Cisco Support Community

Dual ASA dual ISP scenario

Hi,

I am wondering if it is possible to run a dual ASA, dual (active) ISP scenario. Here is what I have to work with:

-ASA 5510 Base

-ASA 5505 Sec+

-3560 L3 switch

-Two separate ISPs

What I would like to do is set up one ISP to carry only voice traffic while the other ISP carries all other traffic. The 3560 would be attached to both ASAs and would segment the network into separate VLANs (data, voice, etc.).

I am thinking that I could set the default gateway for the data VLAN to be the inside interface of one ASA, and set the default gateway for the voice VLAN to be the inside interface of the other ASA. Would this work?

One thing that I am concerned about is how softphone traffic would be handled since I will have softphones on the data VLAN. Would there be some way to route softphone traffic to the IP PBX, which is in the voice VLAN, and then have it go out the ASA that is designated for voice?

Attached is a network diagram illustrating the situation.

Is this scenario feasible, or am I better off getting a router that can handle dual ISPs and PBR?

Thanks!

2 REPLIES

Hi,

Can your L3 switch do PBR? I mean, if you had the LAN gateways on the L3 switch, you could configure PBR for each LAN so that traffic between the LAN networks bypasses the policy and all other traffic from each LAN is forwarded to its required ASA gateway.

If you also had the requirement that some hosts on the Data LAN would need to use the Voice ASA as the default gateway for external traffic, then I guess that could also be achieved in the same PBR configuration. Though I have to say that I have only configured some simple PBR setups, mostly at home (some PCs using a DSL connection while others use a 4G LTE connection), but with a quick glance online it would seem to me that it would be possible to forward traffic from each LAN to its own gateway ASA and also select some hosts from the Data LAN to use the Voice ASA as gateway (if that was the requirement?).

Another setup could probably be that the L3 switch acts purely as an L2 switch and each VLAN is forwarded to its own ASA firewall. This would naturally handle them using the correct ASA/ISP as their gateway out of the internal network. If you still wanted to combine these networks, I guess you could configure a third VLAN and use it to connect the Data/Voice ASA firewalls. You could then have a route for the Voice LAN on the Data ASA and vice versa through the new VLAN link between the firewalls. The problem would of course be if the requirement was that some Data LAN hosts' Internet traffic would need to be forwarded to the Voice ASA (again unsure if this was a requirement), since the ASA doesn't support PBR. New enough software running on the ASA could possibly enable you to achieve such operation through the use of NAT, but naturally it's not as ideal as doing it with a router.

As I mentioned above, the softphone/PBX is not familiar to me. Does the softphone form connections to the external network directly, or does the PBX form the connections to the external network? I am totally clueless about Voice related subjects. :)

Hope this helps :)

- Jouni

Hi Austin,

You can use your L3 device to play a smart role here. But I am not sure if that works for the softphone application.

You can set a PBR to have the Data traffic routed through ASA1 and voice traffic through ASA2.

But your softphone will use the data traffic, and it should hit the PBX, which is on the LAN, before it goes to ASA2.

Will your softphone client have the information about the IP PBX when it initiates the traffic?

But if you identify the required ports for the softphone traffic, then you can set specific rules in your PBR to get that redirected to ASA2.

Regards

Karthik
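Both replies describe the same design: the 3560 holds the VLAN gateways (SVIs), and a PBR route-map on each SVI sends Internet-bound traffic to that VLAN's ASA while inter-VLAN traffic is routed normally, with a separate clause that steers softphone traffic from the data VLAN to the voice ASA. The following IOS configuration is an added example, not from the thread or from Cisco documentation; the VLAN numbers, addresses, ASA inside IPs and the softphone port ranges are all assumptions and must be replaced with your own values.

```cisco
! Added example (not from the thread). Assumed addressing:
!   VLAN 10 DATA   192.168.10.0/24  SVI 192.168.10.1  Data ASA inside 192.168.10.2
!   VLAN 20 VOICE  192.168.20.0/24  SVI 192.168.20.1  Voice ASA inside 192.168.20.2
! Hosts use the SVI of their VLAN as default gateway, not the ASA directly.
!
! A 3560 only supports PBR with the routing SDM template; changing it needs a reload.
sdm prefer routing
ip routing
!
vlan 10
 name DATA
vlan 20
 name VOICE
!
! Traffic that stays inside the network (any 192.168.x.x destination). A "deny"
! route-map clause excludes it from PBR, so the switch routes it between VLANs
! normally instead of pushing it out through a firewall.
ip access-list extended DATA-INTERNAL
 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
ip access-list extended VOICE-INTERNAL
 permit ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.255.255
!
! Softphone traffic from the data VLAN that should leave via the voice ISP
! (SIP signalling and an assumed RTP range; use the ports your PBX vendor documents).
ip access-list extended DATA-SOFTPHONE
 permit udp 192.168.10.0 0.0.0.255 any eq 5060
 permit tcp 192.168.10.0 0.0.0.255 any eq 5060
 permit udp 192.168.10.0 0.0.0.255 any range 10000 20000
!
! Everything else each VLAN sends.
ip access-list extended DATA-ANY
 permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended VOICE-ANY
 permit ip 192.168.20.0 0.0.0.255 any
!
! Data VLAN policy: local traffic untouched, softphone -> Voice ASA, rest -> Data ASA.
route-map PBR-DATA deny 10
 match ip address DATA-INTERNAL
route-map PBR-DATA permit 20
 match ip address DATA-SOFTPHONE
 set ip next-hop 192.168.20.2
route-map PBR-DATA permit 30
 match ip address DATA-ANY
 set ip next-hop 192.168.10.2
!
! Voice VLAN policy: local traffic untouched, rest (including the PBX) -> Voice ASA.
route-map PBR-VOICE deny 10
 match ip address VOICE-INTERNAL
route-map PBR-VOICE permit 20
 match ip address VOICE-ANY
 set ip next-hop 192.168.20.2
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip policy route-map PBR-DATA
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip policy route-map PBR-VOICE
!
! Each ASA must know the way back to the VLAN it is not directly connected to,
! otherwise reply traffic is dropped at the firewall. On the Data ASA:
!   route inside 192.168.20.0 255.255.255.0 192.168.10.1
! On the Voice ASA:
!   route inside 192.168.10.0 255.255.255.0 192.168.20.1
! Verify with: show route-map PBR-DATA  /  show ip policy
```

The next hops in `set ip next-hop` are the ASA inside addresses, which are on subnets the switch is directly attached to, as PBR requires. Because each ASA NATs outbound traffic to its own ISP address, replies return through the same ASA that sent the request, so the two firewalls never see asymmetric flows as long as the return routes above are in place. The `deny 10` clauses are what keep data-to-voice traffic (softphone to PBX) on the switch; without them the PBR clause for "any" destination would send that traffic to a firewall that has no reason to forward it back inside.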
