Cisco Support Community
Community Member

loadbalancing with Dual ISP

Hi,

I am using an ASA5510 and I want to configure my ASA to work with 2 ISPs (one with HTTP/HTTPS traffic - the second for all the rest of the traffic).
I know this is not a supported configuration, but there are some workarounds, like I read in this post:

https://supportforums.cisco.com/docs/DOC-15622

I tried solution 2: route traffic based on destination ports with 2 default routes (with metric 1 and 2), but it doesn't work!
I tried to simulate this situation with the packet-tracer tool, and when I send an HTTP packet on the second WAN, the packet is still sent on the 1st WAN link.


Has anyone already succeeded with this configuration?

Thank you

I have attached my network schema to this post.

4 REPLIES
Super Bronze


Hi,

Did you also use the NAT configurations in the document? They are the configurations that will actually redirect the HTTP and HTTPS traffic through the other ISP, while naturally the secondary default route will also be required.

If you have an ASA running 8.3 or newer software, then it would be easier, mainly because of the new NAT configuration format.

I have not tested this on 8.2 or older software.

- Jouni

Community Member


Yes, I tried all the solutions with NAT and default routes in the document, and I have an ASA running 8.2.

Super Bronze


Hi,

What does the "packet-tracer" command's output say when you try simulating an HTTP connection from LAN to WAN?

For example something like

packet-tracer input inside tcp <source-ip> 12345 1.1.1.1 80

If the NAT is configured correctly then you should see a UN-NAT Phase which should forward the connection through the correct ISP link.

- Jouni

Community Member


Here is the result of the command "packet-tracer input inside tcp 12345 1.1.1.1 80".

We can see that the packet is forwarded through ISP1 and not ISP2 as I want.

Result of the command: "packet-tracer input LAN tcp 192.168.1.3 12345 2.2.2.2 80"

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         WAN

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (LAN,WAN2) tcp interface www 192.168.1.3 www netmask 255.255.255.255
match tcp LAN host 192.168.1.3 eq 80 WAN2 any
   static translation to 200.1.1.69/80
   translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN) 1 192.168.1.0 255.255.255.0
match ip LAN 192.168.1.0 255.255.255.0 WAN any
   dynamic translation to pool 1 (WAN [Interface PAT])
   translate_hits = 5, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.1.3/12345 to WAN/1025 using netmask 255.255.255.255

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 43, packet dispatched to next module

Result:
input-interface: LAN
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: allow
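
The check discussed in this thread can be automated. The following Python script is an added example, not part of any participant's post: it parses saved packet-tracer output and reports the final egress interface, the interface picked in ROUTE-LOOKUP, and whether a UN-NAT phase appears. The function names and the abridged sample text are constructed for illustration.

```python
import re

# Constructed sample: abridged from the packet-tracer output posted in this thread.
SAMPLE = """\
Phase: 2
Type: ROUTE-LOOKUP
Result: ALLOW
Additional Information:
in   0.0.0.0         0.0.0.0         WAN
Phase: 6
Type: NAT
Result: ALLOW
Result:
input-interface: LAN
output-interface: WAN
Action: allow
"""

def parse_trace(text):
    """Split packet-tracer output into phases plus the final result summary."""
    phases, summary, current = [], {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "lines": []}
            phases.append(current)
        elif line == "Result:":            # a bare "Result:" opens the summary
            current = None
        elif current is None:              # summary lines are "key: value" pairs
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
        elif line.startswith("Type:"):
            current["type"] = line.split(":", 1)[1].strip()
        else:
            current["lines"].append(line)
    return phases, summary

def check_egress(text, expected_ifc):
    """Report whether the flow leaves via expected_ifc and whether UN-NAT ran."""
    phases, summary = parse_trace(text)
    routed = [l.split()[-1] for p in phases if p["type"] == "ROUTE-LOOKUP"
              for l in p["lines"] if l.startswith("in ")]
    egress = summary.get("output-interface")
    return {"egress": egress, "egress_ok": egress == expected_ifc,
            "has_un_nat": any(p["type"] == "UN-NAT" for p in phases),
            "route_lookup_ifc": routed[0] if routed else None}

if __name__ == "__main__":
    print(check_egress(SAMPLE, "WAN2"))
```
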
