Thanks for the reply,

yes we want to utilise both link simultaneously, but here trffic seperation would be on VLAN base.

i think it has to work. Just required guide line.

Anil

Hi,

The problem with this kind of setup if you are going to do it with a single ASA that is NOT virtualized is the fact that Cisco doesnt officially support this.

So I doubt you will be able to find a guide for this from Cisco.

However to give you an example what I have tested briefly for users here on Cisco Support Community

Lets say we have this situation

• ASA running atleast 8.4(x) software level
• 2 ISP connections
• 2 LAN networks and 2 DMZ
• Each LAN/DMZ pair would use different ISP link
• Each LAN/DMZ pair should be able to access eachother

Lets then presume the following base information for the ASA

• Interface names: ISP-1, ISP-2, LAN1, LAN2, DMZ1 and DMZ2
• Networks: 
  • ISP1 - 1.1.1.0/29
  • ISP2 - 2.2.2.0/29
  • LAN1 - 10.10.10.0/24
  • LAN2 - 10.10.20.0/24
  • DMZ1 - 192.168.10.0/24
  • DMZ2 - 192.168.20.0/24

Then the very basic configurations (not all) should look something like this

INTERFACE CONFIGURATIONS

• Only examples, you could for example be using Trunk interface with or without Etherchannel

interface GigabitEthernet0/0

description ISP-1

nameif ISP-1

security-level 0

ip address 1.1.1.2 255.255.255.248

interface GigabitEthernet0/1

description ISP-2

nameif ISP-2

security-level 0

ip address 2.2.2.2 255.255.255.248

interface GigabitEthernet0/2

description LAN1

nameif LAN1

security-level 100

ip address 10.10.10.1 255.255.255.0

interface GigabitEthernet0/3

description LAN2

nameif LAN2

security-level 100

ip address 10.10.20.1 255.255.255.0

interface GigabitEthernet0/4

description DMZ1

nameif DMZ1

security-level 50

ip address 192.168.10.1 255.255.255.0

interface GigabitEthernet0/5

description DMZ2

nameif DMZ2

security-level 50

ip address 192.168.20.1 255.255.255.0

DEFAULT ROUTES

• ASA needs default route for each ISP
• NAT configurations will handle choosing the actual egress interface after which the corresponding default route will be used

route ISP-1 0.0.0.0 0.0.0.0 1.1.1.1 1

route ISP-2 0.0.0.0 0.0.0.0 2.2.2.1 254

OBJECTS FOR NAT

• These "object" and "object-group" are created purely for the use of NAT configurations. They hold with them essential networks to make the NAT work.

object network LAN1

subnet 10.10.10.0 255.255.255.0

object network LAN2

subnet 10.10.20.0 255.255.255.0

object network DMZ1

subnet 192.168.10.0 255.255.255.0

object network DMZ2

subnet 192.168.20.0 255.255.255.0

object network ANY-0.0.0.0-1

subnet 0.0.0.0 128.0.0.0

object network ANY-128.0.0.0-1

subnet 128.0.0.0 128.0.0.0

object-group network ALL

network-object object ANY-0.0.0.0-1

network-object object ANY-128.0.0.0-1

BASIC NAT CONFIGURATIONS

• First we define a NAT that enables the LAN1/DMZ1 and LAN2/DMZ2 networks to connect between eachother with original IP addresses (ACLs still define what is allowed)
• Second we define LAN1/DMZ1 NAT configurations that defines that ALL networks are found behind ISP-1
• Third we define LAN2/DMZ2 NAT configurations that defines that ALL networks are found behind ISP-2
• The reason for the using the destination network ALL is that the NAT will force the traffic destined to ALL networks through a specific ISP interface. If the ASA would use the routing table to make this choice then ISP-2 would NEVER be used for outbound connections. Only possinble inbound connection (for which there is no NAT configurations below)

nat (LAN1,DMZ1) source static LAN1 LAN1 destination static DMZ1 DMZ1 description LAN1 to DMZ1 traffic UNNATED

nat (LAN2,DMZ2) source static LAN2 LAN2 destination static DMZ2 DMZ2 description LAN2 to DMZ2 traffic UNNATED

nat (LAN1,ISP-1) source dynamic LAN1 interface destination static ALL ALL description Default PAT for LAN1 ISP-1 traffic

nat (DMZ1,ISP-1) source dynamic DMZ1 interface destination static ALL ALL description Default PAT for DMZ1 ISP-1 traffic

nat (LAN2,ISP-2) source dynamic LAN2 interface destination static ALL ALL description Default PAT for LAN2 to ISP-2

nat (DMZ2,ISP-2) source dynamic DMZ2 interface destination static ALL ALL description Default PAT for DMZ2 to ISP-2

The VERY VERY IMPORTANT thing to notice with configuring such a NAT is that the NAT order will be playing an even bigger role than in normal users ASA configuration.

You will be essentially configuring all NAT configurations as Manual NAT in Section 1

So lets say you needed to add Static NAT for servers then those configurations would be added between the LAN -> DMZ and LAN/DMZ -> ISP NAT configurations. If they would simply be added wihtout ordering numbers then the Dynamic PAT configuration would override them.

So as you might see, this will create a configuration that will require a lot more carefull consideration when creating rules.

As its not officially supported way of accomplishing this from Cisco you might also be more likely to run into problems with the NAT configurations.

I will also have to say that this is not something that I have used in a production environment either, just briefly tested. Also I wrote this all out of my head so it might contain some typos or errors.

Hope this helps though

Please do remember to mark a reply as the correct answer if it answered your question.

Also feel free to ask more if needed

- Jouni

Corrected typo in the other "route" command

- Jouni

Thanks for testing this for users. I wanted to give your 5 stars but for some reason it does not allow me to go beyond 2. Any reason?