Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

2 Separate ISPs on Outside Interfaces ASA 5510

I have an ASA 5510 with 3 interfaces:  inside, outside_cable, dmz

The cable has been down or slow a lot recently. This isn't so bad for my internal users, but for those connecting to the office via VPN it's a bummer, so I brought a FIOS line in with 1 static IP. 

I would like to set a 4th interface (outside_fios) and use it ONLY for accepting VPN connections from AnyConnect.

I set the FIOS router (provided by Verizon) as a bridge and set the public IP address provided by Verizon on the 4th interface of my ASA.  I also set the AnyConnect profiles to use either the outside_cable OR the outside_fios interfaces. 

Needless to say, I'm missing something, which is why I'm posting, because when I try to connect using AnyConnect to the FIOS IP the connection fails.  I see nothing in the ASA log and the AnyConnect client simply sais that the connection attempt has timed out - please verify internet connectivity (which I definitely have).

I have read some articles about licensing -- base vs. security plus -- and how that may be why this isn't working, but I'm not sure if that is correct.  I have the base license, by the way.

Additionally - I have no routing set up for this interface because I'm not sure how to do it.  The only routing that's happening right now in the ASA is the default route -- routing everything out the outside_cable interface.

Any help would be GREATLY appreciated!

Everyone's tags (1)
2 REPLIES
Super Bronze

2 Separate ISPs on Outside Interfaces ASA 5510

Hi,

I personally always handle Dual ISP routing scenarios with a Cisco router rather than the ASA.

I am not sure how the ASA handles the secondary ISP in this situation. To my understanding usually when the connections are coming from the secondary ISP the ASA should handle the connections correctly but initiating the connections from behind the ASA to the secondary ISP is usually the problem.

You might want to start trying to first configure a default route for the secondary ISP also.

You currently probably have this

route outside_cable 0.0.0.0 0.0.0.0 x.x.x.x 1

You could add

route outside_fios 0.0.0.0 0.0.0.0 x.x.x.x 254

Notice the different metric at th end. Since the original one has the metric of "1", it will stay in use. I use the value "254" simply to have a completely different value to the "1" but it could be "2" for example.

Maybe you could add this route first and try again.

If that doesnt work, I might have to test this out myself just to learn something new. But as I said, I dont have to do this in my work as we handle Dual ISP on routers and never on ASAs themselves.

- Jouni

New Member

2 Separate ISPs on Outside Interfaces ASA 5510

Thanks!  I have added the 2nd default route, but it has not fixed the problem.

I also realized that I had no access rules set up for this interface, so I just added allowing ssh and https and ICMP.

I also checked to make sure the FIOS router was bridging properly by connecting my laptop to it and assigning my laptop to the public IP provided by Verizon.  That worked fine -- I was able to access the internet and ping my laptop successfully from a different network.

I am trying to ping the public IP address (which is the address of the interface on the ASA) and I'm getting request timed out.

I'm officially stuck! 

382
Views
0
Helpful
2
Replies
CreatePlease login to create content