ASA/PIX 7.x to Support Dual ISP Links

p.mckay · ‎08-31-2006

1.I was wondering if any one has run this in a production environment yet and what if any issues have you had.

2.What models did you run this on the example config indicates this will function on 500 through 5500 series devices. So will this work on a 501 as well as the ASA5510

3.The example configuration shows three interfaces are these physical interfaces. If they are then how do get three interfaces on a 501?

interface Ethernet0

nameif outside

security-level 0

ip address 10.0.0.1 255.255.255.0

!

interface Ethernet1

nameif backup

security-level 0

ip address 192.168.1.1 255.255.255.0

!

interface Ethernet2

nameif inside

security-level 100

ip address 172.16.1.1 255.255.255.0

grant.maynard · ‎08-31-2006

I have not tried it. It is a feature of v7.2.

You cannot run v7+ on a PIX501 or a PIX506. Theres can only have two physical interfaces: larger PIXs and ASAs have more or you can add cards. However the PIX506 does also support 2 VLANs, so it could logically have three interfaces.

The config above is for physical interfaces in v7. If they were VLAN interfaces they would be shown as sub-interfaces with the VLAN also showing in the config.

a.kiprawih · ‎08-31-2006

ASA/PIX 7.x can support dual ISP links (known as Static Route Tracking) on bigger box, not on Pix 501/506 (cannot run 7.x).

It's much better to use dedicated physical interface on PIX/ASA for each ISP link (if you have 2 routers). But you can use sub-interfaces if you have switch between PIX/ASA and routers. Connect the PIX/ASA to the switch (as trunk) and connect your routers ( FastEthernet ports) hosting link to ISPs to a port assigned to each dedicated Vlans associated to the sub-interfaces.

PIX/ASA setup example for dual ISP with 2 routers:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Rgds,

AK

p.mckay · ‎08-31-2006

How would this work with a failover pair Active/Stanby pair of ASA5510 or does it only function with a single piece of hardware.

a.kiprawih · ‎08-31-2006

If you have Active/Standby (A/S) pair, then you can use:

1. Dedicated switch/hub, if you use dedicated interface for your PIX/ASA. Connect same interface from both of your A/S-PIX/ASA (for the 1st ISP) to the hub, i.e Ethernet0 on Active & Ethernet0 on Standby to the hub. Then connect your router FastEth to the same hub. Router will see your PIX/ASA pair as single device.

Do the same with the second ISP link.

2. If you use switch, do the same thing, but you have to have 2 vlans to host eash ISP link to the PIX/ASA. Assign ports connected to PIX/ASA active & standby unit, together with the router FastEth under each Vlans meant for the each ISP.

But even though you have 2 x ISP links and Active/Standby PIX/ASA, the switch can be a single point of failure. Better to use dedicated switch/hub (hub is more cheaper).

Rgds,

AK

p.mckay · ‎08-31-2006

Thanks, I really would like to hear from someone who has this running in a production enviroment as I have committed to purchasing two ASA5510 for a remote site. Cuurently do the above as mentioned but with a pair of older 515e using 2 routers and our own BGP AS. New remote site will not have that luxury and being able to use two providers directly will be a great resolution.

p.mckay · ‎08-31-2006

Thanks, I really would like to hear from someone who has this running in a production enviroment as I have committed to purchasing two ASA5510 for a remote site. Cuurently do the above as mentioned but with a pair of older 515e using 2 routers and our own BGP AS. New remote site will not have that luxury and being able to use two providers directly will be a great resolution.

JOSH GANT · ‎09-18-2006

"...being able to use two providers directly will be a great resolution."

You realize that you will only be able to use one provider for the default route correct? That means essentialy that you will only have one of the connections active at a time.

The BGP solution allows you to use both of the internet connections at once (more available bandwidth).