New Member

Two ISP connections into an ASA 5510?

I have a client asking if this is possible:

Can I connect 2 WAN connections from 2 ISPs to the ASA and have mail traffic route through ISP 1 and all other web traffic route through ISP 2?

Would this be possible with multiple contexts on the firewall?

Thanks.

Dan

Edit: After talking to a co-worker and doing some research, it won't work directly on the ASA even with multiple contexts. I need to talk to this client (this was passed to me through one of our sales people) and try to convince them that using two ISPs will cause more problems than it's worth, unless they want to use the second ISP for redundancy.

11 REPLIES

Re: Two ISP connections into an ASA 5510?

Hi,

This won't work in ASA single mode, because it can handle only 1 default route at a time.

But it will work fine with the ASA in multi-context mode, with one Internet link in each context. But again you need to consider the limitations of the ASA in context mode: you cannot use features like VPN, dynamic routing, etc.

New Member

Re: Two ISP connections into an ASA 5510?

Thanks for the reply.

I did get a chance to talk to the client yesterday, and what they are looking for, the ASA doesn't supply. They want an all-in-one firewall, one that can handle dual ISPs, AV, anti-spyware, IDS/IPS, etc. It sounds like they are more interested in a different FW solution (a different vendor, that is).

New Member

Re: Two ISP connections into an ASA 5510?

You can do everything you mentioned above with an ASA.

You can deploy the ASA with dual ISPs. There is a configuration example on the CCO. The ASA has two default routes with different priorities. The backup link will only be used if the primary link is unavailable.

You can do either the AV/Spyware OR the IDS/IPS, but not both. The firewall has only 1 module slot, so it's one or the other.

New Member

Re: Two ISP connections into an ASA 5510?

I have a customer that wanted the same solution, which I was able to do with Cisco ASAs. I used two ASA 5510 units, 1 with IPS, the other with CSC. The IPS unit I hooked up to both ISPs, using the SLA as described; their servers used one ISP, while the other acted as backup. The only problem is, if the server ISP failed, there is no way for inbound traffic to get to the servers, but their Internet was 100% backed up. If you were to set up a dual DMZ with backup servers on the other ISP, then you have 100% backup protection. The CSC unit was behind the other ASA, and their data LAN connected to that unit.

New Member

Re: Two ISP connections into an ASA 5510?

Hi,

You can terminate 2 ISPs into the ASA. See the config script:

=============================================

!
interface eth0
! primary ISP link
 nameif outside
 security-level 0
 ip address 10.200.159.2 255.255.255.248
!
interface eth1
! this is the other ISP link
 nameif backup
 security-level 0
 ip address 10.250.250.2 255.255.255.248
!
interface eth2
 nameif inside
 security-level 100
 ip address 10.10.10.2 255.255.255.0
!
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0
!
! primary default route, installed only while track 1 reports the SLA target reachable
route outside 0.0.0.0 0.0.0.0 10.200.159.1 1 track 1
!
! backup default route with a worse metric, used only while the tracked route is withdrawn
route backup 0.0.0.0 0.0.0.0 10.250.250.1 254
!
! new monitoring process with id 123: the monitoring protocol and the target
! network object whose availability the tracking process monitors
sla monitor 123
 type echo protocol ipIcmpEcho 10.0.0.1 interface outside
 num-packets 3
 frequency 10
!
sla monitor schedule 123 life forever start-time now
!
track 1 rtr 123 reachability
!

==========================================

You can also have the IPS or the Anti-Spyware feature in the ASA, one at a time.

Please rate if it helps.

Re: Two ISP connections into an ASA 5510?

Hi guys,

The config you have posted only works in primary and backup mode, while the question was about load balancing and load sharing the traffic.

The thing is, the ASA does not support it.

Also, even with two contexts, you can make only mail go to one ISP and the other traffic to the other ISP.

With a Cisco router we can easily do it by using PBR (policy-based routing),

but the ASA does not support this feature.

Thank you.

If helpful, rate.

Cisco Employee

Re: Two ISP connections into an ASA 5510?

Let's say the customer has the above setup, with ISP1 being the primary ISP and ISP2 being the secondary ISP.

I'm assuming that you all know how ISP failback is configured and how it functions. To summarize, in ISP failback all traffic goes out using ISP1, and if it fails, the ASA/PIX starts routing traffic via ISP2.

Scenario I

==========

Now, the customer does not want to configure ISP failback, but he needs to route Web (port 80, 443) traffic via ISP2 and all other traffic via ISP1. This requires PBR, which is not supported on the ASA/PIX, but we can configure a workaround on the ASA/PIX to make it work.

Following are the commands which will achieve it:

route ISP1 0 0 1.1.1.2 //Default route pointing to ISP1
route ISP2 0 0 2.2.2.2 2 //Default route with metric 2 via ISP2
static (ISP2,inside) tcp 0.0.0.0 80 0.0.0.0 80
static (ISP2,inside) tcp 0.0.0.0 443 0.0.0.0 443
sysopt noproxyarp inside
nat (inside) 1 0 0
global (ISP1) 1 interface
global (ISP2) 1 interface

That's it! Now all the traffic destined to any address on port 80/443 will be forcibly put on the ISP2 interface and routed from there.

Note: This requires that we KNOW what the destination ports are; if there is some traffic which uses dynamic ports, like voice traffic, we will have to route it via ISP1 and cannot make it route via ISP2.

Scenario II

===========

In the same setup, if the customer says that he wants half the traffic to go via ISP1 and half via ISP2, first you need to explain to the customer that the ASA is NOT a load-balancer or packet-shaper. Hence we cannot *truly* achieve this, but we may configure the ASA in such a manner that traffic for some destination IP addresses is routed via ISP1 and some is routed via ISP2. Following would be the configuration commands in this scenario:

nat (inside) 1 0 0
global (ISP1) 1 interface
global (ISP2) 1 interface
route ISP1 128.0.0.0 128.0.0.0 1.1.1.2
route ISP2 0.0.0.0 128.0.0.0 2.2.2.2

The first creates a default route that routes addresses with a first bit of 1 to 1.1.1.2 of ISP1.

The second creates a default route that routes addresses with a first bit of 0 to 2.2.2.2 of ISP2.

Note: This will do traffic routing based on *Destination* IP addresses and NOT based on traffic load. As I mentioned, the ASA is NOT a packet-shaper.

There are a few more setups about which I have sent emails.

Marva, I am sure you would rate.. not a 3 though. :)

Regards,

Sushil
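As an added example (not code from any poster in this thread), a small Python model of how the ASA picks the egress interface for the routes posted above: the tracked primary/backup default routes from the SLA-monitor reply, Sushil's Scenario I port pinning, and the Scenario II 128.0.0.0/1 split. Interface names, routes and ports are taken from the posts; the `best_route` and `egress_for_flow` functions, the route tuples and the track-state dictionary are assumptions of this model, not ASA internals.

```python
import ipaddress

# Constructed model of ASA egress selection for the routes posted in this
# thread. Each route: (interface, network, metric, tracked-object id or None).
FAILOVER_ROUTES = [
    ("outside", "0.0.0.0/0", 1, 1),      # route outside 0 0 10.200.159.1 1 track 1
    ("backup", "0.0.0.0/0", 254, None),  # route backup 0 0 10.250.250.1 254
]
SCENARIO1_ROUTES = [
    ("ISP1", "0.0.0.0/0", 1, None),      # route ISP1 0 0 1.1.1.2
    ("ISP2", "0.0.0.0/0", 2, None),      # route ISP2 0 0 2.2.2.2 2
]
# Scenario I: the static (ISP2,inside) entries pin these destination ports to ISP2.
SCENARIO1_PINNED = {80: "ISP2", 443: "ISP2"}
SCENARIO2_ROUTES = [
    ("ISP1", "128.0.0.0/1", 1, None),    # route ISP1 128.0.0.0 128.0.0.0 1.1.1.2
    ("ISP2", "0.0.0.0/1", 1, None),      # route ISP2 0.0.0.0 128.0.0.0 2.2.2.2
]


def best_route(routes, dst, track_up):
    """Longest prefix match, then lowest metric. A route tied to a track
    object is withdrawn from the table while that object is down (the
    'track 1 rtr 123 reachability' behaviour from the failover config)."""
    ip = ipaddress.ip_address(dst)
    candidates = []
    for iface, net, metric, track in routes:
        if track is not None and not track_up.get(track, True):
            continue  # SLA target unreachable: tracked route is not installed
        n = ipaddress.ip_network(net)
        if ip in n:
            candidates.append((-n.prefixlen, metric, iface))
    return min(candidates)[2] if candidates else None


def egress_for_flow(dst, dport, routes, pinned=None, track_up=None):
    """Egress interface for a flow: a port pinned by the outside-to-inside
    statics wins first; otherwise the routing table decides by destination
    address, never by load (as the thread notes, the ASA is not a load balancer)."""
    if pinned and dport in pinned:
        return pinned[dport]
    return best_route(routes, dst, track_up or {})


if __name__ == "__main__":
    print(best_route(FAILOVER_ROUTES, "203.0.113.10", {1: False}))  # backup
    print(egress_for_flow("203.0.113.10", 443, SCENARIO1_ROUTES, SCENARIO1_PINNED))  # ISP2
    print(egress_for_flow("8.8.8.8", 25, SCENARIO2_ROUTES))  # ISP2 (first bit is 0)
```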

Re: Two ISP connections into an ASA 5510?

Hi Sushil,

this is 5+ :)

but I only want a simple description regarding the first way:

why did you use the NATing like that?

I mean

(outside,inside) and not (inside,outside), and what is the benefit of the command sysopt noproxyarp inside here?

Thanks,

Marwan

New Member

Re: Two ISP connections into an ASA 5510?

I have a question regarding the dual ISP ASA setup.

I have a customer who wants to add a second ISP to his ASA. The A records for the translations will have ISP1 as primary and ISP2 as secondary. How do I translate 2 different outside IP addresses to the web server?

thanks

Cisco Employee

Re: Two ISP connections into an ASA 5510?

static (INSIDE,ISP1)

static (INSIDE,ISP2)

Regards,

Sushil
