Hi, I wanted to configure 3 ISPs on a Cisco ASA,
with all being standalone.
Is this possible with normal static routes towards a specific default gateway,
and specific IPs NATted with that ISP interface?
You can 100% connect three ISPs to an ASA, but you will need to understand that an ASA is a firewall and not a router.
Also, an ASA will not do policy-based routing (PBR).
Now, you could in theory have three interfaces on an ASA, one going to each ISP:
Interface x -> ISP1
Interface y -> ISP2
Interface z -> ISP3
LAN Interface a -> LAN
You could then NAT to each ISP depending on subnet, and/or do policy NAT.
Or you could have a router in front of the ASA connecting to these ISPs, and then have a /30 from the firewall to this router, and then you could NAT based on any IP pretty easily.
You can put three default routes with the same administrative distance. So you end up performing load balancing, but I'm not too sure how that will work.
If you wanted to do it this way, what I would do is have the ASA go to a router that is attached to three ISP links. I would then set up your routing (link to the three different ISPs) on the router.
You can run into all kinds of issues with an ASA with three different ISP links. You may have to set up all kinds of NAT rules, ACL rules, etc. I'm not saying it "wouldn't" work, but it could possibly be a pain.
I am not sure this will work. Where can I put 3 default routes, because the ASA will ask for an administrative distance?
We are routing from an L3 switch and then to the firewall over the internet; there is no router after our firewall.
Is there any way still?
The best way is to do multiple context mode, and have a router or a switch with floating static routes monitoring the ISPs' IPs with SLA tracking and failing over.
So the customers will have a default gateway towards the VLAN interface IP and the switch will do the failover.
ASAs do not support more than one active default gateway. Therefore to support three ISPs simultaneously you will need to enable multiple contexts on your firewall, one for each ISP. See below a link explaining the concept of contexts:
Good catch, I completely forgot about that.
So, you have three different physical interfaces on the ASA with each going to a different ISP? If this is the case, you could load balance based upon NAT.
I believe you could configure NAT in such a way that you NAT certain ranges to go out ISP1, ISP2, and then ISP3.