Guys, need some help here:
1- My company has one ASA 5510 configured with Site-to-site VPN, Ipsec Cisco VPN and AnyConnect VPN.
2- We use ASA to connect to the single ISP (ISP 1) for internet access. ASA does all the NATing for internal users to go out.
3- A second link is coming in and we will be using ISP 2 to loadbalance traffic to internet (i.e. business traffic will go via ISP1 and “other” traffic will go via ISP2).
4- A router will be deployed in front of the ASA to terminate internet links.
5- No BGP should be used to implement policy (traffic X goes via ISP1, traffic Y goes via ISP2).
How do I get this done, particularly, how do I tell the router, for traffic X use ISP1 and for traffic Y use ISP2? PBR is my friend?
Since I will be having 2 public IP addresses from the 2 ISPs, how do I NAT internal users to the 2 public IP addresses?
Finally, which device should be doing the NATing? The ASA just like now or move NATing to the Router?
I misread it.. I was under the impression that you want to buy a router due to the second ISP. If it is a must to go with a 'router' based solution, then you may be able to, but all your NAT and other config may need to be moved to the router and the ASA may be just a transparent device. Wait for experts' solutions.
PS: Do not rate the posting 'correct' if the issue is not resolved. Majority may not read it :-).
Thanks for keeping on top of this...
Still waiting for experts to confirm... in the meantime, can you send some basic config samples in terms of how this setup should look? Can you address the issues regarding identifying business traffic and pointing it to ISP1 and the rest to ISP2?
Check the below link, it gives information on transparent FW config and limitations. Based on the doc, you may need to move the VPN/AnyConnect to the router as well. From the router end you may be able to set up static routes pointing to different ISPs based on traffic needs, but this will be a complicated setup and can break things. Wait for other suggestions or, if possible, stick to the ASA to terminate both links and still route the traffic to different ISPs (saves the router cost as well).
Thanks for the doc and feedback. Well, I found another doc, pretty straightforward, about ASA + Router config with dual WAN connections. Cool stuff really and easy. There is a catch though! In the doc, the guy uses private IP addresses, but that really misses the point because what is the point of giving an example with private IP addresses (to make things simple, the guy said...) when I am trying to find a solution to connect to the Internet? I cannot use these IP addresses when I am connecting with 2 ISPs... I would like to see an example with real public IPs.
Good.. you got the right info. I guess you are planning to move the existing ISP link to router as well. Did you talk to both ISPs and figure out what and how many IPs they assign?
While the document I sent to you is a good starting point, now the hard part begins.
permit tcp any any range 1000 3000
permit tcp any host 18.104.22.168 eq 443
How do you translate those rules?
Once I am done with that I will configure my router to tell it: if traffic comes from this (translated IP address) send to ISP1... and if it comes from this other (translated IP address) send to ISP2.
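An added example, not from the thread or any of the posters, of what the router side could look like if NAT moves to the router as the reply above suggests: the two ACL rules from the last post select business traffic unchanged, PBR forces it to ISP1, the rest follows the default route to ISP2, and NAT is keyed on the egress interface so each ISP only ever sees its own address (ISPs commonly drop packets sourced from another provider's block). Interface names, the 192.168.255.0/30 transit link, the 10.0.0.0/8 inside range and the RFC 5737 ISP addresses are assumptions; it also assumes the ASA no longer NATs internet traffic, and it leaves the VPN terminations on the ASA out of scope.

```cisco
! Router in front of the ASA, NAT moved to the router. Constructed
! addressing (RFC 5737 documentation ranges, not from the thread):
!   Gi0/0  inside  192.168.255.1/30, ASA outside = 192.168.255.2
!   Gi0/1  ISP1    203.0.113.2/30,  ISP1 gateway 203.0.113.1
!   Gi0/2  ISP2    198.51.100.2/30, ISP2 gateway 198.51.100.1
!
interface GigabitEthernet0/0
 description To ASA outside
 ip address 192.168.255.1 255.255.255.252
 ip nat inside
 ip policy route-map PBR-INSIDE
!
interface GigabitEthernet0/1
 description ISP1 (business traffic)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/2
 description ISP2 (everything else)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
! Ordinary routing: default to ISP2; inside LANs (assumed 10.0.0.0/8)
! sit behind the ASA, so return traffic is routed back to it.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 10.0.0.0 255.0.0.0 192.168.255.2
!
! 1. Classify business traffic: the two rules from the thread, unchanged.
ip access-list extended BUSINESS
 permit tcp any any range 1000 3000
 permit tcp any host 18.104.22.168 eq 443
!
! 2. PBR on the inside interface: matched packets are sent to the ISP1
!    gateway; unmatched packets fall through to the normal routing table.
route-map PBR-INSIDE permit 10
 match ip address BUSINESS
 set ip next-hop 203.0.113.1
!
! 3. NAT keyed on the egress interface. For inside-to-outside traffic IOS
!    routes (including PBR) first and translates second, so the route-map
!    sees the interface PBR chose and overloads that interface's address.
route-map NAT-ISP1 permit 10
 match interface GigabitEthernet0/1
route-map NAT-ISP2 permit 10
 match interface GigabitEthernet0/2
ip nat inside source route-map NAT-ISP1 interface GigabitEthernet0/1 overload
ip nat inside source route-map NAT-ISP2 interface GigabitEthernet0/2 overload
```

Check the result with `show route-map PBR-INSIDE` (policy match counters) and `show ip nat translations`, which should list only 203.0.113.2 as the outside address for ports 1000-3000 and 443 to that host, and only 198.51.100.2 for everything else.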