12-11-2009 05:32 AM - edited 03-04-2019 06:56 AM
Greetings, I've currently got the following simple setup as per the image "Current.png". The ASA is configured with a single Global Pool and, using PAT, all outgoing traffic is translated to the interface IP address 1.1.1.2.
What I would like to achieve is to add a second leased line to the equation from a different provider and use it to handle certain outgoing traffic from different internal networks, but also, if needs be, use it as a backup link. At present I'm not too concerned with automatic failover, but I'll use tracked objects and IP SLA to take care of this at a later point in time.
My current thinking is:
Note: For this example I have several VLANs/networks configured as inside interfaces with differing security levels.
Can anyone see a reason why this wouldn't work?
Regards
Mark Rigby
12-11-2009 07:29 AM
markgrigby wrote:
Greetings, I've currently got the following simple setup as per the image "Current.png". The ASA is configured with a single Global Pool and, using PAT, all outgoing traffic is translated to the interface IP address 1.1.1.2.
What I would like to achieve is to add a second leased line to the equation from a different provider and use it to handle certain outgoing traffic from different internal networks, but also, if needs be, use it as a backup link. At present I'm not too concerned with automatic failover, but I'll use tracked objects and IP SLA to take care of this at a later point in time.
My current thinking is:
Note: For this example I have several VLANs/networks configured as inside interfaces with differing security levels.
Can anyone see a reason why this wouldn't work?
Regards
Mark Rigby
Mark
No, can't see any reason why that wouldn't work. However if the 1.1.1.3 address is assigned to your original ISP (ISP1) then return traffic will come back in on the s0/0/0 interface. So it will go out on s0/1/0 but come in on the other link.
If you want return traffic to come back down the same link you will have to PAT to one of the new provider addresses, which may mean NATing the traffic either
1) solely on the router for ISP2
OR
2) double NATing on the ASA and the router
Jon
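Option 2 (double NAT) as a worked configuration, added here as an illustration; it is not from the thread or from either poster. The interface names s0/0/0 (ISP1) and s0/1/0 (ISP2) and the addresses 1.1.1.2 and 1.1.1.3 come from the thread; the router LAN address 1.1.1.1, the ISP2 block 2.2.2.0/30, the nameif "dmz" for the network to be steered via ISP2, and the pre-8.3 ASA NAT syntax are assumptions.

```cisco
! ---- ASA (pre-8.3 NAT syntax, assumed for a 2009-era ASA) ----
! Pool 1 keeps today's behaviour: general inside traffic PATs to the
! outside interface address 1.1.1.2 and leaves via ISP1.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
! Pool 2: the network to be steered via ISP2 PATs to 1.1.1.3 (first NAT).
! "dmz" is an assumed nameif for that VLAN; substitute the real one.
global (outside) 2 1.1.1.3
nat (dmz) 2 0.0.0.0 0.0.0.0

! ---- Edge router (IOS) ----
! Only traffic the ASA already PATed to 1.1.1.3 is policy-routed to ISP2
! and translated a second time; everything else follows the default route.
ip access-list extended FROM-ASA-PAT2
 permit ip host 1.1.1.3 any

route-map TO-ISP2 permit 10
 match ip address FROM-ASA-PAT2
 set interface Serial0/1/0

interface FastEthernet0/0
 description LAN side facing the ASA outside (1.1.1.0/29 assumed)
 ip address 1.1.1.1 255.255.255.248
 ip nat inside
 ip policy route-map TO-ISP2

interface Serial0/0/0
 description ISP1 (no NAT here: the ASA already translated to 1.1.1.2)

interface Serial0/1/0
 description ISP2 (2.2.2.0/30 is a constructed example block)
 ip address 2.2.2.2 255.255.255.252
 ip nat outside

! Second NAT: 1.1.1.3 -> 2.2.2.2, so ISP2 sees its own address space and the
! return traffic arrives on Serial0/1/0 instead of coming back via ISP1.
ip nat inside source list FROM-ASA-PAT2 interface Serial0/1/0 overload
```

To verify, `show xlate` on the ASA and `show ip nat translations` on the router should each show an entry involving 1.1.1.3 for a flow from the steered network; an empty router table points at the policy route or the nat inside/outside marking.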
12-11-2009 08:53 AM
Ah of course, thank you John, the traffic would most likely be general-purpose HTTP so I don't have a problem NATing it twice.
Regards
Mark Rigby