ASA 5510 with two ISPs

Unanswered Question
Feb 26th, 2011

Could someone point me in the right direction and maybe provide a config example of how to setup an ASA with two Internet connections? We want to have the ability to send certain traffic over one connection (example http) and everything else over another. Is there a way to do this, and if so, an example config would be greatly appreciated. Thanks.

Sent from Cisco Technical Support iPhone App

Farrukh Haroon Sat, 02/26/2011 - 01:04

Hello Craig

I'm sorry to inform you that this cannot be done on the ASA (at least in any straight forward way).

The ASA software does not support Policy-based Routing which is required to complete your requirement. However you can always configure multiple ISPs in an active-passive fashion; as described at the following link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

As a work-around in some scenarios you can run the ASA box in multiple context mode to achieve similar requirements, but that is not recommended for various reasons (complexity, some features like dynamic routing/VPNs not working in virtual firewall mode, etc.).

Regards

Farrukh

craig-mitchell Sat, 02/26/2011 - 05:00

Couldn't you use policy-based NAT to NAT certain traffic out a different interface?


Farrukh Haroon Sat, 02/26/2011 - 07:58

You can use policy-based NAT (it can also be on the same output interface depending on the exact requirement); but there will be no link reliability in this case. What happens when one link fails?

Regards

Farrukh

parr Sat, 02/26/2011 - 13:24

Reading the original request, it doesn't sound like failover or redundancy are important criteria in the scenario presented.

craig-mitchell Sun, 02/27/2011 - 05:28

Yes, not concerned with failover/redundancy at this point. Can you tell me how I would configure the two static routes for each ISP? Thanks so much for your help.


Farrukh Haroon Sun, 02/27/2011 - 05:38

Hello Craig

This is why I mentioned in my initial post that you won't be able to meet your requirement because PBR is not supported on the ASA: the problem is that one can only configure default routes pointing out one interface on the ASA firewall (and not more), as mentioned in the config guide:

"When defining more than one default route, you must specify the same interface for each entry."

Source: http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/route_static.html#wp1128007

And as you know, a default route is essential to route Internet traffic. If you have any proxy server or router in the transit path, you can fulfill your requirement using those devices.

Regards

Farrukh

craig-mitchell Sun, 02/27/2011 - 09:29

So what if I setup another default route with a higher metric and policy NATed the traffic I wanted out that new interface? Would that work? Thanks again!


Farrukh Haroon Sun, 02/27/2011 - 11:26

I'm sorry to tell you that will also not work, please see the next paragraph on the same link:

"If you attempt to define more than three equal cost default routes or a default route with a different interface than a previously defined default route, you receive the following message:

"ERROR: Cannot add route entry, possible conflict with existing routes.""

Regards

Farrukh

craig-mitchell Sun, 02/27/2011 - 11:50

But it is allowed if I setup route tracking via icmp?


craig-mitchell Tue, 03/01/2011 - 15:56

Stumbled upon this. Would this work?

https://supportforums.cisco.com/docs/DOC-6069


Farrukh Haroon Sat, 03/05/2011 - 00:15

I'm sorry for the late reply; that solution is definitely worth a try, even though the solution is a little crude.

Regards

Farrukh

craig-mitchell Tue, 03/08/2011 - 09:01

When I made this change for port 80 traffic, I could see that it worked. However, it seemed to break internal web traffic between clients and an internal web server (both on the inside network, not traversing the firewall). Could this be a proxy ARP issue or an ICMP redirect issue? The clients' default gateway is a Cisco router, and this router's default gateway is the inside of the ASA. The clients, internal web server, core router, and ASA inside interface are all on the same subnet.


Farrukh Haroon Tue, 03/08/2011 - 10:42

Hello

I doubt this is a proxy ARP issue, as it is only supposed to kick in if you are trying to reach an IP address on another subnet and the router replies with its own MAC; it should not occur for traffic on the same subnet. Of course, this could be due to mis-configured subnet mask(s) on one or more devices in the concerned network.

This can be easily verified by inspecting the ARP table of both client and server (web); e.g. on windows 'arp -a' will show this.

Regards

Farrukh
