ASA - External Interface / BGP

Answered Question
Mar 1st, 2010

I have attached my network diagram in a pdf.

My ASA is configured with two outside interfaces, one to each ISP.
Each ISP router is getting a default route from provider.

I am currently using HSRP between the two routers on the inside interface on BVI interfaces of the routers.

I have a static default route configured on the ASA for ISP #1 HSRP's address.

I have IBGP running between the two routers.


I have a local weight preference on each router to take its own ISP out.


I want to utilize ISP #2 more and have created a few static default routes out that HSRP address.


Should I do away with one of the outside interfaces on the ASA?


What is the best way to handle the routing on the outside of the ASA?

Correct Answer by Giuseppe Larosa about 7 years 1 month ago

Hello Trippi,


>> My ASA is configured with two outside interfaces


This can be a problem. ASA can perform load balancing towards different next-hops that are out the SAME interface.


The ASA is a FW first, so the outgoing interface is chosen by the FW xlate according to its configuration.


See

>> Load sharing on the adaptive security appliance is possible only for multiple next-hops available using single egress interface. Load sharing cannot share multiple egress interfaces.


http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/route_overview.html#wp1095679


I would suggest that you review your design in order to have a single outside interface to reach both routers.


Hope to help

Giuseppe
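
An added example, not part of the original thread or of Cisco's documentation: a small Python check that applies the load-sharing rule quoted in the answer to a list of ASA static `route` statements, marking each prefix as having a single best next hop, equal-cost next hops on one interface (load sharing possible), or equal-cost next hops on different interfaces (no load sharing). The interface names, addresses and sample routes are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of ASA static route statements to check before deployment.
# Interface names and addresses (RFC 5737 documentation ranges) are assumptions.
SAMPLE_CONFIG = """\
route outside1 0.0.0.0 0.0.0.0 192.0.2.1 1
route outside2 10.50.0.0 255.255.0.0 198.51.100.1 1
route outside2 10.60.0.0 255.255.0.0 198.51.100.1 1
route outside 172.16.0.0 255.240.0.0 203.0.113.1 1
route outside 172.16.0.0 255.240.0.0 203.0.113.2 1
route outside1 10.70.0.0 255.255.0.0 192.0.2.1 1
route outside2 10.70.0.0 255.255.0.0 198.51.100.1 1
"""

ROUTE_RE = re.compile(
    r"^route\s+(?P<ifc>\S+)\s+(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)"
    r"\s+(?P<gw>\d+\.\d+\.\d+\.\d+)(?:\s+(?P<metric>\d+))?")

def parse_routes(text):
    """Return {(net, mask): [(interface, gateway, distance), ...]} for static routes."""
    routes = defaultdict(list)
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            metric = int(m.group("metric") or 1)  # distance defaults to 1 when omitted
            routes[(m["net"], m["mask"])].append((m["ifc"], m["gw"], metric))
    return dict(routes)

def classify(routes):
    """Label each prefix: 'single', 'load-share' (one interface) or 'split-egress'."""
    result = {}
    for prefix, hops in routes.items():
        best = min(metric for _, _, metric in hops)
        equal = [(ifc, gw) for ifc, gw, metric in hops if metric == best]
        interfaces = {ifc for ifc, _ in equal}
        if len(equal) < 2:
            result[prefix] = "single"        # one best next hop, nothing to share
        elif len(interfaces) == 1:
            result[prefix] = "load-share"    # several next hops, same egress interface
        else:
            result[prefix] = "split-egress"  # next hops on different egress interfaces
    return result

if __name__ == "__main__":
    for (net, mask), verdict in classify(parse_routes(SAMPLE_CONFIG)).items():
        print(f"{net} {mask}: {verdict}")
```
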

Giuseppe Larosa Fri, 03/05/2010 - 01:31