Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Multiple ISP's single Firewall

I have a customer that wants the use a failover pair of Cisco ASA firewall's and have 2 ISP links from different ISP?s.

One link will be a primary link for all web traffic, and in the event of this failing they want to use the secondary ISP link for incoming and outgoing e-mail traffic.

Are there any features on the ASA that would allow this configuration to be achieved in relation to public IP addresses, MX Records, NAT and default gateways?.?

Both Checkpoint and Watchguard firewalls, support these features for multiple WAN/ISP connections.

2 REPLIES

Re: Multiple ISP's single Firewall

Hello Ian,

Multihoming is not possible with ASA as of now. in case of failure of 1st link, u need to manually change the NAT/static statements for the traffic to flow via the second link... you can have only one default gateway on the firewall...

anyway, if you want to specifically divert only smtp traffic to the second link, u can do it,by adding specific routes for the mail server to the second link and having the default route to the first link.. even here, in case of failure, we need to manually change the configs on the firewall to make it work...

best way is to implement BGP on the outside router and do multihoming there instead of doing it on the firewall....

hope this helps.. all the best...

Raj

Re: Multiple ISP's single Firewall

Hi .. you could follow the below link for configuring multihomed configuration which is basically a combination of BGP at the edge routers and OSPF between the edge routers and the ASAs and default routes injected from BGP to the OSPF with different metrics .. having the main link the preference. A private addressing could be configured between the edge routers and the outside interface of your ASAs.

In regards to the static NAT you could add a second NIC to your email server and allocate a secondary private IP address to it. You could then create two static translations on the ASA with two different public addresses ( according to the ISPs ) and map each one to the respective NIC of your email server.

There will be 2 MX records for your domain with different priorities in case MX 1 ( email server with IP address 1 ) is not reachable when link IPS1 one goes down.

Now .. when link ISP1 is OK then NIC 2 of your email server will need to be disabled. When link ISP1 is down (assuming ISP2 2 is OK )then NIC 1 needs to be disabled and NIC 2 will need to be enabled. I can't think of another work around it right now .. :-)

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a00800945bf.shtml#conf4

233
Views
0
Helpful
2
Replies
CreatePlease login to create content