loadbalancing with Dual ISP

Unanswered Question
Jul 8th, 2013

Hi,

I am using an ASA5510 and I want to configure my ASA to work with 2 ISPs (one for HTTP/HTTPS traffic, the second for all the rest of the traffic).
I know this is not a supported configuration, but there are some workarounds like I read in this post:

https://supportforums.cisco.com/docs/DOC-15622


I tried solution 2: route traffic based on destination ports with 2 default routes (with metric 1 and 2), but it doesn't work!
I tried to simulate this situation with the packet tracer tool, and when I send an HTTP packet on the second WAN, the packet is still sent on the 1st WAN link.


Has anyone already succeeded with this configuration?


Thank you

I have attached my network diagram to this post.

Jouni Forss Mon, 07/08/2013 - 09:23

Hi,


Did you also use the NAT configurations in the document? They are the configurations that will actually redirect the HTTP and HTTPS traffic through the other ISP, while naturally the secondary default route will also be required.


If you have an ASA running 8.3 or newer software then it would be easier, mainly because of the new NAT configuration format.


I have not tested this on 8.2 or older software.


- Jouni

avburren1 Tue, 07/09/2013 - 02:20

Yes, I tried all the solutions with NAT and default routes in the document, and my ASA is running 8.2.

Jouni Forss Tue, 07/09/2013 - 02:31

Hi,


What does the "packet-tracer" command's output say when you try simulating an HTTP connection from LAN to WAN?


For example something like


packet-tracer input inside tcp 12345 1.1.1.1 80


If the NAT is configured correctly then you should see an UN-NAT phase, which should forward the connection through the correct ISP link.


- Jouni

avburren1 Thu, 07/11/2013 - 05:58

Here is the result of the command "packet-tracer input inside tcp 12345 1.1.1.1 80".

We can see that the packet is forwarded through ISP1 and not ISP2 as I want.



Result of the command: "packet-tracer input LAN tcp 192.168.1.3 12345 2.2.2.2 80"

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         WAN

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (LAN,WAN2) tcp interface www 192.168.1.3 www netmask 255.255.255.255
match tcp LAN host 192.168.1.3 eq 80 WAN2 any
   static translation to 200.1.1.69/80
   translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN) 1 192.168.1.0 255.255.255.0
match ip LAN 192.168.1.0 255.255.255.0 WAN any
   dynamic translation to pool 1 (WAN [Interface PAT])
   translate_hits = 5, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.1.3/12345 to WAN/1025 using netmask 255.255.255.255

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 43, packet dispatched to next module

Result:
input-interface: LAN
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: allow
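The check discussed in this thread (look for an UN-NAT phase and confirm which interface the flow leaves through) can be automated when validating a dual-ISP configuration. The script below is an added example, not part of any post in the thread and not Cisco tooling; the sample text is constructed by condensing the trace above, and the expected interface name passed in is the caller's assumption about which link the traffic should use.

```python
import re

# Constructed sample, condensed from the trace posted in this thread.
SAMPLE_TRACE = """\
Phase: 2
Type: ROUTE-LOOKUP
Result: ALLOW
Additional Information:
in   0.0.0.0         0.0.0.0         WAN

Phase: 6
Type: NAT
Result: ALLOW
Config:
nat (LAN) 1 192.168.1.0 255.255.255.0
Additional Information:
Dynamic translate 192.168.1.3/12345 to WAN/1025 using netmask 255.255.255.255

Result:
input-interface: LAN
output-interface: WAN
Action: allow
"""

def parse_trace(text):
    """Split packet-tracer output into per-phase dicts plus the final summary."""
    phases, summary, current = [], {}, None
    for line in text.splitlines():
        m = re.match(r"([A-Za-z-]+):\s*(.*)$", line.strip())
        if not m:
            continue  # rule text, hit counters, "Additional Information:" etc.
        key, value = m.groups()
        if key == "Phase":
            current = {"Phase": int(value)}
            phases.append(current)
        elif key == "Result" and not value:
            current = summary  # a bare "Result:" opens the final summary
        elif current is not None:
            current.setdefault(key, value)
    return phases, summary

def check_egress(text, expected_ifc):
    """expected_ifc is the caller's assumption of the correct egress interface name."""
    phases, summary = parse_trace(text)
    types = [p.get("Type") for p in phases]
    out_ifc = summary.get("output-interface")
    return {"un_nat_seen": "UN-NAT" in types, "output_interface": out_ifc,
            "ok": out_ifc == expected_ifc}
```

Calling `check_egress(SAMPLE_TRACE, "WAN2")` reports no UN-NAT phase and an egress interface of WAN, which matches what the poster observed.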
