I have an ASA5520 with one internal, one DMZ and two outside interfaces to be connected to two separate ISPs' routers.
I would like to use both ISPs for internet traffic in one of these ways:
A) Route traffic based on source IP (separating desktop and server traffic and sending each to one of the ISPs). In other words, having two default gateways selected based on the source IP of the traffic from inside ...
B) Have two default gateways with different metrics so ISP 1 is the default ISP for all desktops and servers but, in case it fails, the ISP 2 link will be available, using:
route outside1 0 0 ISP1_Router 1 (higher metric)
route outside2 0 0 ISP2_Router 2 (lower metric)
Could someone let me know if any of the above methods A and/or B would work for me?
Yes, the ASA will allow multiple default gateways. However, there are a few catches:
1) If you have multiple default gateways that have been manually configured, like:
route outside 0.0.0.0 0.0.0.0 126.96.36.199 1
route outside 0.0.0.0 0.0.0.0 188.8.131.52 2
(two default gateways, 184.108.40.206 and 220.127.116.11 with distance metrics of 1 and 2 respectively)
Then the ASA will *always* use the default gateway with the lower distance metric. The ASA will never use the default gateways with the high distance metrics.
For this to work you need a routing protocol that maintains the routing table in the ASA. For the ASA this means that you need to use the OSPF routing protocol. The way this will work is that, when a route goes down, OSPF will remove the default gateway through that route, and the other default gateways will be used. When the route comes back up OSPF will re-add the route to the routing table.
2) The multiple routes should be reachable through the same interface. In other words, using one interface on the ASA for one route and another interface on the ASA for another route is strongly discouraged. The reason is that, if you are using two interfaces to reach your default gateways, and even if the ASA learns (via OSPF) that a route went down and the routing table changes, all the NAT translations and connections will be lost since they will be active for a specific pair of interfaces, like inside to outside1. As soon as the route out through outside1 is removed from the routing table, traffic will flow from inside to outside2, and therefore new NAT translations and connections will have to be established.
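The two catches in the answer above can be checked with a small model of the behaviour it describes. The following is an added example, not code from the thread or from Cisco: it models a routing table where the lowest-distance route for a prefix always wins, where only protocol-learned routes are withdrawn when a neighbour goes away, and where connection entries are bound to an (ingress, egress) interface pair and are torn down when the egress interface changes. Interface names, the `AsaModel` class and the documentation-range addresses (192.0.2.1, 198.51.100.1, 203.0.113.5) are constructed for the example.

```python
"""Model of ASA default-route selection by administrative distance and of the
connection/xlate teardown that follows an egress-interface change.
Constructed illustration, not ASA code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: str          # e.g. "0.0.0.0/0"
    interface: str       # egress interface name
    next_hop: str
    distance: int        # preference: the trailing number of "route <if> 0 0 <gw> <n>";
                         # for the OSPF case the model reuses this field as the route cost
    source: str = "static"   # "static" (manually configured) or "ospf" (learned)


class AsaModel:
    def __init__(self):
        self.rib: list[Route] = []
        # connection table: (src, dst) -> (ingress interface, egress interface)
        self.conns: dict[tuple[str, str], tuple[str, str]] = {}
        self.torn_down = 0

    def add_route(self, route: Route) -> None:
        self.rib.append(route)

    def link_down(self, interface: str) -> None:
        """A neighbour on `interface` stops answering. Only routes learned from a
        routing protocol are removed; manually configured statics stay in the RIB
        because the box has no way of knowing the next hop is dead."""
        self.rib = [r for r in self.rib
                    if not (r.interface == interface and r.source == "ospf")]

    def best_route(self, dst: str):
        """Longest prefix match; among equal prefixes the lowest distance wins.
        A same-prefix route with a higher distance is never used while the
        lower-distance one is present."""
        addr = ip_address(dst)
        cands = [r for r in self.rib if addr in ip_network(r.prefix)]
        if not cands:
            return None
        return min(cands, key=lambda r: (-ip_network(r.prefix).prefixlen, r.distance))

    def forward(self, in_if: str, src: str, dst: str):
        """Return the egress interface used for this flow, rebuilding the
        connection entry if the interface pair it was built for no longer matches."""
        route = self.best_route(dst)
        if route is None:
            return None
        key = (src, dst)
        pair = (in_if, route.interface)
        existing = self.conns.get(key)
        if existing is not None and existing != pair:
            # conn and xlate were built for a specific interface pair (e.g. inside->outside1);
            # a different egress interface means they are lost and must be re-established
            self.torn_down += 1
            del self.conns[key]
        self.conns.setdefault(key, pair)
        return route.interface


def static_only_failover():
    """Two manually configured default routes, distance 1 and 2: ISP1 goes down
    but the static route stays, so traffic keeps leaving via outside1."""
    asa = AsaModel()
    asa.add_route(Route("0.0.0.0/0", "outside1", "192.0.2.1", 1))
    asa.add_route(Route("0.0.0.0/0", "outside2", "198.51.100.1", 2))
    before = asa.forward("inside", "10.1.1.10", "203.0.113.5")
    asa.link_down("outside1")
    after = asa.forward("inside", "10.1.1.10", "203.0.113.5")
    return before, after


def ospf_failover():
    """Same two defaults learned via OSPF: the outside1 route is withdrawn, traffic
    moves to outside2, and the existing connection is torn down in the process."""
    asa = AsaModel()
    asa.add_route(Route("0.0.0.0/0", "outside1", "192.0.2.1", 1, "ospf"))
    asa.add_route(Route("0.0.0.0/0", "outside2", "198.51.100.1", 2, "ospf"))
    before = asa.forward("inside", "10.1.1.10", "203.0.113.5")
    asa.link_down("outside1")
    after = asa.forward("inside", "10.1.1.10", "203.0.113.5")
    return before, after, asa.torn_down


if __name__ == "__main__":
    print("static only :", static_only_failover())   # ('outside1', 'outside1')
    print("ospf learned:", ospf_failover())           # ('outside1', 'outside2', 1)
```

The first scenario is catch 1: with statics alone the higher-distance route is never consulted, even after the preferred next hop is unreachable. The second is catch 2: once a routing protocol withdraws the outside1 route the path does change, but because the egress interface changes too, the connection built for inside/outside1 is discarded and has to be re-established.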