10-22-2009 08:11 PM - edited 03-11-2019 09:30 AM
How can we terminate two ISP links in one single ASA 5510 box? We have 4 ports on the ASA, of which one can be used for the DMZ, one for the LAN, one for the uplink, and one for the gateway. Now please tell me how I can use my two ISP links at the same time; I have to use both ISPs at a single time for different clients.
If any configuration can be provided, it would be very helpful to me.
Shridhar
10-23-2009 02:36 AM
Hi Shridhar,
You can create subinterfaces and connect one ISP to each subinterface.
Please note that the ASA allows a max of 3 default routes (equal cost) on the same outgoing interface, but not on different outgoing interfaces.
So add a default route towards ISP_1 and add routes for specific IPs pointing towards ISP_2.
Here is a brief on the subinterface config.
myFW(config)# int e0
myFW(config-if)# no shut
myFW(config-if)# int e0.10
myFW(config-subif)# vlan 10
myFW(config-subif)# nameif Out_ISP1
myFW(config-subif)# ip add 10.0.0.1 255.255.255.0
myFW(config-subif)# int e0.20
myFW(config-subif)# vlan 20
myFW(config-subif)# nameif Out_ISP2
myFW(config-subif)# ip add 20.0.0.1 255.255.255.0
route Out_ISP1 0 0 10.0.0.A
route Out_ISP2 x.x.x.x y.y.y.y 20.0.0.B
Hope this helps.
10-23-2009 02:40 AM
Hi Dhananjay ,
Then in this situation how can I use two ISPs with one firewall? Even in that case there is no meaning in sub-interfacing, because I have to use two ISPs at the same time, and for some clients I have to use one default gateway and for others the other one. Do you have any solution in mind?
Shridhar
10-23-2009 02:53 AM
ASA does not do load balancing.
You can have redundant or backup ISP links on the ASA, but I don't think you can use both links at the same time unless you have a router in front of the ASA that is multi-homed to your ISP links.
10-23-2009 02:58 AM
Hi ,
I have two 1841 routers (one is OK, but the other one's serial and 1 FE module are gone), one L3 switch, and 2950 access switches. Now can you suggest how I can use two ISPs at the same time with these devices,
or tell me what else I have to purchase for this work? My budget is low, so please keep that in mind.
Thanks
shridhar
10-23-2009 02:55 AM
You can create 2 firewall contexts on the ASA box and connect one ISP in each context, then route some of your users through one context and other users through the other context.
However, there are some limitations on the ASA box when you configure it in multiple context mode: you will not be able to configure VPNs on the firewall, and also no dynamic routing.
10-23-2009 02:59 AM
Hi ,
Please let me know the context configuration, or some lines of it, and what about VPN? And tell me, with contexts, is there any effect on the DMZ also?
Thanks
shridhar
10-23-2009 03:02 AM
Hi Shridhar,
You can refer to this link for configuration of contexts. There are no limitations on creating a DMZ and other zones.
10-23-2009 03:00 AM
I would not personally enable multiple contexts on my Internet firewall, the reason being, as you mentioned, that you disable a lot of features of the ASA.
10-23-2009 03:02 AM
Then what is the solution? Please let me know.
10-23-2009 03:11 AM
2 ways:
1. As Francis suggested, place a router ahead of the ASA and terminate both ISPs there. You can share load on both the links. But I am not sure how you will make some users use the 1st ISP and other users use the 2nd ISP.
2. As I mentioned, configure two firewall contexts on the ASA and route some users through one context and other users through the other context.
It depends on whether at this point of time you are going to configure VPN on the ASA or use dynamic routing.
If at all you need to use VPN at a later stage, you can get a router or a VPN device and put it in the DMZ for configuring VPNs.
10-23-2009 03:50 AM
dhananjoy,
Policy routing will do it. So based on policy routing ON THE ROUTER, some users use the 1st ISP and other users use the 2nd ISP, based on those users being on different subnets behind the ASA...
10-23-2009 03:19 AM
There are so many things you can do with a router that the ASA still won't do. You can terminate multiple links on the router and use route maps to load-balance between ISPs, use IP CEF, etc... and have your ASA behind your router with a default route.
11-11-2009 10:41 AM
Hi Shridhar,
You can try this:
Terminating two ISPs on ASA/PIX-
ISP1------------------Internet
1.1.1.2 |
| |
| |
| |
1.1.1.1 |
PIX/ASA|2.2.2.1----2.2.2.2|ISP2
3.3.3.1
|
|
Internal Network
Let's say we have the above setup, with ISP1 being the primary ISP
and ISP2 being the secondary ISP.
I'm assuming that you all know how ISP failback is configured and
how it functions. To summarize, in ISP failback all traffic goes out
using ISP1, and if it fails, the ASA/PIX starts routing traffic via ISP2.
Scenario I
==========
Now, we do not want to configure ISP failback, but we need
to route web (port 80, 443) traffic via ISP2 and all other traffic
via ISP1. This requires PBR, which is not supported on the ASA/PIX, but
we can configure a workaround on the ASA/PIX to make it work.
Following are the commands which will achieve it:
route ISP1 0 0 1.1.1.2 //Default route pointing to ISP1
route ISP2 0 0 2.2.2.2 2 //Default route with Metric 2 via ISP2
static (ISP2,inside) tcp 0.0.0.0 80 0.0.0.0 80
static (ISP2,inside) tcp 0.0.0.0 443 0.0.0.0 443
sysopt noproxyarp inside
nat (inside) 1 0 0
global (ISP1) 1 interface
global (ISP2) 1 interface
That's it!! Now all the traffic destined to any address on port 80/443
will be forcibly put on the ISP2 interface and routed from there.
Note: this requires that we KNOW what the destination ports are;
if there is some traffic which uses dynamic ports, like voice traffic,
we will have to route it via ISP1 and cannot make it route via ISP2.
Scenario II
===========
In the same setup, if we say that we want half the traffic to go
via ISP1 and half the traffic via ISP2, first we need to understand
that the ASA is NOT a load-balancer or packet-shaper. Hence we cannot
*truly* achieve this, but we may configure the ASA in such a manner that
traffic for some destination IP addresses is routed via ISP1 and some
is routed via ISP2. Following would be the configuration commands in this
scenario:
nat (inside) 1 0 0
global (ISP1) 1 interface
global (ISP2) 1 interface
route ISP1 128.0.0.0 128.0.0.0 1.1.1.2
route ISP2 0.0.0.0 128.0.0.0 2.2.2.2
The first creates a default route that routes addresses with the first
bit of 1 to 1.1.1.2 of ISP1.
The second creates a default route that routes addresses with the first
bit of 0 to 2.2.2.2 of ISP2.
Note: this will do traffic routing based on *destination* IP addresses and
NOT based on traffic load. As I mentioned, the ASA is NOT a packet-shaper.
Hope this helps!
Thanks,
Manish
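To make the forwarding decisions in Manish's two scenarios (and in Dhananjay's earlier "default route to ISP_1, specific IPs to ISP_2" suggestion) concrete, here is an added Python simulator; it is not ASA code and not part of the thread. It models only what the posts describe: longest-prefix match with a lower metric winning a tie, plus the port 80/443 override that the `static (ISP2,inside)` lines produce in Scenario I. The addresses and interface names are the ones from the post; the sample destination addresses are constructed for illustration.

```python
"""Simulate the egress-interface choice of the two ASA configurations
discussed above.  Added illustration, not ASA code: it models only the
behaviour the post describes (longest-prefix match, metric tiebreak, and the
Scenario I port override) and nothing else the box does."""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    iface: str
    prefix: ipaddress.IPv4Network
    next_hop: str
    metric: int = 1


def pick_route(routes, dst):
    """Return the best route for dst: longest prefix wins, and among routes
    with the same prefix length the lowest metric wins (the post uses metric 2
    on the ISP2 default route to make it the backup).  None if nothing matches."""
    dst = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if dst in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))


# Scenario I (values from the post): two default routes, ISP2 at metric 2, so
# ISP1 carries everything; the 'static (ISP2,inside) tcp ... 80/443' lines
# force TCP 80/443 out of ISP2 regardless of the route table.
SCENARIO_I_ROUTES = [
    Route("ISP1", ipaddress.IPv4Network("0.0.0.0/0"), "1.1.1.2", metric=1),
    Route("ISP2", ipaddress.IPv4Network("0.0.0.0/0"), "2.2.2.2", metric=2),
]
SCENARIO_I_PORT_OVERRIDES = {("tcp", 80): "ISP2", ("tcp", 443): "ISP2"}


def egress_scenario_1(dst, proto="tcp", port=None):
    """Egress interface under Scenario I.  Traffic on a dynamic port (e.g.
    voice) has no override entry and therefore follows the default route to
    ISP1, which is exactly the limitation the post's note points out."""
    override = SCENARIO_I_PORT_OVERRIDES.get((proto, port))
    if override is not None:
        return override
    return pick_route(SCENARIO_I_ROUTES, dst).iface


# Scenario II (values from the post): the default route split into two /1
# halves, so the first bit of the destination address picks the ISP.
SCENARIO_II_ROUTES = [
    Route("ISP1", ipaddress.IPv4Network("128.0.0.0/1"), "1.1.1.2"),
    Route("ISP2", ipaddress.IPv4Network("0.0.0.0/1"), "2.2.2.2"),
]


def egress_scenario_2(dst):
    """Egress interface under Scenario II (destination-based, not load-based)."""
    return pick_route(SCENARIO_II_ROUTES, dst).iface


def share_by_interface(routes, destinations):
    """Count how a list of destinations splits across interfaces.  This shows
    the post's caveat: the split depends on which addresses clients talk to,
    not on traffic volume, so it is rarely 50/50 in practice."""
    return dict(Counter(pick_route(routes, d).iface for d in destinations))


if __name__ == "__main__":
    # Constructed sample destinations, not from the post.
    print("Scenario I, TCP/443 ->", egress_scenario_1("203.0.113.5", "tcp", 443))
    print("Scenario I, UDP voice ->", egress_scenario_1("203.0.113.5", "udp", 16384))
    print("Scenario II, 8.8.8.8 ->", egress_scenario_2("8.8.8.8"))
    print("Scenario II, 198.51.100.1 ->", egress_scenario_2("198.51.100.1"))
    print(share_by_interface(SCENARIO_II_ROUTES,
                             ["8.8.8.8", "198.51.100.1", "203.0.113.5"]))
```

Running it shows why Scenario II is a destination split rather than load balancing: every address below 128.0.0.0 leaves via ISP2 and everything from 128.0.0.0 upward via ISP1, whatever the traffic volume, and in Scenario I anything not on TCP 80/443 stays on ISP1.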