
Two outside interfaces on an ASA 5505

changjoe
Level 1

Hi guys,

I'm not very familiar with the ASA 5505; on a base license, would the following configuration work? Can it act as an edge device for two ISP networks?

interface Ethernet0/0
 nameif ISP1
 security-level 0
 ip address 1.1.1.1 255.255.255.252
!
interface Ethernet0/1
 nameif ISP2
 security-level 0
 ip address 2.2.2.1 255.255.255.252
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

Thanks in advance


- Joe


Jennifer Halim
Cisco Employee

Unfortunately, you would need a Security Plus license on the ASA 5505 for a backup ISP connection.

Thanks Halijenn!

Just curious, I have a colleague who tried to implement dual-ISP on the 5505 with a Base license. He said that the IOS prevented him from configuring more than one outside NAT interface. Is this how the base license enforces the single-ISP restriction?

I just double-checked that all Security Base license appliances support dual ISPs, including the ASA 5505.

With the ASA 5505 Base license, you need to be aware that it can only have 2 unrestricted zones, which normally would consist of 1 inside and 1 outside zone, plus 1 restricted zone, i.e., that zone can't access one other zone, but that other zone can access it.

Example:

Inside and outside would be the unrestricted zones.

Backup outside would be the restricted zone. I believe you can configure the outside interface as the restricted zone, while the other 2 interfaces are unrestricted. So on the backup outside interface, you would configure "no forward interface vlan "

Here is the URL for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/int5505.html#wp1051819
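
A small lint check for the zone rule described in the reply above (at most two unrestricted zones, with the third restricted by "no forward interface vlan"), added here as an example; it is not part of the original thread or any Cisco tooling. The VLAN numbers, the choice of Vlan2 as the target of the restriction, and both sample configurations are constructed assumptions.

```python
import re

# Constructed sample: the three zones from the question as VLAN interfaces.
# VLAN IDs and the Vlan2 target of "no forward interface" are assumptions.
SAMPLE_RESTRICTED = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif ISP1
 security-level 0
 ip address 1.1.1.1 255.255.255.252
!
interface Vlan3
 no forward interface Vlan2
 nameif ISP2
 security-level 0
 ip address 2.2.2.1 255.255.255.252
"""
SAMPLE_UNRESTRICTED = SAMPLE_RESTRICTED.replace(" no forward interface Vlan2\n", "")


def parse_vlan_zones(config):
    """Return {vlan_id: {"nameif": str|None, "no_forward": int|None}}."""
    zones, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+vlan\s*(\d+)\s*$", line, re.I)
        if m:
            current = zones.setdefault(int(m.group(1)), {"nameif": None, "no_forward": None})
        elif not line.startswith(" "):
            current = None  # left the interface block ("!" or another top-level command)
        elif current is not None:
            words = line.split()
            if words[:1] == ["nameif"] and len(words) == 2:
                current["nameif"] = words[1]
            m = re.match(r"\s+no forward interface\s+vlan\s*(\d+)", line, re.I)
            if m:
                current["no_forward"] = int(m.group(1))
    return zones


def check_base_license(config):
    """Return the unrestricted named VLANs if there are more than two, else []."""
    zones = parse_vlan_zones(config)
    unrestricted = sorted(v for v, z in zones.items() if z["nameif"] and z["no_forward"] is None)
    return unrestricted if len(unrestricted) > 2 else []
```
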

changjoe
Level 1

Thanks again. This is of great help to me
