I'm building a lab to provide two Internet connections to my network environment. Topology and configuration files are attached. Let me try to explain:
I have two ISP connections, each with its own CIDR (IP address block);
I won't allocate a public AS;
My connections must carry traffic from inside to outside (users browsing the Internet) and vice versa (servers in a DMZ).
My routers are both configured with HSRP (two groups). Router A is primary for one address and router B is primary for the other one. I put two default routes on the ASA pointing to the two VIPs.
In my DMZ, I have one FTP server. The ASA is configured with NAT control enabled, so I created a static NAT to allow external users to connect to this server. The access control has already been done.
I'm facing a problem. Even though the ASA has two default routes, it insists on using only one. My tests showed me that it was using only one of the two VIPs. In addition, I'll provide VPN access on this same ASA box.
So, I'm asking you to help me find a configuration for this environment so that I can provide traffic from and to the Internet as well as VPN.
1. Yes, I can ping both of VIPs. HSRP is running correctly.
2. Yes. If I remove one of the default routes, the ASA starts using the other one. There is no "current" default route, as it shows me that both are installed in the routing table.
As far as I can tell, the ASA chooses one route per traffic source or destination. Let's suppose that I had another server. If my current server is using the route through 184.108.40.206, the second one could use the route through 220.127.116.11. Do you get me?
I'd like to confirm whether this thought is correct or whether there is really something else to configure on the ASA or the routers.
Any other suggestions for the topology and configurations are very welcome!
Multiple default gateways (load balancing) on the ASA are not just based on the first connection going through the first route and the next one going through the second route. It has a load balancing algorithm that takes into account both source and destination IP addresses. Therefore, the more traffic there is and the more combinations of source and destination IP addresses, the more you will see the load balancing happening on the ASA default gateways.
Just adding something to what halijenn said: the firewall won't be able to support this kind of load balancing. It would only rely on the other routes under a high load of traffic; it is not as if it is going to send a packet or establish a session on one default gateway and the second one is going to the second default gateway.
The only thing you can really use this other link for would be backup using SLA monitor. Now, if what you really want is load balancing, I think something you can do is put an L3 device that supports route maps and PBR in the middle, between the HSRP routers and the ASA, so you can send different types of traffic depending on source, destination, or both, in order to accomplish the load balancing that you are looking for.
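The backup-link arrangement suggested in the reply above, written out as an added example (this is not configuration from the original thread or from the attached files, and the addresses are hypothetical: 203.0.113.1 is assumed to be the HSRP VIP owned by router A towards ISP A, 203.0.113.2 the VIP owned by router B towards ISP B, and both are assumed to sit on the ASA's "outside" subnet). The two equal-cost default routes are replaced by one tracked primary route and one backup route with a worse metric, so the ASA uses a single path at a time and fails over when the probe fails:

```cisco
! Hypothetical addressing: 203.0.113.1 = VIP of router A (ISP A side),
!                          203.0.113.2 = VIP of router B (ISP B side).
! Remove the two existing equal-cost default routes first, e.g.
!   no route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!   no route outside 0.0.0.0 0.0.0.0 203.0.113.2 1

! ICMP echo probe sent out the outside interface towards the ISP A side
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now

! Track object 1 follows the reachability result of SLA 10
track 1 rtr 10 reachability

! Primary default route: removed from the routing table while track 1 is down
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1

! Backup default route: higher metric, so it is only installed when the primary is withdrawn
route outside 0.0.0.0 0.0.0.0 203.0.113.2 254
```

Two caveats a practitioner would check before relying on this. First, probing the HSRP VIP only proves the local router is alive; if ISP A's upstream fails but router A stays up, the VIP still answers and the ASA never fails over, so the echo target should be something beyond the VIP (the ISP A edge, or a public address that ISP A is known to reach) or the HSRP groups should track their upstream interfaces. Second, the static NAT for the FTP server uses an address from one ISP's block, so inbound connections to it only ever arrive over that ISP's link; after a failover to ISP B, replies would leave with an ISP A source address through ISP B, which ISP B may drop, so inbound DMZ service does not automatically survive the failover. State can be verified with `show track 1`, `show sla monitor operational-state 10` and `show route` after bringing the probe target down.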
I got the advice. However, how could I solve my problems? I won't allocate any other device besides the ones you see in the topology picture. Couldn't I do PBR on the HSRP routers?
Don't forget that I still need to provide VPN access, so my two links have to be able to handle such traffic.
Have you seen the configuration files? Have you seen that I'm using a different NAT setup? Will my IPsec tunnels work?
I guess this topology would be a common request. Not everyone is able to "buy" a public AS, so options should come easily. Cisco's competitors deploy load balancing between different ISPs in small boxes, so why am I not able to do it with ISR routers and an ASA?
I'm counting on you very much because I can't find a feasible configuration to make this work.