2 ISP lines on two separate interfaces in separate subnets currently.

Liam Kenneally
Level 1

Hi All,

Wondering if a Security/SP expert could help me with the following...

My end user has the following topology:-

[Topology diagram (Capture.PNG), not reproduced here]

(Note: for simplicity I have shown a single FW; it is actually a pair in A/S.)

Scenario:-

There are 2 ISP lines on two separate interfaces in separate subnets currently.

I know how to configure a backup route for outbound traffic using IP SLA on the ASA, whereby ISP A is the default and should the chosen tracked IP fail then the backup ISP B will be used for outbound routing.

There will be no load balancing as you need a router for that.

My question is regarding inbound traffic:-

Traffic coming in on ISP A, will also be the default route, so the return traffic will go back out towards ISP A on the same ASA interface… agreed?

Traffic coming in on ISP B though, does the firewall maintain the state table to account for outbound interfaces and will the traffic go back out towards ISP B, or will the default route be used and therefore the traffic fail because it's attempting to go back out the ISP A interface?

Hope this makes sense.

Additionally I was wondering if there is any official Cisco documentation to provide my end user for the above.

Kind Regards,

Liam


Jouni Forss
VIP Alumni

Hi,

There is a section related to this in the ASA Configuration Guide that might shed some light and provide an official source for the information also.

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/route_overview.html#wp1095679

To my understanding, with a very basic 2 ISP setup that doesn't use the mentioned IP SLA configuration, any connections coming towards your NATed IP addresses on either ISP should have their return traffic forwarded back according to the already formed connection through the firewall.

I might be able to do some tests if I have the time later today. There have been a couple of similar questions here on CSC this week. The problem for me is that I never use the ASA to terminate 2 ISP links but rather Cisco Routers.

With the newer software levels you should have the option to force this behaviour through NAT configurations if what I mention above wasn't true.

- Jouni

So after reading the document you provided (many thanks)

Along with a bit of googling of ASA packet flow (diagram below)

Traffic from outside (ISPB) will hit the XLATE criteria on the above flow diagram and return traffic (from inside to outside) will be forwarded out the ISPA interface, correct?

Stretching my knowledge of security here, so bear with me.

Regards,

Liam

Traffic will leave the ISPB interface* Sorry, not A

Regards,

Liam

Hi,

To my understanding the situation is the following

  • Any inbound connection to your network from either ISP will have its return traffic flowing through the ISP interface where it came from
  • Any outbound connection from your network will flow through the ISP holding the active default route on the ASA firewall UNLESS there is a destination NAT that overrides the routing table

Since this has been asked in 2 threads today and one yesterday already (and I haven't used this setup myself) I think I will just lab this at home later today (currently 12.30 here in Finland so I am still at work)

So will post later about the test.

- Jouni
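As an added illustration of the decision order described above (a model written for this page, not Cisco code and not from the thread), here is a small Python stateful-forwarding model: established connections are matched in the connection table before any route lookup, so return traffic leaves the interface the flow entered on, while only the first packet of a new outbound flow consults the routing table, where a tracked default route handles the ISP A failover. Interface names, addresses and the track state are constructed sample values.

```python
import ipaddress
from collections import namedtuple
# 5-tuple of a connection; hashable so it can key the connection table.
Flow = namedtuple("Flow", "proto src sport dst dport")
# Static route; distance mirrors the ASA 'route' metric, tracked=True means it is installed only while the IP SLA track is up.
Route = namedtuple("Route", "prefix iface distance tracked", defaults=(1, False))

def reverse(f: Flow) -> Flow:
    return Flow(f.proto, f.dst, f.dport, f.src, f.sport)

class Asa:
    def __init__(self, routes):
        self.routes = routes
        self.track_up = True   # state of the IP SLA track on ISP A
        self.conns = {}        # Flow -> (ingress iface, egress iface)

    def route_lookup(self, dst: str) -> str:
        ip = ipaddress.ip_address(dst)
        usable = [r for r in self.routes
                  if (not r.tracked or self.track_up) and ip in ipaddress.ip_network(r.prefix)]
        # longest prefix first, then lowest administrative distance
        best = max(usable, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.distance))
        return best.iface

    def forward(self, pkt: Flow, ingress: str) -> str:
        # 1. Connection table first: an established flow never consults the routing table.
        if pkt in self.conns:
            return self.conns[pkt][1]
        if reverse(pkt) in self.conns:
            return self.conns[reverse(pkt)][0]   # reply leaves where the flow came in
        # 2. First packet of a new flow: route lookup, then record the connection.
        egress = self.route_lookup(pkt.dst)
        self.conns[pkt] = (ingress, egress)
        return egress

def lab() -> dict:
    # Constructed sample addressing (RFC 5737 ranges); NAT is left out, so the inbound
    # packet already carries the inside host address.
    asa = Asa([Route("10.0.0.0/24", "inside"),
               Route("0.0.0.0/0", "outside_a", distance=1, tracked=True),
               Route("0.0.0.0/0", "outside_b", distance=254)])
    inbound_b = Flow("tcp", "198.51.100.50", 40000, "10.0.0.10", 443)
    out = {"inbound_b_in": asa.forward(inbound_b, "outside_b"),
           "inbound_b_return": asa.forward(reverse(inbound_b), "inside"),
           "outbound_new": asa.forward(Flow("tcp", "10.0.0.10", 50000, "203.0.113.9", 80), "inside")}
    asa.track_up = False   # ISP A probe fails: the tracked default route is withdrawn
    out["outbound_after_failover"] = asa.forward(Flow("tcp", "10.0.0.10", 50001, "203.0.113.9", 80), "inside")
    out["inbound_b_return_after_failover"] = asa.forward(reverse(inbound_b), "inside")
    return out
```

Note that the reply to the connection that arrived on ISP B keeps leaving via outside_b even after the ISP A track fails, because the connection entry, not the routing table, decides its egress.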

Hi Jouni,

The above was my understanding too ...

The end user has the above diagram solution with a Fortigate solution (migrating to Cisco); they want to ensure no loss of service when migrating over. (I think, to be honest, the process has just been overthought, hence complicating the solution) *but better be safe than sorry*

If you could let me know how your lab of the above goes it will be much appreciated.

Again, thanks for your swift replies.

Kind Regards,

Liam

To sum it up: Yes it works! I'm using that on different customer networks with two ISPs.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
