Dual ISP Setup
How can an ASA5510 be used to connect a network to the Internet using dual ISPs?
DSL Circuit to ISP 1 (126.96.36.199/255.255.255.0)
T1 circuit to ISP 2 (188.8.131.52/255.255.255.0)
Internal network with non-routable address space (10.10.10.0/255.255.255.0).
The goals are:
a) is to be able to load balance across the two connections
b) to be able to connect from the outside using both connections (VPN to each external interface independently).
Yes, I know: there are other posts. I've already read all the other ones on the subject and still don't have a satisfactory answer.
Right now, the setup is as follows:
ip address 184.108.40.206 255.255.255.0
ip address 220.127.116.11 255.255.255.0
ip address 10.10.10.1 255.255.255.0
global (DSL) 30 interface
global (TEE) 30 interface
nat (Internal) 30 10.10.10.0 255.255.0.0
The next hop gateway for the DSL circuit is 18.104.22.168
The next hop gateway for the T1 ISP is 22.214.171.124
When the route is as follows:
route DSL 0.0.0.0 0.0.0.0 126.96.36.199 1
Then the connections are NAT'ed and routed out of the DSL interface.
When the route is as follows:
route TEE 0.0.0.0 0.0.0.0 188.8.131.52 1
Then the connections are NAT'ed and routed out of the T1 interface.
I've put the ISPs on separate interfaces so that the NAT functionality can switch over correctly.
When the route is switched to DSL, NAT changes to using the DSL IP. When the route is changed to the T1, NAT changes to use the T1 IP.
As most know, the problem is that two default routes cannot be defined on the ASA. So one has to choose between one circuit or the other. Route tracking can also be set up for failover, but that doesn't solve the problem.
So the question is, how can this be done?
I've read some of some possible solutions, but as I mentioned, nothing seemed definite:
Using OSPF routing?
Multiple context with some load balancing between multiple contexts?
Some sort of fancy arp mechanism?
Having a separate router that can route based on source IP?
Getting a cheapo dual wan router to share the circuits?
Thanks for all replies.
Unfortunately, the ASA cannot do the load balancing.
However, I believe you must have read about the ISP fallback feature, where one link remains active and the other ISP link acts as a standby link. In case the active link fails, the standby link starts passing the traffic. So there's bare minimum disruption of service.
Here's a link which explains ISP fallback in detail :
The major issue here is source-based routing, which is not supported by the PIX/ASA.
For the internet traffic, we need to set up a default route.
route outside 0 0 184.108.40.206
considering 220.127.116.11 as the default gateway.
So, all the traffic will be sent to this default gateway.
We cannot tell the firewall, let's say:
to send the traffic to the isp1 interface when the source is vlan1,
and to send the traffic to the isp2 interface when the source is vlan2.
So, even if you create two VLANs on the inside and divide the internal traffic to go to two different ISP links, it'll not be a viable option, as the ASA only understands destination-based routes. As the destination is internet traffic, a common segment on the two ISP links, we get a route conflict.
The only viable option is to configure active/active failover with two ISP links. Configure two contexts on the ASAs. Let's say:
ON ASA1: context A would be the active / context B would be standby.
ON ASA2: context B would be the active / context A would be standby.
So, by this you can send the traffic from vlan1 through context A,
and the traffic from vlan2 through context B.
Here are a few links which explain the configuration of active/active failover (multiple context) in detail:
d/general/contexts.htm ( Multiple context general )
d/general/mngcntxt.htm ( Adding and managing security contexts )
d/general/failover.htm#wp1096075 ( Configuring active/active failover )
I've used load balancing with two ISPs.
After my ASA I put two routers, each router attached to an ISP, and the ASA is configured with two default routes.
Everything works out fine, but there are some issues with inbound connections that you have to pay attention to.
The only way to load balance outbound is to have two routes of equal cost. Since you cannot have two default routes with equal cost on the ASA, you simply cannot do it.
Failover using the track command is the only option with an ASA at this point in time.
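As an added illustration, not configuration posted by anyone in this thread, here is the shape of the tracked-route failover that this reply and the original question both refer to: one default route stays active while an ICMP probe to the primary gateway succeeds, and the second route takes over when the probe fails. It reuses the interface names (DSL, TEE) and next-hop gateways (18.104.22.168, 22.214.171.124) from the question; the SLA and track ids, probe target, packet counts, timers and route metrics are assumptions chosen for the example.

```cisco
! Added example, not configuration from the thread; ids, timers and metrics are assumed values.
! Probe the DSL next hop with ICMP echo every 5 seconds
sla monitor 1
 type echo protocol ipIcmpEcho 18.104.22.168 interface DSL
 num-packets 3
 frequency 5
sla monitor schedule 1 life forever start-time now

! Track object 1 follows the reachability state of SLA probe 1
track 1 rtr 1 reachability

! Primary default route is installed only while track 1 reports the gateway reachable
route DSL 0.0.0.0 0.0.0.0 18.104.22.168 1 track 1

! Backup default route with a worse metric is used once the primary is withdrawn
route TEE 0.0.0.0 0.0.0.0 22.214.171.124 254
```

Because the `global (DSL)` and `global (TEE)` statements in the question are tied to the egress interface, the translated source address follows whichever default route is currently installed, which is the behaviour the question observed when switching the route by hand. Note that probing the directly connected gateway only detects a failure of the local link; an outage further upstream at the ISP leaves the probe answering and the primary route in place, so the choice of probe target is worth some thought.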
I am confused about your statement:
"Since you cannot have two default routes with equal cost on the ASA, you simply cannot do it."
In the ASA Configuration Guide
"You can define up to three equal cost default route entries per device. Defining more than one equal cost default route entry causes the traffic sent to the default route to be distributed among the specified gateways. When defining more than one default route, you must specify the same interface for each entry."
As people have mentioned, you can't use your ASA to *actively* use both your ISPs at the same time. Your best bet, if you want to use both ISPs, is to purchase a router to stick outside the FW. Once you have a router outside your firewall you will have multiple options to fulfill your requirements.
I run a similar setup where I have a router outside my firewall, and I use a route-map on the router to point traffic to different ISPs depending on the NAT groups the traffic is coming from on the ASA. It works great.
The following document might be worth going through:
Let me know if that helps.
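As an added example, not the poster's own configuration, this is how the route-map approach described in the reply above looks on a Cisco IOS router placed outside the ASA: the ASA translates two internal groups to two different public pools, and the router policy-routes on those translated source addresses to pick the ISP next hop. The interface name, the pool ranges (documentation prefixes 203.0.113.0/24 and 198.51.100.0/24) and the next-hop addresses (192.0.2.1, 192.0.2.129) are assumptions for the example.

```cisco
! Added example for an IOS router between the ASA and both ISPs; all names and addresses are assumed.
! Traffic already translated by the ASA arrives with one of two public source pools.
ip access-list extended FROM-POOL-ISP1
 permit ip 203.0.113.0 0.0.0.255 any
ip access-list extended FROM-POOL-ISP2
 permit ip 198.51.100.0 0.0.0.255 any

! Policy routing: choose the ISP by translated source address
route-map ISP-SELECT permit 10
 match ip address FROM-POOL-ISP1
 set ip next-hop 192.0.2.1
route-map ISP-SELECT permit 20
 match ip address FROM-POOL-ISP2
 set ip next-hop 192.0.2.129

! Apply the policy on the interface facing the ASA outside interface
interface GigabitEthernet0/0
 description Link to ASA
 ip policy route-map ISP-SELECT

! Anything the route-map does not match follows the ordinary routing table
ip route 0.0.0.0 0.0.0.0 192.0.2.1
```

The route-map has no deny entries, so traffic from sources outside both pools falls through to the normal default route rather than being dropped. Which inside hosts land in which pool is decided entirely by the NAT configuration on the ASA, so the split between ISPs can be changed there without touching the router.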