ASA - External Interface / BGP

Answered Question
Mar 1st, 2010

I have attached my network diagram in a pdf.

My ASA is configured with two outside interfaces, one to each ISP.
Each ISP router is getting a default route from provider.

I am currently using HSRP between the two routers on the inside interface on BVI interfaces of the routers.

I have a static default route configured on the ASA for ISP #1 HSRP's address.

I have IBGP running between the two routers.

I have a local weight preference on each router to take its own ISP out.

I want to utilize ISP #2 more and have created a few static default routes out that HSRP address.

Should I do away with one of the outside interfaces on the ASA?

What is the best way to handle the routing on the outside of the ASA?

Correct Answer
Giuseppe Larosa Fri, 03/05/2010 - 01:31

Hello Trippi,

>> My ASA is configured with two outside interfaces

This can be a problem. ASA can perform load balancing towards different next-hops that are out the SAME interface.

The ASA is a FW first, so the outgoing interface is chosen by the FW xlate according to its configuration.

See

>> Load sharing on the adaptive security appliance is possible only for multiple next-hops available using single egress interface. Load sharing cannot share multiple egress interfaces.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/route_overview.html#wp1095679

I would suggest you review your design in order to have a single outside interface to reach both routers.

Hope to help

Giuseppe
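
An added example, not part of the original thread or of Cisco's documentation: a small Python check that applies the rule quoted above to static `route` statements and flags equal-cost routes that are split across egress interfaces. The interface names `outside1`/`outside2` and all addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of candidate static routes in the ASA form
#   route <interface> <dest> <mask> <gateway> [metric]
# Interface names and addresses are assumptions, not taken from the thread.
SAMPLE_CONFIG = """\
route outside1 0.0.0.0 0.0.0.0 192.0.2.1 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 1
route outside1 203.0.113.0 255.255.255.0 192.0.2.1
route outside1 203.0.113.0 255.255.255.0 192.0.2.2
"""

# Trailing options after the metric (if any) are ignored by this check.
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?")


def parse_routes(config):
    """Return (interface, dest, mask, gateway, metric) tuples; metric defaults to 1."""
    routes = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            ifname, dest, mask, gateway, metric = m.groups()
            routes.append((ifname, dest, mask, gateway, int(metric or 1)))
    return routes


def audit_load_sharing(config):
    """Classify every group of equal-cost routes to the same prefix.

    'shareable'    : all next-hops sit behind one egress interface
    'split-egress' : next-hops sit behind different interfaces, which the
                     quoted documentation says cannot be load shared
    """
    groups = defaultdict(list)
    for ifname, dest, mask, gateway, metric in parse_routes(config):
        groups[(dest, mask, metric)].append((ifname, gateway))
    findings = {}
    for key, hops in groups.items():
        if len(hops) < 2:
            continue  # a single route is not a load-sharing candidate
        interfaces = sorted({ifname for ifname, _ in hops})
        verdict = "shareable" if len(interfaces) == 1 else "split-egress"
        findings[key] = (verdict, interfaces)
    return findings


if __name__ == "__main__":
    for (dest, mask, metric), (verdict, ifs) in audit_load_sharing(SAMPLE_CONFIG).items():
        print(f"{dest} {mask} metric {metric}: {verdict} via {', '.join(ifs)}")
```
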
