Small office with dual-ISP (ASA or 871)

dbrown
Level 1

Right now, the office has an ASA5505 and a single ISP. That ASA has an IPSec tunnel to another ASA5505 at a remote site. We want to migrate the phone system to a hosted VoIP provider, so we are interested in a second ISP. I understand the ASA5505 does not do PBR or load balancing, but I'm looking for a creative method to have www/vpn traffic go out ISP-A and VoIP traffic go out ISP-B. Should ISP-B be unreachable, all VoIP traffic will roll over to ISP-A. The VoIP traffic is key; the www/vpn traffic does not need to be as reliable.

My thoughts were to use ISP-A as the default gateway, but have two route statements for the VoIP traffic. Assuming the VoIP provider is 65.1.2.3, I would have:

interface vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface vlan2
 nameif isp-a
 security-level 0
 ip address 66.X.X.X 255.255.255.252
!
interface vlan3
 nameif isp-b
 security-level 0
 ip address 72.X.X.X 255.255.255.252
!
route isp-a 0.0.0.0 0.0.0.0 66.X.X.X 1
route isp-b 65.1.2.3 255.255.255.255 72.X.X.X 1
route isp-a 65.1.2.3 255.255.255.255 66.X.X.X 2

I understand I will have to purchase the Security Plus license in order to use 3 VLANs at once, but will the above work?

Would I be better off using an ASA5505 or the 870 Integrated Services Router for this? I know the ASA will serve better as a firewall and VPN endpoint, but which device will handle the dual ISP situation better, assuming ~20 users?

-Derek

13 Replies

Giuseppe Larosa
Hall of Fame

Hello Derek,

the following configuration example with two ISPs can help

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

this can be a good starting point

I think you don't need the second route for VoIP: if the link to ISP-B fails, it can follow the default route like other traffic.

Hope to help

Giuseppe

It was my understanding that the ASA5505 would not do Active/Active failover, only Active/Standby. Using the backup interface command would let me configure ISP-B for backup only. I would not be able to send data out ISP-A and ISP-B at the same time...

Active/Active vs Active/Standby is a function of HARDWARE failover, not connection/ISP failover. Just a heads up. Thanks

J

That config requires Sec+ license. There are several "sales" references to being able to have backup ISP with the base license (see .jpg). Has anyone accomplished this or know where to see a sample config? Thanks.

Yes, with the base license, you can have a backup ISP...NOT a load balance, nothing fun like that. But it is very easy to set up a second internet feed to come up in the event the primary drops and then switch back when the primary returns....through the use of SLA and track statements tied to the default route of the primary. Let me know if this is along the right track. Thanks

J

Yes, that is what I need, but the only examples I can find use a 3rd vlan with a 3rd nameif which I can't do with base license.

E

Yes, you need to create another nameif, such as backup...and then set 'no forward vlan xx' where xx is your primary nameif interface.

So you'd have inside (vlan1), outside (vlan99), and backup (vlan98), with backup set to 'no forward interface vlan99'. This will allow the inside to talk to both outside and backup, but backup can't talk to outside. This allows for dual ISP, but kills DMZ as per Cisco's intention. Thanks.

J

!
interface Vlan1
 description Inside
 nameif inside
 security-level 100
 ip address 192.168.70.1 255.255.255.0
!
interface Vlan98
 no forward interface Vlan99
 nameif backup
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.252
!
interface Vlan99
 description Outside
 nameif outside
 security-level 0
 ip address pppoe setroute
!
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx track 1
route backup 0.0.0.0 0.0.0.0 xx.xx.xx.xx 254
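Pulling together Derek's split-traffic question and J's SLA/track and no-forward explanations, here is an added example config that is not from any post in this thread and not a Cisco sample; it supplies the sla monitor and track lines the config above leaves out. It assumes the pre-8.3 global/nat syntax used above, RFC 5737 placeholder addresses, and probe targets 203.0.113.250 and 198.51.100.250 standing in for a reliable host beyond each ISP's next hop.

```cisco
! Added example, not from the thread. All addresses are placeholders.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.70.1 255.255.255.0
!
interface Vlan98
 no forward interface Vlan99
 nameif backup
 security-level 0
 ip address 198.51.100.2 255.255.255.252
!
interface Vlan99
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
! Probe a host beyond the primary ISP's next hop (placeholder target); the
! probe is pinned to outside so it keeps using that link after failover.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.250 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
! Same for the backup ISP, so the VoIP host route below can fall back.
sla monitor 2
 type echo protocol ipIcmpEcho 198.51.100.250 interface backup
 num-packets 3
 frequency 10
sla monitor schedule 2 life forever start-time now
track 2 rtr 2 reachability
!
! Default route via the primary ISP is withdrawn while track 1 is down; the
! metric-254 floating route through backup then becomes the active default.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! VoIP provider (65.1.2.3, Derek's placeholder) exits via backup while track 2
! is up; when the probe fails the /32 is withdrawn and VoIP follows the default.
route backup 65.1.2.3 255.255.255.255 198.51.100.1 1 track 2
!
! PAT on both exits so flows are translated to whichever interface they leave by.
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
```

Check the result with `show route` and `show track` after pulling each uplink: the tracked route should disappear from the routing table within a few probe intervals, not merely when the physical interface drops.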

Yes, that is the example stated in numerous places, but with a base license you cannot have a "nameif backup" as you are not allowed to name a 3rd vlan. The sales lit talks about having a backup ISP using 2 vlans, but I can find no reference anywhere on how.

tks

E

Yes, you can, but you have to put the no forward command first, then you can nameif it. I do this exact config all over the place and it works 100%. Thanks.

Ahhh. OK, will give it a go. Thanks

OK, a little while later and I am now able to get the 3 VLANs up, and I can get the default route moved to the new 3rd VLAN - a 2nd DSL install. Problem now is that even though I have left the VPNs on the original DSL and entered static routes, they do not come up. Config is attached. I am trying to get VPNs over "outside" and everything else over "dsl2".

Your nat and global statements are breaking this. Also, depending on the version of code, you may need to add static routes for those private nets, 192.168.5 and 10.11.1 through outside. Thanks.
