Add second DSL circuit to ASA 5505

Scott Payne · ‎07-09-2010

I think I know the answer to this but I want to run it by the forum.

I have an office that is on DSL with the highest speed available. The problem is that it is not fast enough. Currently, the one DSL has a site to site VPN tunnel to our HQ and works perfectly.

My question(s) is this:

Can I use another interface on the ASA 5505 (eth0/1 or int vlan3 for example) and configure it for another DSL circuit? I believe I could by assigning it the proper public ip, add another route outside statement for the second default gateway and of course, set up another tunnel-group (and match it on the HQ side as well). If I am on the right path, I would assume this would load balance the traffic?

Thanks,

STP

Nagaraja Thanthry · ‎07-09-2010

Hello,

You can certainly add a second DSL line and establish another tunnel to the remote network. However, I am not certain about the load-balancing part. If you run routing protocol over the VPN tunnel and ensure that the cost to the remote destination is equal through both paths, then the firewall can load-balance between the paths. However, if you are planning to configure static routes, I think that may not work.

Hope this helps.

Regards,

NT

Scott Payne · ‎07-09-2010

Thanks for the quick reply! I will dig deeper into the load balancing issue. If that doesn't work I may have to

"do some patchwork". By that I mean creating another inside interface with a separate private ip scheme and add a small switch so I can physically split the traffic.

Example

eth 0/1

nameif outside2 this would be second DSL line

public ip here

eth 0/2

nameif inside 2 this would attach to a small switch

private ip here

route outside whatever the second DG would be which would give me a second route

create more access-lists

add a second http line

and of course a second tunnel

do you think that would work?