11-03-2009 08:19 AM - edited 03-04-2019 06:35 AM
I have a client who is currently suffering from lack of bandwidth. They get constant complaints from users that the Internet is slow.
The current connection for the company is dual-homed. They have 1 T1 inbound from AT&T and another one from XO Communications. These two routers run an HSRP address between them (hypothetical 205.237.229.1) on their Ethernet interfaces (hypothetical 205.237.229.2 and .3) so that the ASA appliance can talk to one address. The outside interface of the ASA is (hypothetical 205.237.229.4).
One of the managers at this company wants to implement another DSL solution that will add 3MG of bandwidth to the issue and I need to figure out how to integrate this.
Can I implement two IP addresses on the outside interface of the ASA? Also right now the ASA has a 0.0.0.0 0.0.0.0 route to the Internet router HSRP address of the current network. Can I add a second 0.0.0.0 route to the new address of the new DSL router? Will the ASA load balance?
I am not exactly sure how to implement this. I have added a diagram if anyone can help figure this out.
Thanks
Kevin
11-03-2009 08:38 AM
Hello Kevin,
The ASA should be able to support two default static routes, but only if all next-hops are on the same interface.
There can only be one egress interface, this being a firewall.
On the other hand, if secondary IP addresses are not supported, you should put all on the same IP subnet.
>> After selecting egress interface using any method described above, an additional route lookup is performed to find out suitable next hop(s) that belong to previously selected egress interface
See
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ip.html#wp1118242
Looking at the command reference, unfortunately I don't see any secondary option:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i3.html#wp1825348
So the requirement is to put all devices in the same IP subnet associated with the outside interface.
Multiple default static routes with different IP next-hops should be supported, as explained in the first link to the config guide.
Hope to help
Giuseppe
11-06-2009 10:47 PM
Kevin--
Maybe you can place a router between the ASA and the ISP connections. On that router, you can run policy-based routing to select appropriate paths depending upon the type of traffic you have.
For example, we send our web browsing, FTP and VPN client traffic out our high-speed Internet connection and the rest of the traffic (e.g. email) out the T-1.
cjw
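A sketch of the policy-based routing split described in the reply above, added here as an example and not taken from any poster's configuration. It assumes a Cisco IOS router sitting between the ASA and the ISP links; the interface name, route-map name, ACL number and all addresses (192.0.2.1 for the DSL next hop, 198.51.100.1 for the T1 next hop) are placeholders.

```cisco
! Added example; interface names and all addresses are placeholders.
! ACL 110: traffic to steer to the high-speed link (web, FTP, VPN client).
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq 443
access-list 110 permit tcp any any eq ftp
! Active-mode FTP data only; passive-mode data connections use
! ephemeral ports and will not match this entry.
access-list 110 permit tcp any any eq ftp-data
! IPsec VPN client traffic: IKE, NAT-T and ESP.
access-list 110 permit udp any any eq isakmp
access-list 110 permit udp any any eq non500-isakmp
access-list 110 permit esp any any
!
! Matched traffic is forwarded to the DSL router (placeholder next hop).
route-map INTERNET-PBR permit 10
 match ip address 110
 set ip next-hop 192.0.2.1
!
! Unmatched traffic (e.g. email) is not policy-routed and follows the
! normal default route via the T1 (placeholder next hop).
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Apply the policy on the interface where traffic from the ASA arrives.
interface FastEthernet0/0
 description Link to ASA outside
 ip policy route-map INTERNET-PBR
```

Traffic leaving through the DSL link still carries a source address from the T1 providers' range unless the router translates it to a DSL-side address, so replies would otherwise return over the T1 or be dropped. A static `set ip next-hop` also does not notice a failure upstream of the DSL router, so it is usually paired with next-hop tracking.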