01-22-2009 06:06 AM - edited 03-04-2019 12:56 AM
Right now, the office has an ASA5505 and a single ISP. That ASA has an IPSec tunnel to another ASA5505 at a remote site. We want to migrate the phone system to a hosted VoIP provider, so we are interested in a second ISP. I understand the ASA5505 does not do PBR or load balancing, but I'm looking for a creative method to have www/vpn traffic go out ISP-A and VoIP traffic go out ISP-B. Should ISP-B be unreachable, all VoIP traffic will roll over to ISP-A. The VoIP traffic is key; the www/vpn traffic does not need to be as reliable.
My thoughts were to use ISP-A as the default gateway, but have two route statements for the VoIP traffic. Assuming the VoIP provider is 65.1.2.3, I would have:
interface vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
interface vlan2
nameif isp-a
security-level 0
ip address 66.X.X.X 255.255.255.252
interface vlan3
nameif isp-b
security-level 0
ip address 72.X.X.X 255.255.255.252
! default route via the ISP-A gateway
route isp-a 0.0.0.0 0.0.0.0 66.X.X.X 1
! host route for the VoIP provider via the ISP-B gateway (metric 1),
! with a floating metric-2 copy via ISP-A as the fallback
route isp-b 65.1.2.3 255.255.255.255 72.X.X.X 1
route isp-a 65.1.2.3 255.255.255.255 66.X.X.X 2
I understand I will have to purchase the Security Plus license in order to use 3 VLANs at once, but will the above work?
Would I be better off using an ASA5505 or the 870 Integrated Services Router for this? I know the ASA will serve better as a firewall and VPN endpoint, but which device will handle the dual ISP situation better, assuming ~20 users?
-Derek
01-24-2009 02:55 AM
Hello Derek,
The following configuration example with two ISPs can help; it can be a good starting point.
I think you don't need the second route for VoIP: if the link to ISP-B fails, it can follow the default route like other traffic.
Hope this helps,
Giuseppe
01-24-2009 03:00 PM
It was my understanding that the ASA5505 would not do Active/Active failover, only Active/Standby. Using the backup interface command would let me configure ISP-B for backup only. I would not be able to send data out ISP-A and ISP-B at the same time...
02-23-2009 12:36 PM
Active/Active vs Active/Standby is a function of HARDWARE failover, not connection/ISP failover. Just a heads up. Thanks
J
04-21-2009 02:17 PM
04-22-2009 04:21 AM
Yes, with the base license, you can have a backup ISP...NOT a load balance, nothing fun like that. But it is very easy to set up a second internet feed to come up in the event the primary drops and then switch back when the primary returns....through the use of SLA and track statements tied to the default route of the primary. Let me know if this is along the right track. Thanks
J
04-22-2009 10:46 AM
Yes, that is what I need, but the only examples I can find use a 3rd vlan with a 3rd nameif which I can't do with base license.
E
04-22-2009 10:49 AM
Yes, you need to create another nameif, such as backup...and then set 'no forward vlan xx' where xx is your primary nameif interface.
So you'd have inside (vlan1), outside (vlan99), and backup (vlan98), with backup set to 'no forward interface vlan99'. This will allow the inside to talk to both outside and backup, but backup can't talk to outside. This allows for dual ISP, but kills DMZ as per Cisco's intention. Thanks.
J
04-22-2009 10:51 AM
!
interface Vlan1
description Inside
nameif inside
security-level 100
ip address 192.168.70.1 255.255.255.0
!
interface Vlan98
no forward interface Vlan99
nameif backup
security-level 0
ip address xx.xx.xx.xx 255.255.255.252
!
interface Vlan99
description Outside
nameif outside
security-level 0
ip address pppoe setroute
!
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! SLA probe and track object referenced by the primary default route below
sla monitor 1
type echo protocol ipIcmpEcho xx.xx.xx.xx interface outside
frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx track 1
route backup 0.0.0.0 0.0.0.0 xx.xx.xx.xx 254
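As an added example (not from this thread or from Cisco), a small Python lint over an ASA 5505 config text for the pitfalls this exchange runs into: a third named VLAN whose 'no forward interface' line does not come before its nameif, a default route that tracks an object never defined by a track statement, and two default routes that cannot fail over. The sample config and all function names are constructed for this example.

```python
import re
from typing import List

# Constructed sample, not the thread's config: three VLANs on a base-licence
# ASA 5505, backup VLAN restricted before it is named, tracked default route.
GOOD_CONFIG = """
interface Vlan1
 nameif inside
interface Vlan98
 no forward interface Vlan99
 nameif backup
interface Vlan99
 nameif outside
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route backup 0.0.0.0 0.0.0.0 203.0.113.1 254
sla monitor 1
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside
track 1 rtr 1 reachability
"""

def lint_dual_isp(config: str) -> List[str]:
    """Flag the pitfalls discussed in the thread; an empty list means none found."""
    named, restricted, tracks, defaults = [], set(), set(), []
    cur, pre_noforward = None, False
    for line in (ln.strip() for ln in config.splitlines() if ln.strip()):
        if line.startswith("interface "):
            cur, pre_noforward = line.split()[1], False
        elif cur and line.startswith("no forward interface"):
            pre_noforward = cur not in named   # only counts before nameif is seen
        elif cur and line.startswith("nameif "):
            named.append(cur)
            if pre_noforward:
                restricted.add(cur)
        elif m := re.match(r"track (\d+) rtr \d+ reachability", line):
            tracks.add(m.group(1))
        elif m := re.match(r"route (\S+) (\S+) \S+ \S+(?: (\d+))?(?: track (\d+))?$", line):
            iface, net, metric, trk = m.groups()
            if net == "0.0.0.0":
                defaults.append((iface, int(metric or 1), trk))
    findings = []
    if len(named) - len(restricted) > 2:
        findings.append("third named VLAN lacks 'no forward interface' before nameif")
    for iface, _, trk in defaults:
        if trk and trk not in tracks:
            findings.append(f"default route via {iface} references undefined track {trk}")
    if len(defaults) > 1 and not any(t for _, _, t in defaults):
        findings.append("two default routes but none tracked; failover never triggers")
    if len({m for _, m, _ in defaults}) < len(defaults):
        findings.append("default routes share a metric; give the backup a higher one")
    return findings
```

Run it against a config where the nameif precedes the 'no forward' line, or where 'track 1' is referenced but never defined, and each problem comes back as one finding.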
04-22-2009 10:58 AM
Yes, that is the example stated in numerous places, but with a base license you cannot have a "nameif backup" as you are not allowed to name a 3rd VLAN. The sales lit talks about having a backup ISP using 2 VLANs, but I can find no reference anywhere on how.
tks
E
04-22-2009 10:59 AM
Yes, you can, but you have to put the no forward command first, then you can nameif it. I do this exact config all over the place and it works 100%. Thanks.
04-22-2009 11:02 AM
Ahhh. OK, will give it a go. Thanks
05-07-2009 11:54 AM
OK, a little while later and I am now able to get the 3 VLANs up, and I can get the default route moved to the new 3rd VLAN - a 2nd DSL install. Problem now is that even though I have left the VPNs on the original DSL and entered static routes, they do not come up. Config is attached. I am trying to get VPNs over "outside" and everything else over "dsl2".
05-07-2009 12:04 PM
Your nat and global statements are breaking this. Also, depending on the version of code, you may need to add static routes for those private nets, 192.168.5 and 10.11.1 through outside. Thanks.