ASA 5505 Security Plus dual ISP

Federico Coto F... Tue, 04/06/2010 - 13:53

Hi,

If you have the ASA 5505 with Security Plus, then you can have the normal INSIDE and OUTSIDE interfaces as well as a fully working DMZ.

Also, you can have up to 20 VLANs with trunking enabled.

You can have several ISPs, for example by using the outside and DMZ interfaces as ISP interfaces.

How many ISPs are you planning to have and are they going to terminate directly on the ASA itself?

Federico.

Federico Coto F... Tue, 04/06/2010 - 14:09

The Cisco ASA 5505 features a flexible 8-port 10/100 Fast Ethernet switch, whose ports can be dynamically grouped to create up to three separate VLANs for home, business, and Internet traffic for improved network segmentation and security.

The Security Plus license enables the Cisco ASA 5505 to scale to support a higher connection capacity and up to 25 IPsec VPN users, add full DMZ support, and integrate into switched network environments through VLAN trunking support. Furthermore, this upgrade license maximizes business continuity by enabling support for redundant ISP connections and stateless Active/Standby high-availability services.

Trunking enabled means that you can use the integrated 8-port 10/100 switch for inter-VLAN routing.

The 5505 will support two ISPs directly connected.

Federico.

So only 2 ISPs.... but in a failover configuration only, or can I use both at the same time?

What I'm trying to accomplish is :

VLAN 0 "inside"  - 30 computers with internet access

VLAN 1 "ipphones" - 15 IP phones

VLAN 2 - outside 1 - T1 from provider 1

VLAN 3 - outside 2 - T1 from provider 2

I want VLAN 0 to use the T1 from provider 1 and VLAN 1 (IP phones) to be dedicated to the T1 from provider 2.

DSL might be a backup connection if possible.....

Is it possible ?

Federico Coto F... Tue, 04/06/2010 - 15:01

Hi,

You can do that.

Keep in mind that you have three physical layer 3 working interfaces on the ASA.

So, you can use the INSIDE for the local LAN.

The OUTSIDE for one ISP.

The DMZ (divided into two VLANs for two ISPs).

It is important to note that the ASA is not a router, and there are restrictions in terms of default gateways on the ASA.

Federico.

b.gamble Wed, 04/28/2010 - 08:03

Along these same lines I'm going to have a dual-ISP scenario.

I'll have the "outside" interface hooked up to our commodity Internet.

The "inside" interface will be connected to our LAN.

The 3rd interface will be connecting to another network running OSPF/EIGRP. Will this 3rd interface support a routing protocol running on it and give me full access rather than any sort of restricted DMZ access?

Federico Coto F... Wed, 04/28/2010 - 08:07

If you have the Security Plus license on the 5505, then you have 3 full routed interfaces that you can use.

The restriction comes down to routing.

For example, you cannot have two default gateways on the ASA for internet access with the same metric via two different interfaces.

You can have up to three default gateways on the ASA with the same metric (if they belong to the same interface).

Take a look:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/route_static.html#wp1119601

Federico.

astripat Wed, 04/28/2010 - 08:34

Hi Adam,

Apart from what has been stated, you can configure dual ISP using the following link:

http://www.cisco.com/warp/public/110/pix-dual-isp.html

Now, if you do not want to configure ISP failback, then these are the scenarios with two ISPs:

Scenario I
==========

Now, if you do not want to configure ISP failback, but you need to route web (port 80, 443) traffic via ISP2 and all other traffic via ISP1, this requires PBR, which is not supported on ASA/PIX, but we can configure a workaround on ASA/PIX to make it work.

The following commands will achieve it:

route ISP1 0 0 1.1.1.2  //Default route pointing to ISP1
route ISP2 0 0 2.2.2.2 2  //Default route with Metric 2 via ISP2

static (ISP2,inside) tcp 0.0.0.0 80 0.0.0.0 80
static (ISP2,inside) tcp 0.0.0.0 443 0.0.0.0 443

sysopt noproxyarp inside

nat (inside) 1 0 0
global (ISP1) 1 interface
global (ISP2) 1 interface

That's it!! Now all traffic destined for any address on port 80/443 will be forcibly sent out the ISP2 interface and routed from there.

Note: This requires that we KNOW what the destination ports are; if there is some traffic which uses dynamic ports, like voice traffic, we will have to route it via ISP1 and cannot make it route via ISP2.

Scenario II
===========

In the same setup, if you want half the traffic to go via ISP1 and half via ISP2, then first I'll tell you that the ASA is NOT a load-balancer or packet-shaper. Hence we cannot *truly* achieve this, but we may configure the ASA in such a manner that traffic for some destination IP addresses is routed via ISP1 and some is routed via ISP2.

The configuration commands in this scenario would be:


nat (inside) 1 0 0
global (ISP1) 1 interface
global (ISP2) 1 interface

route ISP1 128.0.0.0 128.0.0.0 1.1.1.2
route ISP2 0.0.0.0 128.0.0.0 2.2.2.2

The first creates a default route that routes addresses whose first bit is 1 to 1.1.1.2 on ISP1.

The second creates a default route that routes addresses whose first bit is 0 to 2.2.2.2 on ISP2.

Note: This does traffic routing based on *destination* IP addresses and NOT based on traffic load. As I mentioned, the ASA is NOT a packet-shaper.

HTH

Regards,

Ashu

mynet4lab Mon, 08/16/2010 - 11:18

Hi Ashu,

Thanks for the trick, and I'm glad I hit this page from the Google search engine. I had configured my ASA 5505 with dual ISP links and it works as expected. I followed your Scenario 1 and it does the trick. The only change to my running-config is adding the static statements, nothing else. I have confirmed that my dual ISP link still fails over if either one goes down.

Best regards,

Vince

raycwinter Thu, 08/19/2010 - 09:12

Would the second scenario work if I wanted the second ISP to connect only to IP addresses xxx.yyy.zzz.85, xxx.yyy.zzz.86, and xxx.yyy.zzz.87 and all other traffic to go through the first ISP?

If so, what would the configuration look like?

Thanks.

andhingr Thu, 08/19/2010 - 10:50

It all depends upon the routing configured on the ASA. For outbound traffic, the routing will specify which next hop to use for certain destinations and use the default route for ISP2. The inbound traffic will be controlled on the ISP side.

edgard.rodriguez Wed, 12/08/2010 - 09:29

Hello Ashu,

I have a question

"The first creates a default route that routes addresses with the first bit of 1 to 1.1.1.2 of ISP1"

When you said that the first one creates a route for addresses with the first bit of 1 to 1.1.1.2, what do you mean? I want to use this scenario to route 192.168.1.0/24 to ISP1 with specific destinations, not just one but a few destination IPs.

For example:

route ISP2 0.0.0.0 128.0.0.0 2.2.2.2

route ISP2 0.0.0.0 128.0.0.0 4.4.4.4

route ISP2 0.0.0.0 128.0.0.0 3.3.3.3

Is this the way to route to more than one destination IP? And in "route ISP2 0.0.0.0 128.0.0.0 3.3.3.3", the 0.0.0.0 is a wildcard, but what would 128.0.0.0 be? In other words, what does "route ISP2 0.0.0.0 128.0.0.0 3.3.3.3" say?

thanks for your response.

Edgard
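The route-selection rules that run through this thread (Federico's point that equal-metric default routes must share an interface, Ashu's Scenario I and Scenario II tables, the per-host steering raycwinter asks about, and the meaning of the 128.0.0.0 mask Edgard asks about) can be worked through with a small model. The Python below is an added example, not code from the thread or from Cisco: it parses ASA-style `route IFACE DEST MASK GATEWAY [METRIC]` lines, does longest-prefix then lowest-metric selection, and models the port-80/443 `static` trick from Scenario I as a simple per-port pin. The interface names ISP1/ISP2, the gateways 1.1.1.2/2.2.2.2, and the destination addresses (documentation ranges 198.51.100.0/24 and 203.0.113.0/24, standing in for xxx.yyy.zzz) are assumed or constructed for the example.

```python
import ipaddress


def parse_route(line):
    """Parse an ASA-style 'route IFACE DEST MASK GATEWAY [METRIC]' line.

    The ASA shorthand '0 0' (as in 'route ISP1 0 0 1.1.1.2') is expanded to
    0.0.0.0 0.0.0.0, and a missing metric defaults to 1, as on the ASA.
    """
    parts = line.split()
    if len(parts) < 5 or parts[0] != "route":
        raise ValueError(f"not a route statement: {line!r}")
    iface, dest, mask, gateway = parts[1:5]
    metric = int(parts[5]) if len(parts) > 5 else 1
    dest = "0.0.0.0" if dest == "0" else dest
    mask = "0.0.0.0" if mask == "0" else mask
    # ipaddress accepts a dotted netmask: 128.0.0.0 is a one-bit mask (/1),
    # 0.0.0.0 is /0 and 255.255.255.255 is a /32 host route.
    network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
    return {"iface": iface, "net": network, "gateway": gateway, "metric": metric}


def build_table(config):
    return [parse_route(l) for l in config.strip().splitlines() if l.strip()]


def config_is_valid(table):
    """False when two routes for the same prefix and metric leave different
    interfaces: the ASA rejects that (it only allows equal-cost routes that
    share an interface)."""
    seen = {}
    for r in table:
        seen.setdefault((r["net"], r["metric"]), set()).add(r["iface"])
    return all(len(ifaces) == 1 for ifaces in seen.values())


def lookup(table, dst, down=()):
    """Longest-prefix match, then lowest metric. Interfaces listed in `down`
    are skipped, which is what losing an ISP's route amounts to."""
    ip = ipaddress.ip_address(dst)
    cands = [r for r in table if r["iface"] not in down and ip in r["net"]]
    if not cands:
        return None
    longest = max(r["net"].prefixlen for r in cands)
    cands = [r for r in cands if r["net"].prefixlen == longest]
    best = min(r["metric"] for r in cands)
    winners = [r for r in cands if r["metric"] == best]
    if len({r["iface"] for r in winners}) > 1:
        raise ValueError(f"equal-cost routes to {winners[0]['net']} on different interfaces")
    return winners[0]


def egress_interface(table, dst, dst_port, port_pins=None, down=()):
    """Model of Scenario I: a destination-port static such as
    'static (ISP2,inside) tcp 0.0.0.0 80 0.0.0.0 80' pins flows to that port
    onto the named interface ahead of the route lookup (port_pins = {port: iface}).
    This is a simplification of the ASA's NAT/route interaction, not its code."""
    pinned = (port_pins or {}).get(dst_port)
    if pinned and pinned not in down:
        return pinned
    route = lookup(table, dst, down)
    return route["iface"] if route else None


# Constructed sample tables (interface names, gateways and addresses are assumed).
SCENARIO_I = """
route ISP1 0 0 1.1.1.2
route ISP2 0 0 2.2.2.2 2
"""
PORT_PINS = {80: "ISP2", 443: "ISP2"}   # the two static statements of Scenario I

SCENARIO_II = """
route ISP1 128.0.0.0 128.0.0.0 1.1.1.2
route ISP2 0.0.0.0 128.0.0.0 2.2.2.2
"""

HOST_ROUTES = """
route ISP1 0 0 1.1.1.2
route ISP2 203.0.113.85 255.255.255.255 2.2.2.2
route ISP2 203.0.113.86 255.255.255.255 2.2.2.2
route ISP2 203.0.113.87 255.255.255.255 2.2.2.2
"""

INVALID = """
route ISP1 0 0 1.1.1.2
route ISP2 0 0 2.2.2.2
"""

if __name__ == "__main__":
    t1, t2, t3 = build_table(SCENARIO_I), build_table(SCENARIO_II), build_table(HOST_ROUTES)
    print("I   smtp   ->", egress_interface(t1, "198.51.100.10", 25, PORT_PINS))
    print("I   https  ->", egress_interface(t1, "198.51.100.10", 443, PORT_PINS))
    print("I   ISP1 down ->", lookup(t1, "198.51.100.10", down=("ISP1",))["iface"])
    print("II  198.51.100.10 ->", lookup(t2, "198.51.100.10")["iface"])
    print("II  8.8.8.8 ->", lookup(t2, "8.8.8.8")["iface"])
    print("host .86 ->", lookup(t3, "203.0.113.86")["iface"])
    print("invalid table accepted:", config_is_valid(build_table(INVALID)))
```

Two things the model makes visible: `0.0.0.0 128.0.0.0` is a one-bit netmask, not a wildcard, so that route covers 0.0.0.0 through 127.255.255.255 and `128.0.0.0 128.0.0.0` covers the rest; and repeating the same `0.0.0.0 128.0.0.0` prefix with different gateways does not select destinations, it only adds equal-cost routes. Steering a handful of destinations to one ISP is a job for /32 host routes with the default route left on the other ISP.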

codewize Tue, 03/06/2012 - 05:11

So help me understand. Are you saying that with the ASA 5505 Base unlimited-users license you can't configure redundant/failover ISPs using route tracking?

It has to be Security Plus?
