

ASA 5540 with 2 ISPs

May 17th, 2006

Can I connect two different ISPs to my ASA by creating two different "outside" interfaces?

If possible I would like to dedicate my existing T1 for email and use my new connection for browsing.

Also, I have my existing T1 connected to a Cisco 2500, and regarding the new connection, they promise an RJ45 connection directly to the ASA for their Internet connection in our building.

Does anyone know if this is possible?


Thank you.

-Dominick

a.kiprawih Wed, 05/17/2006 - 13:03

Hi Dominic,


To achieve this, the ASA Outside (e0) interface needs to be connected to a switch with dot1Q encapsulation.


Create 2 sub-interfaces (you need IPs from each T1's ISP) under the Outside interface to host the connections from the 2 different links.


Next, you need a switch (placed before the ASA) to host 2 VLANs that will be used to connect those T1 links. Example: Vlan 10 & Vlan 20. Set the switchport connected to the ASA Outside interface as a trunk with dot1Q encapsulation, and allow those 2 VLANs to pass through.


For the existing T1, connect the RJ45 to the switch, and make sure the switch port belongs to one of those VLANs, for example VLAN 10.


For your new T1 link, connect the RJ45 to a switchport that belongs to VLAN 20.



Guide to creating sub-interfaces:


http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_guide_chapter09186a008054d463.html#wp1044006




Rgds,

AK
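The two-subinterface design above, written out as device configuration. This is an added example, not AK's, the original poster's or Cisco's own configuration. Interface names, VLAN numbers, the 192.0.2.0/24 (existing T1 ISP, "ISP-A") and 198.51.100.0/24 (new ISP, "ISP-B") blocks, the inside mail server 10.0.0.25 and the ISP-A mail relay 203.0.113.25 are all placeholders; the 5540's ports are GigabitEthernet, so AK's "e0" is shown as GigabitEthernet0/0, and `switchport trunk encapsulation dot1q` is only needed on switches that also support ISL. Two points the post does not spell out: the ASA picks the egress subinterface from its routing table, not from the VLAN, and ASA 7.x has only one active default route, so here the new ISP carries the default and only traffic to the existing ISP's mail relay is pinned to the T1; and with both subinterfaces at security level 0, leaving `same-security-traffic permit inter-interface` unset keeps the two ISP segments from reaching each other through the ASA.

```cisco
! ---- Cisco ASA 5540, 7.x syntax (added example; all addresses are placeholders) ----
interface GigabitEthernet0/0
 description dot1Q trunk to the ISP aggregation switch
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/0.10
 vlan 10
 nameif outsideA
 security-level 0
 ip address 192.0.2.2 255.255.255.0
!
interface GigabitEthernet0/0.20
 vlan 20
 nameif outsideB
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Deliberately NOT configured: same-security-traffic permit inter-interface
! (keeps outsideA and outsideB from talking to each other through the ASA)
!
! NAT: the mail server has a fixed address on the existing ISP, everyone else
! PATs to whichever outside subinterface the route selects
static (inside,outsideA) 192.0.2.10 10.0.0.25 netmask 255.255.255.255
nat (inside) 1 10.0.0.0 255.255.255.0
global (outsideA) 1 interface
global (outsideB) 1 interface
!
! Routing: one default route (new ISP); the existing ISP's mail relay (placeholder)
! is the only destination pinned to the T1
route outsideA 203.0.113.25 255.255.255.255 192.0.2.1 1
route outsideB 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! Inbound policy: only SMTP to the mail server from the T1, nothing unsolicited from the new link
access-list outsideA_in extended permit tcp any host 192.0.2.10 eq smtp
access-group outsideA_in in interface outsideA
access-list outsideB_in extended deny ip any any log
access-group outsideB_in in interface outsideB

! ---- Catalyst switch in front of the ASA (IOS) ----
vlan 10
 name ISP-A-T1
vlan 20
 name ISP-B-Ethernet
!
interface FastEthernet0/1
 description Existing T1 (Cisco 2500 Ethernet)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 no cdp enable
 spanning-tree portfast
!
interface FastEthernet0/2
 description New ISP RJ45 hand-off
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 no cdp enable
 spanning-tree portfast
!
interface FastEthernet0/24
 description Trunk to ASA GigabitEthernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
```

The switch now sits entirely outside the firewall, so treat it that way: no management SVI on VLAN 10, 20 or 1, DTP and CDP off on the ISP-facing ports (as above), and only the two ISP VLANs allowed on the trunk.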


haithamnofal Thu, 05/18/2006 - 14:07

Hi AK,


Is there really a need to create sub-interfaces on the ASA? How about connecting the ASA to an L3 switch as the next hop and letting the switch take care of routing the traffic according to configured policy-based routing?


Regards,

Haitham

a.kiprawih Thu, 05/18/2006 - 20:27

Hi Haitham,


Yes, I think you could use PBR. I have not used/tried this method before (in this specific scenario), but it would be interesting to test/simulate it in the lab.


As you know, PBR allows you to:

- Classify traffic based on extended access list criteria. The access lists then establish the match criteria.

- Route packets to specific traffic-engineered paths.


Policies can be based on IP address, port numbers, or protocols.


PBR config guide for L3 Switch:

http://www.cisco.com/en/US/partner/products/hw/switches/ps4324/products_configuration_guide_chapter09186a00801cddc5.html


PBR config guide for router:

http://www.cisco.com/en/US/partner/products/ps6350/products_configuration_guide_chapter09186a00800c75d2.html


PBR Scenario Example:

http://www.cisco.com/en/US/customer/tech/tk365/technologies_tech_note09186a008009481d.shtml


But the presence of a firewall will enforce better security, compared with logical VLAN separation between ISPs in an L3 device.


Please give it a try, and hopefully it works. Good luck!


Rgds,

AK
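The policy-routing alternative Haitham proposed, worked out as configuration. This is an added example, not the original poster's, AK's, Haitham's or Cisco's own; the 10.255.0.0/30 transit link between ASA and switch, the VLAN numbers and the 192.0.2.0/24 (existing ISP, "ISP-A") and 198.51.100.0/24 (new ISP, "ISP-B") blocks are placeholders, and it assumes each ISP hands off on a /30 and routes a small public block (192.0.2.16/28 and 198.51.100.16/28 here) to the switch. Physical access-port configuration is omitted. The detail that makes PBR work here: the ASA statically NATs the mail server to an address from the existing ISP's block and PATs everything else to the new ISP's block, and the switch policy-routes on that source address. Matching on destination port 25 alone would not be enough, because mail sent out the T1 with a new-ISP source address is dropped by the existing ISP's ingress (anti-spoofing) filter, and replies would come back over the other link anyway. On some Catalyst platforms (the 3750, for example) PBR also requires the routing SDM template (`sdm prefer routing`) and a reload; check the guide for the specific switch.

```cisco
! ---- Cisco ASA 5540 (7.x syntax): a single outside interface toward the L3 switch ----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.255.0.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Mail server: static NAT to an address from the existing ISP's block (placeholder).
! Static NAT is bidirectional, so every packet from 10.0.0.25 leaves with source 192.0.2.17.
static (inside,outside) 192.0.2.17 10.0.0.25 netmask 255.255.255.255
! Everyone else: PAT to an address from the new ISP's block (placeholder)
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 198.51.100.17
!
access-list outside_in extended permit tcp any host 192.0.2.17 eq smtp
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.255.0.1 1

! ---- Catalyst L3 switch (IOS) ----
ip routing
!
vlan 10
 name ISP-A-T1
vlan 20
 name ISP-B-Ethernet
vlan 30
 name ASA-transit
!
interface Vlan10
 description /30 hand-off from the existing ISP (router is 192.0.2.1)
 ip address 192.0.2.2 255.255.255.252
!
interface Vlan20
 description /30 hand-off from the new ISP (router is 198.51.100.1)
 ip address 198.51.100.2 255.255.255.252
!
interface Vlan30
 description transit to ASA outside
 ip address 10.255.0.1 255.255.255.252
 ! PBR acts on traffic ENTERING the switch from the ASA
 ip policy route-map ISP-SELECT
!
! The public blocks each ISP routes to us (assumed) live behind the ASA
ip route 192.0.2.16 255.255.255.240 10.255.0.2
ip route 198.51.100.16 255.255.255.240 10.255.0.2
! Ordinary default: the new ISP
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Anything the ASA sourced from the existing ISP's block goes back out over the T1
ip access-list extended FROM-ISP-A-BLOCK
 permit ip 192.0.2.16 0.0.0.15 any
!
route-map ISP-SELECT permit 10
 match ip address FROM-ISP-A-BLOCK
 set ip next-hop 192.0.2.1
! No further clauses: everything else follows the routing table (default via the new ISP)
```

Check it with `show route-map ISP-SELECT` (the policy-routing match counter should climb as the mail server sends) and with `traceroute` from the mail server and from an ordinary workstation; the first hop past the switch should differ. Note that in this design the switch, with both ISP hand-offs and the transit VLAN on it, is fully exposed: give it no management address on VLAN 10, 20 or 30.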

