06-19-2010 12:13 AM - edited 03-11-2019 11:01 AM
Hi guys,
I'm not very familiar with the ASA 5505; on a base license, would the following configuration work? Can it act as an edge device for two ISP networks?
interface Ethernet0/0
nameif ISP1
security-level 0
ip address 1.1.1.1 255.255.255.252
!
interface Ethernet0/1
nameif ISP2
security-level 0
ip address 2.2.2.1 255.255.255.252
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
Thanks in advance
- Joe
06-19-2010 01:07 AM
Unfortunately, you would need a Security Plus license on the ASA 5505 for a backup ISP connection.
06-20-2010 10:49 PM
Thanks Halijenn!
Just curious, I have a colleague who tried to implement dual-ISP on the 5505 with a Base license. He said that the IOS prevented him from configuring more than one outside NAT interface. Is this how the base license enforces the single-ISP restriction?
06-21-2010 03:27 AM
I just double-checked that all Security Base license appliances support dual ISPs, including the ASA 5505.
With the ASA 5505 Base license, you need to be aware that it can only have 2 unrestricted zones, which normally would consist of 1 inside and 1 outside zone, plus 1 restricted zone, i.e. that zone can't access one other zone, but that other zone can access it.
Example:
Inside and outside would be the unrestricted zones.
Backup outside would be the restricted zone. I believe you can configure the outside interface as the restricted zone, while the other 2 interfaces are unrestricted. So on the backup outside interface, you would configure "no forward interface vlan
Here is the URL for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/int5505.html#wp1051819
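The three-VLAN layout described in the reply above, written out as an added example (not part of the thread and not Cisco's own configuration). The VLAN IDs, the port-to-VLAN mapping and the choice of vlan 1 as the target of `no forward interface` are assumptions; the addresses are the ones from the question.

```cisco
! Added example. VLAN IDs, port mapping and the restricted-VLAN target are
! assumptions; IP addresses are the sample values from the question.
!
! Unrestricted zone 1: inside
interface vlan 1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Unrestricted zone 2: primary outside
interface vlan 2
 nameif ISP1
 security-level 0
 ip address 1.1.1.1 255.255.255.252
!
! Restricted zone: backup outside.
! Enter "no forward interface" BEFORE "nameif": with two named VLANs already
! present, the Base license rejects a third fully functional VLAN interface.
! With vlan 1 as the target, this VLAN cannot initiate traffic to inside;
! connections initiated from inside toward ISP2 are still permitted.
interface vlan 3
 no forward interface vlan 1
 nameif ISP2
 security-level 0
 ip address 2.2.2.1 255.255.255.252
!
! On the 5505 the Ethernet ports are switch ports, so nameif and ip address
! go on the VLAN interfaces and each port is assigned to a VLAN.
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
interface Ethernet0/1
 switchport access vlan 3
 no shutdown
!
interface Ethernet0/2
 switchport access vlan 1
 no shutdown
```

After applying it, `show running-config interface vlan 3` should list the `no forward interface` line above `nameif ISP2`.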
06-21-2010 06:23 PM
Thanks again. This is of great help to me.