Load balancing of general internet in ASA 5520?

Unanswered Question
Jul 22nd, 2010

Hi,

I have one ASA 5520. We have 2 ISPs and each of them terminates in this ASA. Is it possible to do load balancing of general internet traffic in the ASA 5520 so that some traffic goes via ISP1 and the remaining goes via ISP2? I am not really concerned about the VPN traffic at the moment.

- Ribin

Mohamed Sobair Thu, 07/22/2010 - 03:46

Hi,

Yes, for general traffic, you could have both ASAs deployed in Active/Active failover with multiple context mode.

Additional Note: You could also have Remote Access VPN load balancing on ASA.

For Active/Active failover in multiple context mode, please refer to the link below:


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml

For VPN Load Balancing, refer to the link below:


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805fda25.shtml

HTH

Mohamed

ribin.jones Thu, 07/22/2010 - 03:55

Thanks for the response Mohammed. In your reply you mentioned "you could have both ASAs". I have only one ASA and I am a newbie in ASA.

- Ribin

Mohamed Sobair Thu, 07/22/2010 - 04:20

Apologies Ribin,

I thought you had 2 ASAs and you would like to load balance between them.

OK, if you have one ASA and two links terminated on it, I am afraid you can't load balance across 2 different ISPs; however, you have the option of backup tracking of the second link.

So, you will have one link as primary and a secondary link as backup with tracking.

Please refer to the link below for more info:

https://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

HTH

Mohamed

ribin.jones Thu, 07/22/2010 - 05:00

Thanks for the info. Is there any additional module or something available which could be integrated with my ASA 5520 so that I can route traffic via both my ISPs at the same time?

- Ribin

Mohamed Sobair Thu, 07/22/2010 - 05:04

Ribin,

There is no need for an additional module; it's actually not possible with ASA/PIX. You can't have 2 outgoing interfaces forwarding traffic at the same time.

HTH

Mohamed

ribin.jones Thu, 07/22/2010 - 05:19

So, I can't have two default routes (one to each of my ISPs) in my ASA?

- Ribin

Nagaraja Thanthry Thu, 07/22/2010 - 05:56

Hello,

You can have two default routes, one pointing to one ISP and the other pointing to the other ISP, but both cannot have the same metric; one of them needs to have a slightly higher metric. Having said that, while traditionally the firewall does not support load balancing, there is a workaround through which, as an administrator, you can do some sort of load balancing. Here are a couple of scenarios:

You have two inside interfaces (inside1 and inside2) and you want ALL users on inside1 to use ISP1 and ALL users on inside2 to use ISP2. This scenario can be implemented on the ASA, and the ASA will send the traffic accordingly. Here is a sample configuration for this scenario:

! Destination NAT for inside2 pins its egress to ISP2 (pre-8.3 static/nat/global syntax)
static (ISP2,inside2) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
! Primary default route via ISP1, backup default route via ISP2 (gateway addresses are placeholders)
route ISP1 0.0.0.0 0.0.0.0 <ISP1-gateway>
route ISP2 0.0.0.0 0.0.0.0 <ISP2-gateway> 254
! "interface" PATs to the interface address; any other address you hold on that ISP works too
global (ISP2) 10 interface
nat (inside2) 10 0.0.0.0 0.0.0.0
global (ISP1) 1 interface
nat (inside1) 1 0.0.0.0 0.0.0.0

In this example, all traffic from the inside2 subnet will be forwarded to ISP2 and all traffic from inside1 will go normally to ISP1.


In another scenario, let's say you have just one inside subnet and you want to send all HTTP/HTTPS/SMTP traffic through ISP2 and everything else via ISP1.

! Port-based destination NAT statics pin web and mail traffic to the ISP2 interface
static (ISP2,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0
static (ISP2,inside) tcp 0.0.0.0 https 0.0.0.0 https netmask 0.0.0.0
static (ISP2,inside) tcp 0.0.0.0 smtp 0.0.0.0 smtp netmask 0.0.0.0
! Primary default route via ISP1, backup default route via ISP2 (gateway addresses are placeholders)
route ISP1 0.0.0.0 0.0.0.0 <ISP1-gateway>
route ISP2 0.0.0.0 0.0.0.0 <ISP2-gateway> 254
! With a single inside interface, one nat id and a PAT pool on each ISP interface is enough:
! the egress interface chosen for the connection selects the matching global
! ("interface" PATs to the interface address; any other address you hold on that ISP works too)
nat (inside) 1 0.0.0.0 0.0.0.0
global (ISP1) 1 interface
global (ISP2) 1 interface

Last but not least, you can always have traffic destined to specific subnets or hosts go via ISP2. This is helpful if you have site-to-site VPNs, where all your VPN traffic could go via ISP2 and all your regular internet traffic via ISP1.

route ISP2 x.x.x.0 255.255.255.0 <ISP2-gateway>

Hope this helps.

Regards,

NT
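Pulling the pieces of NT's single-inside scenario together, here is one complete configuration written as an added example; it is not taken from the original post. It uses the same pre-8.3 static/nat/global syntax as NT's commands and adds the backup-link tracking Mohamed referred to: an SLA probe toward ISP1's gateway withdraws the primary default route when the probe fails, so the ISP2 default route takes over. Interface names, the 192.168.1.0/24 inside network and the 203.0.113.0/24 (ISP1) and 198.51.100.0/24 (ISP2) addresses are assumptions chosen from documentation ranges.

```cisco
! Added example: ASA 5520, pre-8.3 NAT syntax, two ISPs, static-based egress selection
! Interface addressing is assumed (documentation prefixes), not from the original post
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/1
 nameif ISP1
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/2
 nameif ISP2
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
! Reachability probe toward ISP1's gateway; track 1 goes down when three echoes in a row fail
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface ISP1
 num-packets 3
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! Primary default route is installed only while track 1 is up; ISP2 route is the floating backup
route ISP1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route ISP2 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Port-based destination NAT statics force HTTP/HTTPS/SMTP out of the ISP2 interface
static (ISP2,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0
static (ISP2,inside) tcp 0.0.0.0 https 0.0.0.0 https netmask 0.0.0.0
static (ISP2,inside) tcp 0.0.0.0 smtp 0.0.0.0 smtp netmask 0.0.0.0
!
! One nat id with a PAT pool on each ISP interface; the egress interface picks the pool,
! so return traffic comes back on the same ISP the connection left on
nat (inside) 1 0.0.0.0 0.0.0.0
global (ISP1) 1 interface
global (ISP2) 1 interface
```

Two caveats worth checking before relying on this. The statics pin matching traffic to the ISP2 interface independently of the routing table, so HTTP/HTTPS/SMTP does not fall back to ISP1 when ISP2 is down; only the "everything else" traffic follows the tracked default route. And the static/nat/global commands above belong to ASA 8.2 and earlier; 8.3 and later replaced them with object NAT, so the same design has to be expressed differently there.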

Nagaraja Thanthry Thu, 07/22/2010 - 06:16

Hello Ribin,

Not a problem. I forgot to include one more option. If you have a layer 3 device (router/L3 switch) on your inside network, you can also use multiple contexts and do the load balancing on the L3 device using PBR.

Hope this helps.

Regards,

NT

Note: Please rate helpful posts.

ribin.jones Thu, 07/22/2010 - 06:25

Hey NT,

The first option you mentioned, "You can have two default routes one pointing to one ISP and the other pointing to other ISP. But both cannot have same metric. One of them need to be of slightly higher metric.", is destination-based static routing, right?

- Ribin

ribin.jones Thu, 07/22/2010 - 06:27

Yes, I do have an L3 switch in my inside network. How can I do policy based routing in L3 for load balancing of traffic to the ISPs?

- Ribin

Nagaraja Thanthry Thu, 07/22/2010 - 06:42

Hello Ribin,

If you have an L3 switch which can perform load balancing, then you can configure multiple contexts on the firewall. Each context will act like a separate firewall. For each context you can allocate interfaces and different IP addresses. Here is a link that explains the steps involved in creating multiple contexts:

http://cisco.biz/en/US/products/hw/vpndevc/ps2030/products_configuration...

mple09186a00808d2b63.shtml

In your case, you need to share the inside interface between both contexts, and under each context you can give separate IP addresses. When allocating resources, you need to make sure that one ISP interface is allocated to one context (ISP1 to ContextA and ISP2 to ContextB).

Now, you need to configure the L3 device to do policy based routing along with route tracking. All your workstations need to have the IP of the L3 device as their default gateway. On the L3 device you create a route-map and, based on your requirements, you can set the next hop for those specific traffic types to either the ContextA IP or the ContextB IP.

Example:

! Match HTTP from the inside hosts
access-list 101 permit tcp any any eq www
! Steer matched traffic to ContextB; everything else follows the normal routing table
route-map test permit 10
 match ip address 101
 set ip next-hop <ContextB-IP>
! PBR only takes effect once the route-map is applied to the inbound inside interface
interface <inside-vlan-interface>
 ip policy route-map test

So, here by default all traffic will go to ContextA and only specific traffic will go to ContextB.

Hope this helps.

Regards,

NT
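As an added example that is not part of NT's post, here is what the PBR piece on the L3 switch could look like in IOS, filled out with the route tracking NT mentions so that traffic is not steered into a context whose inside address has stopped answering. It assumes the inside VLAN is Vlan10 on 192.168.1.0/24, that the switch is 192.168.1.254, that ContextA's inside address is 192.168.1.1 and ContextB's is 192.168.1.2, and that HTTP/HTTPS is the traffic to move to ContextB; all of these are assumptions. Whether a given switch platform and IOS release supports set ip next-hop verify-availability with object tracking varies, so check yours before relying on the fallback behaviour.

```cisco
! Added example: IOS L3 switch, PBR with tracked next hops toward two ASA contexts
! Addresses, VLAN and context names are assumed, not from the original thread
!
! Probe each context's inside address so a dead path is skipped by the route-map
ip sla 1
 icmp-echo 192.168.1.1 source-interface Vlan10
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 192.168.1.2 source-interface Vlan10
 frequency 5
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Traffic classes: web traffic from the inside subnet is the part moved to ContextB (ISP2)
ip access-list extended WEB-TRAFFIC
 permit tcp 192.168.1.0 0.0.0.255 any eq www
 permit tcp 192.168.1.0 0.0.0.255 any eq 443
!
! Sequence 10: web traffic prefers ContextB, falls back to ContextA if track 2 is down
! Sequence 20: everything else prefers ContextA, falls back to ContextB if track 1 is down
route-map ISP-SPLIT permit 10
 match ip address WEB-TRAFFIC
 set ip next-hop verify-availability 192.168.1.2 10 track 2
 set ip next-hop verify-availability 192.168.1.1 20 track 1
route-map ISP-SPLIT permit 20
 set ip next-hop verify-availability 192.168.1.1 10 track 1
 set ip next-hop verify-availability 192.168.1.2 20 track 2
!
! Workstations use the switch as their default gateway; PBR is applied on the inbound VLAN interface
interface Vlan10
 ip address 192.168.1.254 255.255.255.0
 ip policy route-map ISP-SPLIT
!
! Ordinary default route for traffic that PBR does not handle (e.g. traffic originated by the switch itself)
ip route 0.0.0.0 0.0.0.0 192.168.1.1
```

Because each context NATs outbound traffic to its own ISP address, return packets arrive at the same context the connection left through, so the split above does not create asymmetric flows across the two ISPs. If both tracks are down, verify-availability leaves the packet to the normal routing table, which here sends it to ContextA.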

Nagaraja Thanthry Thu, 07/22/2010 - 06:30

Hello Ribin,

The last option is destination-based static routing. The first two options are just a workaround that exploits the destination-based NAT translation implementation on the firewall.

Regards,

NT
