One of our clients has redundant ASA 5505s with a few switches. The ASA 5505s have a basic setup: outside ports, inside ports, and DMZ, each on a different VLAN, and failover is configured and working properly for both. The customer wants to bring a secondary ISP in for added redundancy. Based on the fact that failover uses the redundancy of the same network for the ASAs to talk on, what would be the best approach here?
Can I create two outside interfaces, each with a different ISP, so that if one ISP fails the other one can pick up, using something like an SLA? Also, can I load balance traffic out the two, or even choose which traffic goes out each line? For instance, all internet traffic out one ISP and all VPN traffic out the other ISP.
Any thoughts would be greatly appreciated, and thanks so much in advance.
You can have dual ISP but must have the same configuration on both ASAs, meaning you cannot have one ISP on primary and the other on the secondary.
Because SLA Monitor and Failover are both for redundancy, the best practice is NOT to monitor the outside interface, since it will be tracked by the SLA (if outside fails then the backup takes over; if another interface fails then the entire ASA fails over).
The ASA does not support PBR (routing based on source), therefore you can only have one default route active at a time.
However for L2L VPN, you can configure static routes using the back link (for the peer IP and remote network).
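As an added illustration of the approach described in this answer (not configuration from the original thread), here is an ASA 8.3+ sketch of tracked dual-ISP default routes, VPN pinned to the backup link, and failover interface monitoring left to the SLA. All addresses, VLAN numbers, object names and interface names are constructed placeholders.

```cisco
! Added example, not from the thread. Addresses, VLANs and names are placeholders.
! Both failover units carry this identical config; ISP A = outside, ISP B = backup.
! A fourth VLAN on a 5505 needs Security Plus, which Active/Standby failover already requires.
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
!
interface Vlan3
 nameif backup
 security-level 0
 ip address 198.51.100.2 255.255.255.0 standby 198.51.100.3
!
interface Ethernet0/1
 switchport access vlan 3
!
! Probe ISP A's next hop; if it stops answering, track 1 goes down.
sla monitor 100
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 100 life forever start-time now
track 1 rtr 100 reachability
!
! Only one default route is active: the tracked primary, or the floating backup (metric 254).
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! L2L VPN pinned to ISP B: host route to the peer and a route for its protected network,
! with the (existing) crypto map applied to the backup interface.
route backup 192.0.2.10 255.255.255.255 198.51.100.1 1
route backup 172.16.50.0 255.255.255.0 198.51.100.1 1
crypto map VPN_MAP interface backup
!
! PAT for whichever ISP carries the default route (8.3+ object NAT, one rule per egress interface).
object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network INSIDE_NET_B
 subnet 10.0.0.0 255.255.255.0
 nat (inside,backup) dynamic interface
!
! Failover: let the SLA handle ISP loss; a dead ISP link must not trigger a unit failover.
no monitor-interface outside
no monitor-interface backup
monitor-interface inside
```

Verify the tracking state with `show track 1` and `show route` on the active unit after unplugging ISP A; the backup default route should appear within a few probe intervals.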
Thanks for the prompt response, and great details. What would be the best route to go about this? Primarily, redundancy is the big factor. If one ISP fails we want the other one to take over. With the two ASA 5505s, which is the best way to handle this in your opinion?