So are you saying that you want to use both ISP links at the same time?
If I am not totally wrong, there is no official way Cisco would recommend doing this. The only setup I think they support is using the other ISP as a backup which only activates when the primary ISP fails.
Naturally when the ASA is virtualized into Multiple Context mode then you can use different ISPs for different Security Contexts.
An unofficial way of utilizing both ISPs would be to use the NAT configurations on the ASA to separate certain subnets'/hosts' traffic to a certain ISP link.
Re: Cisco Asa 5515-X vlan base traffic segregation
The problem with this kind of setup, if you are going to do it with a single ASA that is NOT virtualized, is the fact that Cisco doesn't officially support this.
So I doubt you will be able to find a guide for this from Cisco.
However, to give you an example of what I have tested briefly for users here on Cisco Support Community:
Let's say we have this situation
ASA running at least 8.4(x) software level
2 ISP connections
2 LAN networks and 2 DMZ
Each LAN/DMZ pair would use different ISP link
Each LAN/DMZ pair should be able to access each other
Let's then presume the following base information for the ASA
Interface names: ISP-1, ISP-2, LAN1, LAN2, DMZ1 and DMZ2
ISP-1 - 22.214.171.124/29
ISP-2 - 126.96.36.199/29
LAN1 - 10.10.10.0/24
LAN2 - 10.10.20.0/24
DMZ1 - 192.168.10.0/24
DMZ2 - 192.168.20.0/24
Then the very basic configurations (not all) should look something like this.
These are only examples; you could for example be using a trunk interface with or without EtherChannel.
! One "ip address" per named interface, in the order of the interface names above
! ISP-1
ip address 188.8.131.52 255.255.255.248
! ISP-2
ip address 184.108.40.206 255.255.255.248
! LAN1
ip address 10.10.10.1 255.255.255.0
! LAN2
ip address 10.10.20.1 255.255.255.0
! DMZ1
ip address 192.168.10.1 255.255.255.0
! DMZ2
ip address 192.168.20.1 255.255.255.0
The ASA needs a default route for each ISP.
The NAT configurations will handle choosing the actual egress interface, after which the corresponding default route will be used.
route ISP-1 0.0.0.0 0.0.0.0 220.127.116.11 1
route ISP-2 0.0.0.0 0.0.0.0 18.104.22.168 254
OBJECTS FOR NAT
These "object" and "object-group" entries are created purely for use in the NAT configurations. They hold the networks needed to make the NAT work.
object network LAN1
 subnet 10.10.10.0 255.255.255.0
object network LAN2
 subnet 10.10.20.0 255.255.255.0
object network DMZ1
 subnet 192.168.10.0 255.255.255.0
object network DMZ2
 subnet 192.168.20.0 255.255.255.0
! Two /1 objects (0.0.0.0/1 and 128.0.0.0/1) that together cover all of IPv4.
! They are used instead of "any" so that the NAT rule, not the routing table,
! selects the egress interface.
object network ANY-0.0.0.0-1
 subnet 0.0.0.0 128.0.0.0
object network ANY-128.0.0.0-1
 subnet 128.0.0.0 128.0.0.0
object-group network ALL
 network-object object ANY-0.0.0.0-1
 network-object object ANY-128.0.0.0-1
BASIC NAT CONFIGURATIONS
First we define a NAT that enables the LAN1/DMZ1 and LAN2/DMZ2 networks to connect with each other using their original IP addresses (ACLs still define what is allowed).
Second we define LAN1/DMZ1 NAT configurations that define that ALL networks are found behind ISP-1.
Third we define LAN2/DMZ2 NAT configurations that define that ALL networks are found behind ISP-2.
The reason for using the destination network ALL is that the NAT will force the traffic destined to ALL networks through a specific ISP interface. If the ASA used the routing table to make this choice, then ISP-2 would NEVER be used for outbound connections, only for possible inbound connections (for which there are no NAT configurations below).
nat (LAN1,ISP-1) source dynamic LAN1 interface destination static ALL ALL description Default PAT for LAN1 ISP-1 traffic
nat (DMZ1,ISP-1) source dynamic DMZ1 interface destination static ALL ALL description Default PAT for DMZ1 ISP-1 traffic
nat (LAN2,ISP-2) source dynamic LAN2 interface destination static ALL ALL description Default PAT for LAN2 to ISP-2
nat (DMZ2,ISP-2) source dynamic DMZ2 interface destination static ALL ALL description Default PAT for DMZ2 to ISP-2
The VERY VERY IMPORTANT thing to notice when configuring such a NAT is that the NAT order will play an even bigger role than in a normal user's ASA configuration.
You will essentially be configuring all NAT configurations as Manual NAT in Section 1.
So let's say you needed to add a Static NAT for servers; those configurations would have to be added between the LAN -> DMZ and LAN/DMZ -> ISP NAT configurations. If they were simply added without ordering numbers, then the Dynamic PAT configuration would override them.
So as you might see, this will create a configuration that requires a lot more careful consideration when creating rules.
As it's not an officially supported way of accomplishing this from Cisco, you might also be more likely to run into problems with the NAT configurations.
I will also have to say that this is not something that I have used in a production environment either, just briefly tested. Also I wrote this all out of my head so it might contain some typos or errors.
Hope this helps though
Please do remember to mark a reply as the correct answer if it answered your question.
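As an added example (not code from the post above or from Cisco), here is a small Python model of how the ASA evaluates Section 1 manual NAT top-down, first match wins, loaded with the rule set the post describes. It shows how the two /1 "ALL" halves pin each LAN/DMZ pair to its own ISP, what happens to LAN1 -> DMZ2 traffic that no pair-specific identity rule covers, and why a server static NAT placed after the dynamic PAT line is never reached. It assumes the identity NAT lines the post describes but does not show, and constructs a hypothetical DMZ1 web server 192.168.10.10 mapped to 203.0.113.10 plus an Internet destination 198.51.100.5; only the forward (real-to-mapped) direction is modelled, so the reverse match a real static NAT also provides is omitted.

```python
"""First-match model of ASA 8.4+ Section 1 (manual/twice NAT) lookup.

Added example, not from the original post.  Interface names and RFC 1918
networks are the post's; the web server, its mapped address and the
Internet destination used in __main__ are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# The post's two /1 objects: together they cover every IPv4 address while
# still letting the NAT rule (not the routing table) choose the egress.
ALL = ("0.0.0.0/1", "128.0.0.0/1")

# Default routes from the post: ISP-1 metric 1, ISP-2 metric 254.  A plain
# route lookup only ever uses the lowest metric, i.e. ISP-1.
ROUTES = [("ISP-1", 1), ("ISP-2", 254)]


@dataclass(frozen=True)
class Rule:
    """One `nat (real_if,mapped_if) source ... destination static X X` line."""
    name: str
    real_if: str            # interface the original source sits on
    mapped_if: str          # egress interface the rule pins the flow to
    real_src: str           # original source network or host
    mapped_src: str         # translated source; "interface" = dynamic PAT
    real_dst: Tuple[str, ...] = ALL   # destination networks the rule matches


def translate_src(rule: Rule, src: ipaddress.IPv4Address) -> str:
    """Static/identity NAT maps the host by its offset into the mapped
    network; dynamic PAT hides everything behind the egress interface."""
    if rule.mapped_src == "interface":
        return f"{rule.mapped_if} interface address"
    real = ipaddress.ip_network(rule.real_src)
    mapped = ipaddress.ip_network(rule.mapped_src)
    return str(mapped.network_address + (int(src) - int(real.network_address)))


def lookup(rules, ingress_if: str, src: str, dst: str):
    """Walk Section 1 top-down; the first matching rule wins and later rules
    that would also match are never consulted.  Returns (egress_if,
    translated_src, rule_name).  With no match the ASA falls back to a
    route lookup, which here always yields ISP-1 because of the metrics."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (ingress_if == r.real_if
                and s in ipaddress.ip_network(r.real_src)
                and any(d in ipaddress.ip_network(n) for n in r.real_dst)):
            return r.mapped_if, translate_src(r, s), r.name
    best_if = min(ROUTES, key=lambda rt: rt[1])[0]
    return best_if, src, "no Section 1 match -> route lookup"


def pair_identity(lan_if, lan_net, dmz_if, dmz_net):
    """Identity NAT both ways so a LAN/DMZ pair keeps original addresses
    (the post describes these lines but does not list them)."""
    return [
        Rule(f"{lan_if}->{dmz_if} identity", lan_if, dmz_if, lan_net, lan_net, (dmz_net,)),
        Rule(f"{dmz_if}->{lan_if} identity", dmz_if, lan_if, dmz_net, dmz_net, (lan_net,)),
    ]


def pat_rules():
    """The post's four `source dynamic X interface destination static ALL ALL` lines."""
    return [
        Rule("LAN1 PAT via ISP-1", "LAN1", "ISP-1", "10.10.10.0/24", "interface"),
        Rule("DMZ1 PAT via ISP-1", "DMZ1", "ISP-1", "192.168.10.0/24", "interface"),
        Rule("LAN2 PAT via ISP-2", "LAN2", "ISP-2", "10.10.20.0/24", "interface"),
        Rule("DMZ2 PAT via ISP-2", "DMZ2", "ISP-2", "192.168.20.0/24", "interface"),
    ]


# Hypothetical static NAT for a DMZ1 web server (addresses constructed here).
WEB_STATIC = Rule("WEB1 static", "DMZ1", "ISP-1", "192.168.10.10/32", "203.0.113.10/32")


def build_rules(static_after_pat: bool):
    """Same rule set, with the server static placed before or after the PAT lines."""
    identity = (pair_identity("LAN1", "10.10.10.0/24", "DMZ1", "192.168.10.0/24")
                + pair_identity("LAN2", "10.10.20.0/24", "DMZ2", "192.168.20.0/24"))
    if static_after_pat:
        return identity + pat_rules() + [WEB_STATIC]
    return identity + [WEB_STATIC] + pat_rules()


if __name__ == "__main__":
    ordered, shadowed = build_rules(False), build_rules(True)
    for ingress, src, dst in [("LAN1", "10.10.10.5", "198.51.100.5"),
                              ("LAN2", "10.10.20.5", "198.51.100.5"),
                              ("LAN1", "10.10.10.5", "192.168.10.20"),
                              ("LAN1", "10.10.10.5", "192.168.20.20"),
                              ("DMZ1", "192.168.10.10", "198.51.100.5")]:
        print(f"{ingress} {src} -> {dst}: ordered={lookup(ordered, ingress, src, dst)}"
              f" shadowed={lookup(shadowed, ingress, src, dst)}")
```

Two results are worth checking against a real box with `packet-tracer`: LAN1 -> DMZ2 traffic matches no identity rule and is therefore PATed out ISP-1 rather than delivered to DMZ2, so cross-pair access needs its own identity NAT lines if it is wanted; and with the static placed after the PAT line, the web server's outbound traffic leaves with the interface address instead of its mapped address, which is exactly the shadowing the post warns about.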