ASA 5540 with 2 ISPs

dsciangula
Level 1

Can I connect 2 different ISPs to my ASA by creating 2 different "outside" interfaces?

If possible I would like to dedicate my existing T1 for email and use my new connection for browsing.

Also, I have my existing T1 connected to a Cisco 2500, and regarding the new connection, they promise an RJ45 connection directly to the ASA for their Internet connection in our building.

Does anyone know if this is possible?

Thank you.

-Dominick

3 Replies

a.kiprawih
Level 7

Hi Dominick,

To achieve this, the ASA Outside (e0) interface needs to be connected to a switch with dot1Q encap.

Create 2 sub-interfaces (need IPs from each T1's ISP) under the Outside interface to host connections from 2 different links.

Next, you need a switch (put before the ASA) to host 2 VLANs that will be used to connect those T1 links. Example - Vlan 10 & Vlan 20. Set the switchport connected to the ASA Outside interface as trunk with dot1Q encap, and allow those 2 VLANs to pass through.

For the existing T1, connect the RJ45 to the switch, and make sure the switch port belongs to one of those VLANs, for example VLAN10.

For your new T1 link, connect the RJ45 to the switchport that belongs to VLAN20.

Guide to create sub-interfaces:

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_guide_chapter09186a008054d463.html#wp1044006

Rgds,

AK
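The trunk and sub-interface layout described in the reply above, as an added example that is not part of the original post or taken from Cisco's guide. Interface names, sub-interface numbers, `nameif` labels, switch port numbers and the addresses (documentation ranges standing in for the ISP-assigned IPs) are assumptions.

```cisco
! ---- Switch in front of the ASA (assumed port numbering) ----
vlan 10
 name ISP1_T1
vlan 20
 name ISP2_NEW
!
interface FastEthernet0/1
 description Trunk to ASA outside physical interface
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! Carry only the two ISP VLANs on the trunk
 switchport trunk allowed vlan 10,20
!
interface FastEthernet0/2
 description Existing T1 (via the Cisco 2500)
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/3
 description New ISP RJ45 handoff
 switchport mode access
 switchport access vlan 20

! ---- ASA: physical interface carries no name or IP, only sub-interfaces ----
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/0.10
 vlan 10
 nameif outside_t1
 ! Both ISP-facing interfaces are untrusted
 security-level 0
 ! Constructed address; use the IP assigned by the T1 ISP
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet0/0.20
 vlan 20
 nameif outside_new
 security-level 0
 ! Constructed address; use the IP assigned by the new ISP
 ip address 198.51.100.2 255.255.255.252
```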

Hi AK,

Is there really a need to create sub-interfaces on the ASA? How about connecting the ASA to an L3 switch as the next hop and letting the switch take care of routing the traffic according to configured policy-based routing?

Regards,

Haitham

Hi Haitham,

Yes, I think you could use PBR. I have not used/tried this method before (in this specific scenario), but it will be interesting to test/simulate it in the lab.

As you know, PBR allows you to:

- Classify traffic based on extended access list criteria. Access lists then establish the match criteria.

- Route packets to specific traffic-engineered paths.

Policies can be based on IP address, port numbers, or protocols.

PBR config guide for L3 Switch:

http://www.cisco.com/en/US/partner/products/hw/switches/ps4324/products_configuration_guide_chapter09186a00801cddc5.html

PBR config guide for router:

http://www.cisco.com/en/US/partner/products/ps6350/products_configuration_guide_chapter09186a00800c75d2.html

PBR Scenario Example:

http://www.cisco.com/en/US/customer/tech/tk365/technologies_tech_note09186a008009481d.shtml

But the presence of a firewall will enforce better security, compared to logical VLAN separation between ISPs in an L3 device.

Pls give it a try, and hopefully it works. Good luck!

Rgds,

AK
