topic Re: Multiple ISP and ASA in Network Security

Multiple ISP and ASA

sathyahemanth — Mon, 11 Mar 2019 10:27:31 GMT

Hi,

Can any one suggest me how to configure load-balancing and failover between ASA and multiple ISPs. All ISP connections is terminated on a single router.

Thanks and regards,

SH.

Re: Multiple ISP and ASA

alvaroadp — Sat, 09 Jun 2007 12:26:42 GMT

If you find that out, let us know. Right now I am moving to Linux+iproute2

Re: Multiple ISP and ASA

Rodrigo Gurriti — Sun, 10 Jun 2007 00:20:58 GMT

Well as far as I know you can do that well on a router but on the asa/pix you can set the multiple static routes with the same metric/cost.

This will not work as well as on the router but you know hehehe its a firewall not a router 🙂

Please guys read http://www.cisco.com/en/US/products/hw/modules/ps2033/prod_technical_reference09186a00800afeb7.html

If you find it interesting please rate 🙂

Re: Multiple ISP and ASA

Thotsaphon Lueangwattanaphong — Sun, 10 Jun 2007 07:17:26 GMT

Hi SH.

You can achieve this goal on the router. Are you using multiple ISPs terminating on the same router?

IMHO: For best way you can use load-sharing mechanism with policy base routing feature on the router. Let me explain further you can give vlan/subnet 2-5 go to ISP_1 and vlan/subnet 6-10 go to ISP_2 with source-route of policy base routing feature. Now you can control out-bound traffics go to ISPs. I don't think multiple default route will be good solution for multiple ISPs because are you sure the packets of 1 session go to the same ISP at a time.

Hope this helps

L.Thot

Re: Multiple ISP and ASA

Rodrigo Gurriti — Mon, 11 Jun 2007 00:59:24 GMT

No doubt you need a router but that's why you use these command

ip load-sharing per-packet

ip load-sharing per-destination

Re: Multiple ISP and ASA

anandramapathy — Mon, 11 Jun 2007 05:52:05 GMT

The process is simple ( If there is 1 DMZ )-

The PIX / ASA can handle only 1 outside route.

Therefore this route has to be your Internet router's Ethernet Address.

On the internet router put 1 default outside route towards ISP1 ( the ISP on which the DMZ is hosted )

Then put 1 Route-map on the Ethernet Interface of the router which is on the same subnet as the PIX outside.

This routemap will define that if a particular traffic has to be sent to ISP B, match that with an ACL ( this will be the public IP of ISP B ) with the source IP of the subnet which has to be routed via ISP B.

Set the next hop as the WAN interface of ISP B

You are done.

Re: Multiple ISP and ASA

anandramapathy — Mon, 11 Jun 2007 06:00:17 GMT

Try this one too

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Re: Multiple ISP and ASA

sathyahemanth — Mon, 11 Jun 2007 11:57:14 GMT

So guys, is it advicable not to NAT at the firewall and do the NATting at the router and use the appropriate switching method on the router to route traffic.

This is what I think you are trying to suggest for this problem.

Thanks and regards,

SH.

Re: Multiple ISP and ASA

anandramapathy — Mon, 11 Jun 2007 13:52:27 GMT

Hi,

The NAT should be done on the firewall.

example -

On the firewall

192.168.1.0 NAT outside IP of ISP A (1.1.1.0 )

192.168.2.0 NAT outside IP of ISP B

(2.2.2.0)

On the internet router

put default route to WAN IP of ISP A

put policy route for packet originating with source IP 2.2.2.0 - next hop WAN IP of ISP B

Re: Multiple ISP and ASA

sathyahemanth — Tue, 12 Jun 2007 03:46:10 GMT

Hi Anand,

What about the load-balancing and the failover in this case?

T & r,

SH.

Re: Multiple ISP and ASA

anandramapathy — Tue, 12 Jun 2007 04:28:33 GMT

Loadbalancing will happen based on Subnets.

*** Loadbalancing ***

Say internal subnet A - 192.168.1.0 will be routed via Link A

( Using the Default route & NAT for Link A )

internal subnet B - 192.168.2.0 will be routed via Link B

( Using the Policy Route & NAT for Link B )

*** For Failover *** - YOu have to do the following & it is manual 😞

(Since you are not running BGP config where

both ISPs can route each other's traffic )

Summary -

Change route & Change NAT. May be a little confusing.

Details -

If Link A goes down - Change default route on the internet router to Link B

Change the NAT config for Subnet A & add the it to pool B

If Link B goes down - Remove the Policy route from the Internet router so that all traffic is diverted to the Link A

Change the NAT config for Subnet B & add the it to pool A

Let me know if you have any doubts

HTH - Please rate all useful posts