Solved: ASA 5510 Dual ISP configuration

Elango Murugan · ‎07-14-2011

I have existing Sonic FW in my company we are moving from sonic FW to ASA 5510 Security plus lice. I have two ISP currently connected to sonic Firewall I am planning to implement Dual ISP configuration on ASA5510.

Here is my script:-

interface vlan 2

description Primary ISP interface

nameif outside

security-level 0

ip address x.x.x.224 standby x.x.x.?x.x.x.?what ip address I have you give here

backup interface vlan 4

no shutdown

interface vlan 1

nameif inside

security-level 100

ip address x.x.x.1 255.255.255.0

no shutdown

interface vlan 3

nameif dmz

security-level 50

ip address x.x.x.1 255.255.255.0

no shutdown

interface vlan 4

description Backup ISP interface

nameif backup-isp

security-level 0

ip address x.x.x.18 standby x.x.x.? .x.x.?what ip address I have you give here

no shutdown

interface vlan 5

description LAN Failover Interface

no shutdown

failover

failover lan unit primary

failover lan interface faillink vlan5

failover lan faillink vlan5

failover polltime unit 3 holdtime 10

failover key key1

failover interface ip faillink 10.x.x.1 255.255.255.0 standby 10.x.x.2

nat (inside) 1 0 0

nat (home) 1 0 0

global (outside) 1 interface

access-list natexmpt-inside extended permit ip any x.x.x.0 255.255.255.0

access-list natexmpt-home extended permit ip any x.x.x.0 255.255.255.0

nat (inside) 0 access-list natexmpt-inside

nat (home) 0 access-list natexmpt-home

track 1 rtr ISP1 reachability

route outside 0 0 x.x.x.234 1 track 1

route backup-isp 0 0 x.x.x.154 2

Please advice thanks

alagu.raja · ‎08-26-2011

Hi Varun,

I have the same situation to configure.

I have two ASA- 5510 Security + licenses

2 ISP links and one 2960-L2 switch. With this i believe i can configure the Dual ISP with Active/Standby as discussed earlier.

However i have got confusion on physical link connectivity. Also will i need to have L3 switch for connecting ISP links ir L2 is enough.

I have attached my solution . Could you please help and confirm. Also i need to know how many VLAN need to have in that switch.

Thanks

Alaguraja

View solution in original post

varrao · ‎07-14-2011

Hi Elango,

You would need the following configuration for dual ISP setup:

global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 10.200.159.1 1 track 1

route backup 0.0.0.0 0.0.0.0 10.250.250.1 254

sla monitor 123
 type echo protocol ipIcmpEcho 4.2.2.2 interface outside
 num-packets 3
 frequency 10

sla monitor schedule 123 life forever start-time now

track 1 rtr 123 reachability

Please refer to this doc:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Hope this helps,

Thanks,

Varun

Thanks,
Varun Rao

Elango Murugan · ‎07-18-2011

Thanks Varun , I will update you once complete the implementation.

varrao · ‎07-18-2011

Sure will wait for your update

-Varun

Thanks,
Varun Rao

Elango Murugan · ‎07-19-2011

Hi Varun,

I have two firewall i am planing to do Active,standby.Please advice.

varrao · ‎07-19-2011

Hi Elango,

What is your requirement, are you trying to configure dual ISP on a dingle firewall, or are you configuring two firewalls in active/standby failover, or are you trying to configure dual ISP on two firewall which are in active/standby failover???

Failover Doc:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

Thanks,

Varun

Thanks,
Varun Rao

Elango Murugan · ‎07-20-2011

Hi Varun,

Yes i am trying to configure dual ISP on two ASA which is Activity/standby failover.

Thanks,

Elango

varrao · ‎07-20-2011

Hi Elango,

There should not be any issues with dual ISP on failover as well, just configure the two firewalls active/standby failover and then configure dual isp on the active device, it would be replicated to the secondary device.

when the active firewall goes down, the traffic would failover onto the secondary device, but the internet traffic would keep going through the Primary ISP link.

If the primary isp link goes down on active device, the firewalls would not failover, but internet traffic would start going through the secondary ISP link on active device.

Let me know if you have any confusion regarding it.

thanks,

Varun

Thanks,
Varun Rao

Elango Murugan · ‎07-22-2011

OK Thanks Varun

alagu.raja · ‎08-26-2011

Hi Varun,

I have the same situation to configure.

I have two ASA- 5510 Security + licenses

2 ISP links and one 2960-L2 switch. With this i believe i can configure the Dual ISP with Active/Standby as discussed earlier.

However i have got confusion on physical link connectivity. Also will i need to have L3 switch for connecting ISP links ir L2 is enough.

I have attached my solution . Could you please help and confirm. Also i need to know how many VLAN need to have in that switch.

Thanks

Alaguraja

varrao · ‎08-26-2011

HI Alagu,

You topology seems correct to me, no issues, for connecting the ISP links, even a L2 device would work, no problem.

On the switch you would be connecting the inside interface so they both need to be on the same vlan on the switch. I Otherwise this should work fine.

Thanks,

Varun

Thanks,
Varun Rao

alagu.raja · ‎08-29-2011

Thanks Varun. Let me implement and update with the result.

Thanks

Alaguraja.K

varrao · ‎08-29-2011

Sure, I'll wait for your update

-Varun

Thanks,
Varun Rao