Well, as far as I know you can do that well on a router, but on the ASA/PIX you can set multiple static routes with the same metric/cost.
This will not work as well as on the router, but you know, hehehe, it's a firewall, not a router :)
If you find it interesting, please rate :)
You can achieve this goal on the router. Are you using multiple ISPs terminating on the same router?
IMHO: the best way is to use a load-sharing mechanism with the policy-based routing feature on the router. Let me explain further: you can have VLAN/subnet 2-5 go to ISP_1 and VLAN/subnet 6-10 go to ISP_2 with the source-route of the policy-based routing feature. Now you can control outbound traffic going to the ISPs. I don't think multiple default routes will be a good solution for multiple ISPs, because are you sure the packets of one session go to the same ISP at a time?
Hope this helps.
The process is simple (if there is 1 DMZ):
The PIX/ASA can handle only 1 outside route.
Therefore this route has to be your Internet router's Ethernet address.
On the Internet router put 1 default outside route towards ISP1 (the ISP on which the DMZ is hosted).
Then put 1 route-map on the Ethernet interface of the router which is on the same subnet as the PIX outside.
This route-map will define that if particular traffic has to be sent to ISP B, match that with an ACL (this will be the public IP of ISP B) with the source IP of the subnet which has to be routed via ISP B.
Set the next hop as the WAN interface of ISP B.
You are done.
So guys, is it advisable not to NAT at the firewall, and instead do the NATting at the router and use the appropriate switching method on the router to route traffic?
This is what I think you are trying to suggest for this problem.
Thanks and regards,
The NAT should be done on the firewall.
On the firewall:
192.168.1.0 NAT outside IP of ISP A (220.127.116.11)
192.168.2.0 NAT outside IP of ISP B
On the Internet router:
put a default route to the WAN IP of ISP A
put a policy route for packets originating with source IP 18.104.22.168 - next hop WAN IP of ISP B
Load balancing will happen based on subnets.
*** Load balancing ***
Say internal subnet A - 192.168.1.0 will be routed via Link A
(Using the default route & NAT for Link A)
internal subnet B - 192.168.2.0 will be routed via Link B
(Using the policy route & NAT for Link B)
*** For Failover *** - You have to do the following & it is manual :(
(Since you are not running a BGP config where both ISPs can route each other's traffic)
Change route & change NAT. May be a little confusing.
If Link A goes down - change the default route on the Internet router to Link B.
Change the NAT config for Subnet A & add it to pool B.
If Link B goes down - remove the policy route from the Internet router so that all traffic is diverted to Link A.
Change the NAT config for Subnet B & add it to pool A.
Let me know if you have any doubts.
HTH - Please rate all useful posts
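As an added worked example (not part of any post in this thread), here is the per-subnet NAT-on-the-ASA plus PBR-on-the-router setup described above as Cisco configuration. It assumes ASA 8.3+ object NAT syntax, RFC 5737 documentation addresses in place of the real ISP blocks, and GigabitEthernet0/0 as the router interface facing the ASA outside.

```cisco
! ===== Internet router (IOS) =====
! Constructed addresses (RFC 5737 documentation ranges), assumed for illustration:
!   ISP A gateway 203.0.113.1, ISP A public address used for Subnet A: 203.0.113.3
!   ISP B gateway 198.51.100.1, ISP B public address used for Subnet B: 198.51.100.3
!   Router-to-ASA transit: router 192.0.2.1, ASA outside 192.0.2.2
!
! One default route: everything that is not policy-routed goes to ISP A
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! The ASA has already translated Subnet B to ISP B's public address,
! so the router matches on that post-NAT source, not on 192.168.2.0
access-list 101 permit ip host 198.51.100.3 any
!
route-map TO-ISP-B permit 10
 match ip address 101
 set ip next-hop 198.51.100.1
!
! PBR is applied on the interface that faces the ASA outside (ingress only)
interface GigabitEthernet0/0
 description Transit to ASA outside
 ip address 192.0.2.1 255.255.255.248
 ip policy route-map TO-ISP-B
!
! Manual failover, as described in the thread:
!   ISP A down: point the default route at 198.51.100.1 and move Subnet A's
!               NAT on the ASA to 198.51.100.3
!   ISP B down: remove "ip policy route-map TO-ISP-B" so Subnet B follows the
!               default route, and move Subnet B's NAT to 203.0.113.3
!
! ===== ASA (8.3+ object NAT syntax assumed) =====
! Single outside route toward the router; the router picks the ISP per subnet
route outside 0.0.0.0 0.0.0.0 192.0.2.1
!
object network SUBNET-A
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic 203.0.113.3
!
object network SUBNET-B
 subnet 192.168.2.0 255.255.255.0
 nat (inside,outside) dynamic 198.51.100.3
```

On the router, `show route-map TO-ISP-B` shows the policy-match counters, which is the quickest check that Subnet B's translated traffic is really leaving via ISP B; traffic from Subnet A should never increment them.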