Right now, the office has an ASA5505 and a single ISP. That ASA has an IPSec tunnel to another ASA5505 at a remote site. We want to migrate the phone system to a hosted VoIP provider, so we are interested in a second ISP. I understand the ASA5505 does not do PBR or load balancing, but I'm looking for a creative method to have www/vpn traffic go out ISP-A and VoIP traffic go out ISP-B. Should ISP-B be unreachable, all VoIP traffic will roll over to ISP-A. The VoIP traffic is key; the www/vpn traffic does not need to be as reliable.
My thoughts were to use ISP-A as the default gateway, but have two route statements for the VoIP traffic. Assuming the VoIP provider is 18.104.22.168, I would have:
ip address 10.0.0.1 255.255.255.0
ip address 66.X.X.X 255.255.255.252
ip address 72.X.X.X 255.255.255.252
route isp-a 0.0.0.0 0.0.0.0 66.X.X.X 1
route isp-b 22.214.171.124 255.255.255.255 1
route isp-a 126.96.36.199 255.255.255.255 2
I understand I will have to purchase the Security Plus license in order to use 3 VLANs at once, but will the above work?
Would I be better off using an ASA5505 or the 870 Integrated Services Router for this? I know the ASA will serve better as a firewall and VPN endpoint, but which device will handle the dual ISP situation better, assuming ~20 users?
The following configuration example with two ISPs can help.
This can be a good starting point.
I think you don't need the second route for VoIP; if the link to ISP-B fails, it can follow the default route like other traffic.
Hope this helps.
It was my understanding that the ASA5505 would not do Active/Active failover, only Active/Standby. Using the backup interface command would let me configure ISP-B for backup only. I would not be able to send data out ISP-A and ISP-B at the same time...
Active/Active vs Active/Standby is a function of HARDWARE failover, not connection/ISP failover. Just a heads up. Thanks
Yes, with the base license, you can have a backup ISP...NOT a load balance, nothing fun like that. But it is very easy to set up a second internet feed to come up in the event the primary drops and then switch back when the primary returns....through the use of SLA and track statements tied to the default route of the primary. Let me know if this is along the right track. Thanks
Yes, that is what I need, but the only examples I can find use a 3rd vlan with a 3rd nameif which I can't do with base license.
Yes, you need to create another nameif, such as backup...and then set 'no forward vlan xx' where xx is your primary nameif interface.
So you'd have inside (vlan1), outside (vlan99), and backup (vlan98), with backup set to 'no forward interface vlan99'. This will allow the inside to talk to both outside and backup, but backup can't talk to outside. This allows for dual ISP, but kills DMZ as per Cisco's intention. Thanks.
ip address 192.168.70.1 255.255.255.0
no forward interface Vlan99
ip address xx.xx.xx.xx 255.255.255.252
ip address pppoe setroute
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx track 1
route backup 0.0.0.0 0.0.0.0 xx.xx.xx.xx 254
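For readers following this thread, here is the complete base-license dual-ISP configuration the posts above describe, written out as an added example (it is not a config from anyone in this thread). It uses the pre-8.3 global/nat syntax shown above (8.3 and later use object NAT instead), constructed documentation-range addresses (203.0.113.x for ISP-A, 198.51.100.x for ISP-B) and the VLAN numbers from the post above; the SLA monitor, track and schedule statements are the standard ASA commands the thread refers to but does not show.

```cisco
! Added example (not from the thread): ASA 5505, base license, two ISPs with an
! SLA-tracked default route. All addresses are constructed placeholders.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.70.1 255.255.255.0
!
interface Vlan99
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
! On the base license the third VLAN must get 'no forward interface' BEFORE
! nameif, otherwise the ASA refuses to name a third VLAN.
interface Vlan98
 no forward interface Vlan99
 nameif backup
 security-level 0
 ip address 198.51.100.2 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 99
interface Ethernet0/1
 switchport access vlan 98
!
! Pre-8.3 dynamic PAT on both ISP interfaces so inside hosts can leave either way
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! Probe a host beyond ISP-A through the outside interface: 3 echoes every 10 s.
! The 'interface outside' keyword pins the probe to ISP-A regardless of which
! default route is currently active.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
! The primary default route is withdrawn when track 1 goes down; the floating
! route (metric 254) then carries all traffic, and the primary is reinstalled
! automatically once the probe succeeds again.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
```

Two practical checks: `show track 1` and `show sla monitor operational-state` confirm the probe is running and what it currently sees, and `show route` shows which default route is installed. The probe target matters: if you track the ISP's own gateway, a failure further upstream leaves the gateway pingable and the ASA never fails over, so track a stable address beyond the ISP edge. As the post above notes, `no forward interface` means the backup VLAN cannot reach the outside VLAN, so this layout cannot also serve as a DMZ.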
Yes, that is the example stated in numerous places, but with a base license you cannot have a "nameif backup" as you are not allowed to name a 3rd VLAN. The sales lit talks about having a backup ISP using 2 VLANs, but I can find no reference anywhere on how.
Yes, you can, but you have to put the no forward command first, then you can nameif it. I do this exact config all over the place and it works 100%. Thanks.
OK, a little while later and I am now able to get the 3 VLANs up, and I can get the default route moved to the new 3rd VLAN - a 2nd DSL install. Problem now is that even though I have left the VPNs on the original DSL and entered static routes, they do not come up. Config is attached. I am trying to get VPNs over "outside" and everything else over "dsl2".
Your nat and global statements are breaking this. Also, depending on the version of code, you may need to add static routes for those private nets, 192.168.5 and 10.11.1 through outside. Thanks.