZ, one for LAN , one for UPlINK , one for Gateway , now tell me please how i can use my two isp link in same time , i have to take work from both isp's at a single time for different clients.


If any configuration provided then its very helpful to me.


Shridhar

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
dhananjoy chowdhury Fri, 10/23/2009 - 02:36

Hi Shridhar,


You can create subinterfaces and connect one ISP to each subinterface.

Please note that ASA allows max of 3 default routes (equal cost) on same outgoing interface but not on different outgoing interfaces.

So add default route towards ISP_1 and add route for specific IP's pointing towards ISP_2.



Here is a brief on the subinterface config.

myFW(config)# int e0

myFW(config-if)# no shut


myFW(config-if)# int e0.10

myFW(config-subif)# vlan 10

myFW(config-subif)# nameif Out_ISP1

myFW(config-subif)# ip add 10.0.0.1 255.255.255.0


myFW(config-subif)# int e0.20

myFW(config-subif)# vlan 20

myFW(config-subif)# nameif Out_ISP2

myFW(config-subif)# ip add 20.0.0.1 255.255.255.0


route Out_ISP1 0 0 10.0.0.A

route Out_ISP2 x.x.x.x y.y.y.y 20.0.0.B


Hope this helps.




shridhar76 Fri, 10/23/2009 - 02:40

Hi Dhananjay ,


Then in this situation how i can take from two isp with one firewall , even in that case no meaning of sub-inter facing because i have to use two isp in same time and for some clients i have to use default gateway one and for others to one , do you have any solution in your mind.


Shridhar

shridhar76 Fri, 10/23/2009 - 02:58

Hi ,


I have two router 1841 , one is ok but another ones serial and 1 FE module is gone ,and one l3 switch , and access switches 2950 , nw can you suggest me how i can use two isp at same time with these devices.


or tell me what else i have to purchase for this work. Low cost budget is mine. so please keep that in mind.

Thanks

shridhar

dhananjoy chowdhury Fri, 10/23/2009 - 02:55

You can create 2 fw contexts on the ASA box and connect one ISP in each context, then route some of your users through one context and other users through another context.


However there are some limitations on the ASA box when you configure it in multi context mode - you will not be able to configure VPN's on the firewall and also dynamic routing.

shridhar76 Fri, 10/23/2009 - 02:59

Hi ,


Please let me know the context configuration or some line and what about vpn ..and tell with with context is there any effect on DMZ also..


Thanks

shridhar

francisco_1 Fri, 10/23/2009 - 03:00

I would not personally enabel multiple context on my Internet firewall the reason being as you mentioend you diabling lot of features from the ASA.

dhananjoy chowdhury Fri, 10/23/2009 - 03:11

2 ways


1. As Francis suggested, place a router ahead of the ASA and terminate both the ISP's. You can share load on both the links. But I am not sure how you will make some users use 1st ISP and other users use 2nd ISP.


2. As I mentioned configure two firewall contexts on the ASA and route some users through one context and other users through other context.

It depends on you if at this point of time are you going to configure VPN on the ASA or use dynamic routing.

If at all you need to use VPN at a later stage, you can get a router or a vpn device and put it in the DMZ for configuring VPNS.

francisco_1 Fri, 10/23/2009 - 03:50

dhananjoy,


policy routing will do it. so base on policy rouitng ON THE ROUTER some users use 1st ISP and other users use 2nd ISP based on those users are on different subnet behind the ASA...

francisco_1 Fri, 10/23/2009 - 03:19

There are so many things you can do with a router that the ASA still won't do. You can terminate multiple links o the router and can route maps to load-balance with ISPs, use IP CEF, etc...and have your ASA behind your router with a default..

mkharban Wed, 11/11/2009 - 10:41

Hi Shridhar,


You can try this:


Terminating two ISPs on ASA/PIX-



ISP1------------------Internet

1.1.1.2 |

| |

| |

| |

1.1.1.1 |

PIX/ASA|2.2.2.1----2.2.2.2|ISP2

3.3.3.1

|

|

Internal Network


Lets say we has above setup, with ISP1 being the Primary ISP

and ISP2 being the Secondary ISP.


I'm assuming that you all know how ISP failback is configured and

how it functions. To summarize, in ISP failback all traffic goes out

using ISP1 and if it fails, ASA/PIX starts routing traffic via ISP2.


Scenario I

==========


Now, we do not want to configure ISP failback, but we needs

to route Web (port 80,443) traffic via ISP2 and all other traffic

via ISP1. This requires PBR, which is not supported on ASA/PIX, but

we can configure a workaround on ASA/PIX to make it work.


Following are the commands which will achieve it-


route ISP1 0 0 1.1.1.2 //Default route pointing to ISP1

route ISP2 0 0 2.2.2.2 2 //Default route with Metric 2 via ISP2


static (ISP2,inside) tcp 0.0.0.0 80 0.0.0.0 80

static (ISP2,inside) tcp 0.0.0.0 443 0.0.0.0 443


sysopt noproxyarp inside


nat (inside) 1 0 0

global (ISP1) 1 interface

global (ISP2) 1 interface


Thats it !! Now all the traffic destined to any address on port 80/443

will be forcibly put on ISP2 interface and routed from there.


Note: This stuff requires that we KNOW what the destination ports are,

if there is some traffic which uses dynamic ports, like voice traffic

we will have to route it via ISP1 and cannot make it route via ISP2.


Scenario II

===========


In the same setup, if we say that we wants half traffic to go

via ISP1 and half traffic via ISP2, first we need to understand

that ASA is NOT a load-balancer or packet-shaper. Hence we cannot

*truly* achieve this, but we may configure ASA in such a manner that

traffic for some destination IP address is routed via ISP1 and some

is routed via ISP2. Following would be configuration commands in this

scenario-



nat (inside) 1 0 0

global (ISP1) 1 interface

global (ISP2) 1 interface


route ISP1 128.0.0.0 128.0.0.0 1.1.1.2

route ISP2 0.0.0.0 128.0.0.0 2.2.2.2


The first creates a default route that routes addresses with the first

bit of 1 to 1.1.1.2 of ISP1.


The second creates a default route that routes addresses with the first

bit of 0 to 2.2.2.2 of ISP2.


Note: This will do traffic routing based on *Destination* IP addresses and

NOT based on traffic load. As I mentioned, ASA is NOT a packet-shaper.


Hope this helps!


Thanks,

Manish

Actions

This Discussion