06-19-2010 12:13 AM - edited 03-11-2019 11:01 AM
Hi guys,
I'm not very familiar with the ASA 5505; on a base license, would the following configuration work? Can it act as an edge device for two ISP networks?
interface Ethernet0/0
 nameif ISP1
 security-level 0
 ip address 1.1.1.1 255.255.255.252
!
interface Ethernet0/1
 nameif ISP2
 security-level 0
 ip address 2.2.2.1 255.255.255.252
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
Thanks in advance
- Joe
06-19-2010 01:07 AM
Unfortunately you would need Security Plus license on ASA 5505 for backup ISP connection.
06-20-2010 10:49 PM
Thanks Halijenn!
Just curious, I have a colleague who tried to implement dual-ISP on the 5505 with a Base license. He said that the IOS prevented him from configuring more than one outside NAT interface. Is this how the base license enforces the single-ISP restriction?
06-21-2010 03:27 AM
I just double-checked that all Security Base license appliances support dual ISPs, including the ASA 5505.
With the ASA 5505 Base license, you need to be aware that it can only have 2 unrestricted zones, which normally would consist of 1 inside and 1 outside zone, plus 1 restricted zone, i.e. that zone can't access one other zone, but that other zone can access it.
Example:
Inside and outside would be the unrestricted zone.
Backup outside would be the restricted zone. I believe you can configure the outside interface as the restricted zone, while the other 2 interfaces are unrestricted. So on the backup outside interface, you would configure "no forward interface vlan
Here is the URL for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/int5505.html#wp1051819
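The layout described in the reply above, as an added example that is not configuration from the thread or from Cisco's guide: on the ASA 5505 the nameif, security level and IP address go on VLAN interfaces, and the physical switch ports are assigned to those VLANs. The VLAN numbers, the port-to-VLAN mapping and the choice of Vlan1 (inside) as the target of "no forward interface" are assumptions; the addresses and interface names are the ones from the original question.

```cisco
! Assumed VLAN numbering: Vlan1 = inside, Vlan2 = ISP1, Vlan3 = ISP2 (backup)
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif ISP1
 security-level 0
 ip address 1.1.1.1 255.255.255.252
!
! Third VLAN on a Base license: it has to be the restricted zone.
! Enter "no forward interface" before "nameif" on this interface.
! Effect: Vlan3 cannot initiate connections to Vlan1 (inside), while
! inside hosts can still initiate connections out through ISP2.
interface Vlan3
 no forward interface Vlan1
 nameif ISP2
 security-level 0
 ip address 2.2.2.1 255.255.255.252
!
! Physical ports are switch ports; map each one to its VLAN.
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 1
```

Because the restricted VLAN cannot initiate traffic toward inside, anything published to the Internet from the inside network would only be reachable through ISP1 in this layout.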
06-21-2010 06:23 PM
Thanks again. This is of great help to me