ASA with 2 ISPs

jackleung
Level 1

I'm thinking about firewalling off 2 WAN links from 2 ISPs with just one ASA. I'm going to set up a second and third interface facing the WAN, treat them as if they were individual, and just add routing to forward traffic as needed. I know of a setup where you can have redundancy with a fallback ISP, but these 2 WAN links are going to be live at the same time. Is there anything I should be aware of, or is there a white paper with a sample config I can look at?

Thanks.

3 Replies

anandramapathy
Level 3

The ASA supports only 1 route outside.

If you terminate both links on the ASA:

Policy routing is not possible on the ASA.

Then you have to manually change the outside routes to the alternate ISP if your main ISP goes down. The 2-DMZ option will also not be possible.

The best option is to terminate both links on the Internet router and do policy routing on the Internet router.

That's fine. But say, for example, I have 2 networks outside, A and B. I can't set a route on the firewall to direct all traffic destined for network A to go to router A and traffic to network B to go to router B (leaving a default route to go to either one of those routers)?

The ASA is not really designed to do that. Load balancing is not possible with 2 external links. You could do route tracking to fail over to the second ISP if the primary failed.

You could also create 2 routes: one for half the Internet and 1 for the other half. However, if you were hosting any services (web or mail) and the connection came in on 1 ISP but the route on the ASA sent it out the other interface, the session would not be established.

You could set up 1 interface as the default route on the ASA. Set up 1 or 2 routers on the edge of the ISP as your gateway (2 with HSRP). Load balancing would be at the router level. But because you have 2 separate ISPs and 2 different subnets, it becomes more of a challenge, unless you could get them to advertise each other's subnets (not likely) and use BGP to update the ISP. Otherwise you would have to configure any NAT you need on the routers, not the ASA.

Hope this helps!

Chad
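A configuration sketch of the two approaches Chad describes (tracked default route with failover, and a crude prefix split), added here as an example; it is not from the thread and not from a Cisco white paper. The interface names, the object name inside-net and every address are assumed placeholders, with addresses taken from the RFC 5737 documentation ranges; the NAT lines assume ASA 8.3 or later syntax.

```cisco
! Added example, not from the original thread. Assumes ASA 8.3+ NAT syntax.
! All addresses are constructed placeholders (RFC 5737 documentation ranges).
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/2
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
object network inside-net
 subnet 10.0.0.0 255.255.255.0
!
! Each ISP-facing interface needs its own PAT rule: a session translated to
! one interface address has to leave, and be answered, on that interface.
nat (inside,outside) source dynamic inside-net interface
nat (inside,outside2) source dynamic inside-net interface
!
! Option 1 (failover only, no load sharing): an ICMP SLA probe toward ISP 1
! controls the primary default route; when the probe fails the tracked route
! is withdrawn and the higher-metric route via ISP 2 takes over.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Option 2 (the "half the Internet each" split Chad mentions), shown commented
! out because it replaces the two default routes above. Chad's caveat applies:
! a session that arrives on one ISP but whose return path is routed to the
! other will not work, so do not host services behind this arrangement.
! route outside  0.0.0.0   128.0.0.0 203.0.113.1
! route outside2 128.0.0.0 128.0.0.0 198.51.100.1
```

Two practical notes on the tracked route: probing the ISP's next-hop gateway only detects the local link going down, so point the SLA probe at a stable host beyond the gateway if you want to catch upstream failures as well; and check `show route` and `show track 1` after a simulated outage to confirm the primary route is actually withdrawn and reinstalled.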
