I am wondering if it is possible to run a dual ASA dual (active) ISP scenario. Here is what I have to work with:
- ASA 5510 Base
- ASA 5505 Sec+
- 3560 L3 switch
- Two separate ISPs
What I would like to do is set up one ISP to run only voice traffic while the other ISP runs all other traffic. The 3560 would be attached to both ASAs, and would segment the network into separate VLANs (data, voice, etc.).
I am thinking that I could set the default gateway for the data VLAN to be the inside interface of one ASA, and set the default gateway for the voice VLAN to be the inside interface of the other ASA. Would this work?
One thing that I am concerned about is how softphone traffic would be handled since I will have softphones on the data VLAN. Would there be some way to route softphone traffic to the IP PBX, which is in the voice VLAN, and then have it go out the ASA that is designated for voice?
Attached is a network diagram illustrating the situation.
Is this scenario feasible, or am I better off getting a router that can handle dual ISPs and PBR?
Can your L3 switch do PBR? I mean if you had the LAN gateways on the L3 switch and you would configure PBR for each LAN that would bypass the traffic between the LAN networks and forward all other traffic from each LAN to their required ASA gateway.
If you also had the requirement that from the Data LAN some hosts would need to use the Voice ASA as the default gateway for external traffic then I guess that could also be achieved in the same PBR configuration. Though I have to say that I have only configured some simple PBR setups, mostly at home (some PCs using a DSL connection while others use a 4G LTE connection), but with a quick glance online it would seem to me that it would be possible to achieve forwarding traffic from each LAN to its own gateway ASA and also selecting some hosts from the Data LAN to use the Voice ASA as gateway (if that was the requirement?).
Another setup could probably be one where the L3 switch was purely acting as an L2 switch and each VLAN would be forwarded to its own ASA firewall. This would naturally handle them using the correct ASA/ISP as their gateway out of the internal network. If you still wanted to combine these networks I guess you could configure a third VLAN and use it to connect the Data/Voice ASA firewalls. You could then have a route for the Voice LAN on the Data ASA and vice versa through the new VLAN link between the firewalls. The problem would of course be if the requirement was that some Data LAN hosts' Internet traffic would need to be forwarded to the Voice ASA (again unsure if this was a requirement), since the ASA doesn't support PBR. New enough software running on the ASA could possibly enable you to achieve such operation through the use of NAT, but naturally it's not as ideal as doing it with a router.
As I mentioned above the softphone/PBX is not familiar to me. Does the softphone form connections to the external network directly or does the PBX form the connections to the external network? I am totally clueless about Voice related subjects. :)
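To make the first option above concrete, here is an added example of a 3560 PBR configuration for the "LAN gateways on the L3 switch" design; it is not configuration from either poster, and all VLAN numbers, subnets and addresses in it are assumed. It routes Data-to-Voice traffic normally on the switch (so the softphones reach the PBX directly), sends a chosen softphone host's external traffic to the Voice ASA, and sends everything else from each VLAN to that VLAN's own ASA.

```cisco
! Added example, not from the thread. Assumed addressing:
!   VLAN 10 (Data)  192.168.10.0/24, SVI 192.168.10.1, Data ASA inside 192.168.10.254
!   VLAN 20 (Voice) 192.168.20.0/24, SVI 192.168.20.1, Voice ASA inside 192.168.20.254
!   192.168.10.50  = a softphone PC that should leave via the Voice ASA (assumed host)
ip routing
sdm prefer routing        ! 3560 needs the "routing" SDM template for PBR; reload afterwards

! Traffic between the two internal VLANs: matched by a route-map clause with no
! "set", so it falls through to the normal routing table and never leaves via an ASA
ip access-list extended INTERNAL
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255

ip access-list extended DATA-VIA-VOICE-ASA
 permit ip host 192.168.10.50 any
ip access-list extended DATA-ANY
 permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended VOICE-ANY
 permit ip 192.168.20.0 0.0.0.255 any

! Policy applied to packets arriving on the Data VLAN
route-map PBR-DATA permit 10
 match ip address INTERNAL
 ! no set statement: inter-VLAN traffic is routed by the switch itself
route-map PBR-DATA permit 20
 match ip address DATA-VIA-VOICE-ASA
 set ip next-hop 192.168.20.254        ! selected Data host exits through the Voice ASA
route-map PBR-DATA permit 30
 match ip address DATA-ANY
 set ip next-hop 192.168.10.254        ! everything else from Data exits through the Data ASA

! Policy applied to packets arriving on the Voice VLAN
route-map PBR-VOICE permit 10
 match ip address INTERNAL
route-map PBR-VOICE permit 20
 match ip address VOICE-ANY
 set ip next-hop 192.168.20.254        ! Voice VLAN (incl. the PBX) exits through the Voice ASA

interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip policy route-map PBR-DATA
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip policy route-map PBR-VOICE
```

Two things to check before relying on this. First, each ASA only knows its directly connected VLAN, so the ASA that carries another VLAN's traffic needs a return route to that subnet via the switch SVI (with the assumed addresses, the Voice ASA would need a route to 192.168.10.0/24 via 192.168.20.1); without it, replies for the softphone host are dropped, and the ASA's own logs will show the asymmetric path. Second, because the INTERNAL clause keeps Data-to-Voice traffic on the switch, neither firewall inspects it, so any restriction between those VLANs (for example, limiting Data hosts to the PBX's signaling and media ports) has to be applied as an ACL on the SVIs. Whether the softphone itself needs to reach the Internet through the Voice ASA, or only the PBX does, depends on how the PBX handles external calls, which is exactly the question raised above.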