asa 5510 dual ISP standard feature?

m.binnendijk

Good day,

I've got a question about the ASA 5510 appliance; my situation is as follows.

At the moment we've got two internet connections for our company; one DSL and one cable. The DSL connection is mainly used for incoming email (smtp) and functions as a backup line for our global internet access.

The DSL line is used for a few services and is our first global internet access line.

Both DSL and Cable connections need to work simultaneously, the mailflow on DSL needs to work as well as internet access through the cable.

Can anyone tell me if this is possible on the 5510 and if so, do I need to purchase licenses for this functionality?

Thank you,

Marco

Accepted Solutions

m.binnendijk wrote:

Hello Jon,

Our email is indeed delivered to us by just one single remote machine, the spamfilter. So as I can read the ASA 5510 can be the right appliance to go for in our case! I'm quite pleased with that as it allows growth for the future and offers all functions we need as VPN and port forwarding and the like.

Just one last question, do you have any idea if the standard unit is sufficient, or do I need separate licenses to cover my initial 'solved by Jon' issue? I know virus protection and the like aren't included -and I don't need that just yet-. (somehow I can't find a clear description about those add-on licenses).

Thank you so much for your help!

Marco.

Marco

Glad to have helped.

You don't need any extra license etc. to add another route to the ASA so you should be okay with what you have got.

Jon

7 Replies

Jon Marshall

Marco

The problem with using both links simultaneously is that you cannot have 2 active default-routes on the ASA, one used for one type of connection and one for the other.

There are 2 possible solutions -

1) if you have a pair of ASAs you could run contexts and have one context dedicated to each ISP and each context could have its own default-route

2) if you have a router(s) upstream of the ASAs then you could look at Policy Based Routing (PBR). Unfortunately PBR is not supported on the ASA.

Jon

Jon, thank you for answering.

You mentioned that you can't have 2 active default routes, but does that also apply for purely incoming traffic? The setup of LAN to WAN is quite simple, all traffic goes through the cable (to keep it simple, let's name DSL "WAN1" and cable "WAN2") and WAN1 will be idle.

WAN to LAN is the big issue; bSMTP will be sent to WAN1 and a few other services to WAN2.

I used to solve this whole issue by using a Hotbrick VPN 800/2G appliance, but I need a more stable platform (Cisco) with about the same specs.

Two ASAs would be nice, but I work in the healthcare sector, which means limited budget. The specs of the ASA 5510 were looking good, until I stumbled over this whole 'dual ISP' issue.

If the 5510 won't do the job for me, can you direct me in the right path for another Cisco device?

Marco.

Marco

Not sure I fully understand what you mean by WAN to LAN. Could you perhaps provide a quick topology diagram or explain in a bit of detail? Is all your traffic incoming, and if so are you referring to 2 default-routes pointing to the LAN side?

Apologies, it's just not very clear.

In answer to your question, a router is really what you need for this so you can do PBR and direct the traffic where you want. But before that, can we make sure I fully understand what you are trying to do in case your ASA will do the job.

Jon

Hello Jon,

I've added a quick sketch, it gives you a basic (simplified) idea of our network topology.

What I meant by WAN to LAN was 'incoming traffic'. The DSL line is used for receiving mail from an external spamfilter and acts as a backup line in case the cable-connection goes down.

The cable connection is used as our general connection to the internet, it handles all outgoing traffic, as well as a few incoming services as https, OWA, ftp and such. It's also the connection used for VPN.

The to-be-replaced Hotbrick appliance is a sort of router/firewall and VPN device; the ASA 5510 (or another appliance) should replace the unit.

I hope this clears a few things up, if not, please let me know!

Greetings,

Marco.

Thanks, that does clarify things.

Is your mail always coming from the same external machine, i.e. the SPAM filter? If it is then you can simply add an explicit route on the ASA firewall for this public IP, i.e.

route (interface connecting to ISP1) (public IP of the SPAM filter) 255.255.255.255 (ISP1 next-hop IP)

that would work if all incoming mail comes from that one machine. I assumed your mail could come from any mail server on the internet hence the reason you needed 2 default-routes.

Jon
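
The host-route approach from the reply above, written out as ASA configuration. This is an added example, not part of the original thread: the interface names `cable` and `dsl` and every address (documentation ranges) are constructed placeholders. It goes one step beyond the reply by tracking the cable default route so that the DSL default only takes over when the cable next hop stops answering, matching the backup role described for the DSL line.

```cisco
! Constructed placeholders (not from the thread):
!   cable next hop   192.0.2.1
!   dsl next hop     198.51.100.1
!   spam filter      203.0.113.25  (the single host that delivers mail)

! Probe the cable next hop through the cable interface.
sla monitor 1
 type echo protocol ipIcmpEcho 192.0.2.1 interface cable
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability

! Primary default route: installed only while track 1 is up.
route cable 0.0.0.0 0.0.0.0 192.0.2.1 1 track 1

! Backup default route: higher administrative distance, so it is
! used only when the tracked route above is withdrawn.
route dsl 0.0.0.0 0.0.0.0 198.51.100.1 254

! Host route: traffic to the spam filter always leaves via DSL,
! so replies to its SMTP sessions return on the link they came in on.
route dsl 203.0.113.25 255.255.255.255 198.51.100.1
```

`show route` should list the /32 through `dsl` alongside a single active default through `cable`.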

Hello Jon,

Our email is indeed delivered to us by just one single remote machine, the spamfilter. So as I can read the ASA 5510 can be the right appliance to go for in our case! I'm quite pleased with that as it allows growth for the future and offers all functions we need as VPN and port forwarding and the like.

Just one last question, do you have any idea if the standard unit is sufficient, or do I need separate licenses to cover my initial 'solved by Jon' issue? I know virus protection and the like aren't included -and I don't need that just yet-. (somehow I can't find a clear description about those add-on licenses).

Thank you so much for your help!

Marco.

Marco

Glad to have helped.

You don't need any extra license etc. to add another route to the ASA so you should be okay with what you have got.

Jon
