07-22-2010 03:30 AM - edited 03-04-2019 09:09 AM
Hi,
I have one ASA 5520. We have 2 ISPs and each of them terminates on this ASA. Is it possible to do load balancing of general internet traffic on the ASA 5520 so that some traffic goes via ISP1 and the rest goes via ISP2? I am not really concerned about the VPN traffic at the moment.
- Ribin
07-22-2010 03:46 AM
Hi,
Yes, for general traffic, you could have both ASAs deployed in Active/Active failover with multiple context mode.
Additional Note: You could also have Remote Access VPN load balancing on ASA.
For Active/Active failover in multiple context mode, please refer to the link below:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml
For VPN load balancing, refer to the link below:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805fda25.shtml
HTH
Mohamed
07-22-2010 03:55 AM
Thanks for the response, Mohammed... In your reply you mentioned "you could have both ASAs". I have only one ASA and I am a newbie to the ASA.
- Ribin
07-22-2010 04:20 AM
Apologies, Ribin,
I thought you had 2 ASAs and you would like to load balance between them.
OK, if you have one ASA and two links terminated on it, I am afraid you can't load balance across 2 different ISPs; however, you could have one option of (backup tracking) for the second link.
So, you will have one link as the primary and a secondary link as backup with tracking.
Please refer to the link below for more info:
HTH
Mohamed
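The primary/backup-with-tracking option Mohamed describes, written out as an added example that is not part of the original thread. The ASA's SLA monitor pings a probe address out of the ISP1 interface; the tracked default route via ISP1 is withdrawn when the probe fails, so the higher-metric default route via ISP2 takes over. The interface names ISP1/ISP2/inside, the gateway addresses and the probe address are placeholders; NAT is in pre-8.3 syntax to match the rest of the thread.

```cisco
! Added example (not from the thread): dual-ISP primary/backup on one ASA.
! <ISP1-GW>, <ISP2-GW> and <PROBE-IP> are placeholders for your own addresses.
! Probe an address that is only meaningful through ISP1 (for example the ISP's
! DNS server), not the directly connected gateway, which still answers when the
! ISP's upstream is down.
sla monitor 123
 type echo protocol ipIcmpEcho <PROBE-IP> interface ISP1
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
! The track object follows the reachability of the probe
track 1 rtr 123 reachability
! The ISP1 default route stays installed only while track 1 is up;
! the ISP2 default route has a higher metric and is used when ISP1 is withdrawn
route ISP1 0.0.0.0 0.0.0.0 <ISP1-GW> 1 track 1
route ISP2 0.0.0.0 0.0.0.0 <ISP2-GW> 254
! One nat ID on the inside interface with a global on each ISP interface:
! PAT is done with the address of whichever interface the active route uses
global (ISP1) 1 interface
global (ISP2) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
```

`show track 1` and `show route` confirm which default route is installed. Connections that were already translated through ISP1 do not move to ISP2 on failover; their xlates simply age out and new connections are built via ISP2.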
07-22-2010 05:00 AM
Thanks for the info. Is there any additional module or something available which could be integrated into my ASA 5520 so that I can route traffic via both my ISPs at the same time?
- Ribin
07-22-2010 05:04 AM
Ribin,
There is no need for an additional module; it's actually not possible with ASA/PIX. You can't have 2 outgoing interfaces forwarding traffic at the same time.
HTH
Mohamed
07-22-2010 05:19 AM
So, I can't have two default routes (one to each of my ISPs) on my ASA?
- Ribin
07-22-2010 05:56 AM
Hello,
You can have two default routes, one pointing to one ISP and the other pointing to the other ISP. But both cannot have the same metric. One of them needs to be of slightly higher metric. Having said that, while traditionally the firewall does not support load balancing, there is a workaround through which, as an administrator, you can do some sort of load balancing. Here are a couple of scenarios:
You have two inside interfaces (Inside1 and Inside2) and you want ALL users in Inside1 to use ISP1 and ALL users in Inside2 to use ISP2. This scenario can be implemented on the ASA and the ASA will send the traffic accordingly. Here is a sample configuration for this scenario:
! Pre-8.3 NAT syntax. The static below tells the ASA that everything reached from
! inside2 lives behind ISP2, so the egress interface is chosen from the xlate
! before the routing table is consulted. Gateway addresses are placeholders.
static (ISP2,inside2) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
route ISP1 0.0.0.0 0.0.0.0 <ISP1-GW> 1
route ISP2 0.0.0.0 0.0.0.0 <ISP2-GW> 254
! inside2 is PATed to the ISP2 interface address (or any other ISP2 address)
global (ISP2) 10 interface
nat (inside2) 10 0.0.0.0 0.0.0.0
! inside1 is PATed to the ISP1 interface address (or any other ISP1 address)
global (ISP1) 1 interface
nat (inside1) 1 0.0.0.0 0.0.0.0
In this example, all traffic from the Inside2 subnet will be forwarded to ISP2 and all traffic from Inside1 will go normally to ISP1.
In another scenario, let's say you have just one inside subnet and you want to send all HTTP/HTTPS/SMTP traffic through ISP2 and everything else via ISP1.
! Pre-8.3 NAT syntax. Port-specific statics send TCP 80/443/25 out ISP2;
! everything else follows the lower-metric default route via ISP1.
! Gateway addresses are placeholders.
static (ISP2,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0
static (ISP2,inside) tcp 0.0.0.0 https 0.0.0.0 https netmask 0.0.0.0
static (ISP2,inside) tcp 0.0.0.0 smtp 0.0.0.0 smtp netmask 0.0.0.0
route ISP1 0.0.0.0 0.0.0.0 <ISP1-GW> 1
route ISP2 0.0.0.0 0.0.0.0 <ISP2-GW> 254
! There is a single inside interface here, so one nat ID with a global on each
! ISP interface; the ASA uses the global of the egress interface it selected
global (ISP2) 1 interface
global (ISP1) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
Last, but not least, you can always have traffic destined to specific subnets or hosts go via ISP2. This will be helpful if you have site-to-site VPNs where all your VPN traffic could go via ISP2 and all your regular internet traffic can go via ISP1.
! Destination-based static route; the ISP2 gateway address is a placeholder
route ISP2 x.x.x.0 255.255.255.0 <ISP2-GW>
Hope this helps.
Regards,
NT
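Before relying on any of the three workarounds above, it is worth checking which interface the ASA actually selects for a given flow. The commands below are an added example, not part of NT's post; the host and destination addresses are placeholders (RFC 5737 documentation ranges) and the interface names follow the thread.

```cisco
! Added example (not from the thread): verify egress selection on the ASA.
! Addresses are placeholders; run from enable mode.
!
! With only the two default routes (no static yet), TCP/80 from inside should
! leave via the lower-metric route, i.e. the Result block ends with
! "output-interface: ISP1"
packet-tracer input inside tcp 192.0.2.10 1025 198.51.100.20 80
!
! After adding the port-specific statics of the second scenario, the same
! flow should now report "output-interface: ISP2" in the Result block ...
packet-tracer input inside tcp 192.0.2.10 1025 198.51.100.20 80
! ... while a port not covered by a static still reports ISP1
packet-tracer input inside tcp 192.0.2.10 1025 198.51.100.20 22
!
! Confirm the installed default routes and their metrics
show route | include 0.0.0.0
! After real traffic from the host, confirm the PAT was built on the
! ISP interface you expected
show xlate | include 192.0.2.10
```

If packet-tracer reports the wrong interface, re-check that the statics use the ISP interface as the first (real) interface and `inside` as the second (mapped) one, since reversing them changes which side the ASA believes the destination is on.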
07-22-2010 05:34 AM
Yes.
HTH
Mohamed
07-22-2010 06:04 AM
Great...I got some options now.
Thanks NT and Mohammed.
- Ribin
07-22-2010 06:16 AM
Hello Ribin,
Not a problem. I forgot to include one more option. If you have a layer 3 device (router/L3 switch) on your inside network, you can also use multiple contexts and do the load balancing on the L3 device using PBR.
Hope this helps.
Regards,
NT
Note: Please rate helpful posts.
07-22-2010 06:25 AM
Hey NT,
The first option you mentioned, "You can have two default routes one pointing to one ISP and the other pointing to other ISP. But both cannot have same metric. One of them need to be of slightly higher metric.", is destination-based static routing, right?
- Ribin
07-22-2010 06:27 AM
Yes, I do have an L3 switch in my inside network. How can I do policy-based routing on the L3 switch for load balancing of traffic to the ISPs?
- Ribin
07-22-2010 06:42 AM
Hello Ribin,
If you have an L3 switch which can perform load balancing, then you can configure multiple contexts on the firewall. Each context will act like a separate firewall. For each context you can allocate interfaces and different IP addresses. Here is a link that explains the steps involved in creating multiple contexts:
http://cisco.biz/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml
In your case, you need to share the inside interface between both contexts and under each context you can give separate IP addresses. When allocating resources, you need to make sure that one ISP interface is allocated to one context (ISP1 to ContextA and ISP2 to ContextB).
Now, you need to configure the L3 device to do policy-based routing along with route tracking. All your workstations need to have the IP of the L3 device as their default gateway. On the L3 device you create a route-map and, based on your requirements, you can set the next hop for those specific traffic types to either the ContextA IP or the ContextB IP.
Example:
! IOS PBR on the inside L3 switch. The context addresses and the SVI name are placeholders.
ip route 0.0.0.0 0.0.0.0 <ContextA-inside-IP>
access-list 101 permit tcp any any eq 80
route-map test permit 10
 match ip address 101
 set ip next-hop <ContextB-inside-IP>
interface Vlan<inside>
 ip policy route-map test
So, here by default all traffic will go to ContextA and only specific traffic will go to ContextB.
Hope this helps.
Regards,
NT
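NT's route-map selects the next hop but has nothing to fall back on if ContextB (and so ISP2) goes away. The configuration below is an added example, not part of NT's post: it combines the PBR with the route tracking he mentions, using IOS IP SLA so that the route-map only steers TCP/80 to ContextB while ContextB's inside address answers pings; otherwise the packet falls through to normal routing and the default route to ContextA. The context addresses, the SVI name and the ACL are placeholders.

```cisco
! Added example (not from the thread): IOS PBR with next-hop tracking on the
! inside L3 switch. <ContextA-inside-IP>, <ContextB-inside-IP> and the SVI
! name are placeholders.
!
! Probe ContextB's inside address every 10 seconds
ip sla 1
 icmp-echo <ContextB-inside-IP>
 frequency 10
ip sla schedule 1 life forever start-time now
! Track object follows the probe (older IOS uses "track 1 rtr 1 reachability")
track 1 ip sla 1 reachability
!
! Everything not matched by the route-map follows the default route to ContextA
ip route 0.0.0.0 0.0.0.0 <ContextA-inside-IP>
!
! Traffic to steer through ContextB / ISP2 (here: HTTP)
access-list 101 permit tcp any any eq 80
route-map to-contextB permit 10
 match ip address 101
 ! next hop is used only while track 1 is up; when it is down the packet is
 ! routed normally, i.e. via ContextA
 set ip next-hop verify-availability <ContextB-inside-IP> 10 track 1
!
! Apply the policy on the SVI the workstations use as their default gateway
interface Vlan<inside>
 ip policy route-map to-contextB
```

`show track 1` and `show route-map to-contextB` (which counts policy matches) show whether traffic is being steered. Because the switch probes only ContextB's inside address, the tracking detects a failed ASA context or inside link, not an upstream failure at ISP2; for that, track the ISP2 default route on the ASA side as well.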
07-22-2010 06:30 AM
Hello Ribin,
The last option is destination-based static routing. The first two options are just a workaround that exploits the destination-based NAT translation implementation on the firewall.
Regards,
NT