https://community.cisco.com/t5/network-security/how-to-spplit-different-lan-segment-in-two-isp-service/m-p/2478845#M269402 <HTML><HEAD></HEAD><BODY><P>Hi MikhailovskyVV.</P><P>These are the versions of my device:</P><P></P><P>ASA&gt; show version</P><P></P><P>Cisco Adaptive Security Appliance Software Version 8.2(5)</P><P>Device Manager Version 6.4(5)</P><P></P><P>I can download the following images "asa913-k8.bin" and "asdm-715.bin"</P><P></P><P>ASA# dir flash:</P><P>Directory of disk0:/</P><P>100&nbsp;&nbsp;&nbsp; -rwx&nbsp; 15390720&nbsp;&nbsp;&nbsp; 11:59:42 Mar 13 2013&nbsp; asa825-k8.bin</P><P>101&nbsp;&nbsp;&nbsp; -rwx&nbsp; 16280544&nbsp;&nbsp;&nbsp; 15:11:44 Mar 13 2013&nbsp; asdm-645.bin</P><P>102&nbsp;&nbsp;&nbsp; -rwx&nbsp; 28672&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 19:00:00 Dec 31 1979&nbsp; FSCK0000.REC</P><P>3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; drwx&nbsp; 4096&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 19:03:10 Dec 31 2002&nbsp; log</P><P>10&nbsp;&nbsp;&nbsp;&nbsp; drwx&nbsp; 4096&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 19:03:22 Dec 31 2002&nbsp; crypto_archive</P><P>11&nbsp;&nbsp;&nbsp;&nbsp; drwx&nbsp; 4096&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 19:03:24 Dec 31 2002&nbsp; coredumpinfo</P><P>104&nbsp;&nbsp;&nbsp; -rwx&nbsp; 4096&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 19:00:00 Dec 31 1979&nbsp; FSCK0001.REC</P><P>105&nbsp;&nbsp;&nbsp; -rwx&nbsp; 12998641&nbsp;&nbsp;&nbsp; 15:07:10 Mar 13 2013&nbsp; csd_3.5.2008-k9.pkg</P><P>106&nbsp;&nbsp;&nbsp; drwx&nbsp; 4096&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 15:07:14 Mar 13 2013&nbsp; sdesktop</P><P>107&nbsp;&nbsp;&nbsp; -rwx&nbsp; 6487517&nbsp;&nbsp;&nbsp;&nbsp; 15:07:48 Mar 13 2013&nbsp; anyconnect-macosx-i386-2.5.2014-k9.pkg</P><P>108&nbsp;&nbsp;&nbsp; -rwx&nbsp; 6689498&nbsp;&nbsp;&nbsp;&nbsp; 15:07:56 Mar 13 2013&nbsp; anyconnect-linux-2.5.2014-k9.pkg</P><P>109&nbsp;&nbsp;&nbsp; -rwx&nbsp; 4678691&nbsp;&nbsp;&nbsp;&nbsp; 15:08:00 Mar 13 2013&nbsp; anyconnect-win-2.5.2014-k9.pkg</P><P>255320064 bytes total (192139264 bytes free)</P><P></P><P>ASA# show version</P><P>Cisco Adaptive Security Appliance Software Version 8.2(5)</P><P>Device Manager Version 6.4(5)</P><P></P><P>Compiled on Fri 20-May-11 16:00 by builders</P><P>System image file is "disk0:/asa825-k8.bin"</P><P>Config file at boot was "startup-config"</P><P></P><P>ASA up 1 day 18 hours</P><P></P><P>Hardware:&nbsp;&nbsp; ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz</P><P>Internal ATA Compact Flash, 256MB</P><P>BIOS Flash Firmware Hub @ 0xffe00000, 1024KB</P><P></P><P>Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Boot microcode&nbsp;&nbsp; : CN1000-MC-BOOT-2.00</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; IPSec microcode&nbsp; : CNlite-MC-IPSECm-MAIN-2.05</P><P></P><P> 0: Ext: GigabitEthernet0/0&nbsp; : address is e4d3.f112.0e9c, irq 9</P><P> 1: Ext: GigabitEthernet0/1&nbsp; : address is e4d3.f112.0e9d, irq 9</P><P> 2: Ext: GigabitEthernet0/2&nbsp; : address is e4d3.f112.0e9e, irq 9</P><P> 3: Ext: GigabitEthernet0/3&nbsp; : address is e4d3.f112.0e9f, irq 9</P><P> 4: Ext: Management0/0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : address is e4d3.f112.0ea0, irq 11</P><P> 5: Int: Not used&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : irq 11</P><P> 6: Int: Not used&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : irq 5</P><P></P><P>Licensed features for this platform:</P><P>Maximum Physical Interfaces&nbsp;&nbsp;&nbsp; : Unlimited</P><P>Maximum VLANs&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 150</P><P>Inside Hosts&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Unlimited</P><P>Failover&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Active/Active</P><P>VPN-DES&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Enabled</P><P>VPN-3DES-AES&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Enabled</P><P>Security Contexts&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 2</P><P>GTP/GPRS&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Disabled</P><P>SSL VPN Peers&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 2</P><P>Total VPN Peers&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 750</P><P>Shared License&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Disabled</P><P>AnyConnect for Mobile&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Disabled</P><P>AnyConnect for Cisco VPN Phone : Disabled</P><P>AnyConnect Essentials&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Disabled</P><P>Advanced Endpoint Assessment&nbsp;&nbsp; : Disabled</P><P>UC Phone Proxy Sessions&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 2</P><P>Total UC Proxy Sessions&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 2</P><P>Botnet Traffic Filter&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Disabled</P><P></P><P>This platform has an ASA 5520 VPN Plus license.</P><P></P><P>Serial Number: JMX171180JB</P><P>Running Activation Key: 0xe638dc68 0xf4a83e3e 0xcc129924 0xb180fcc0 0x0b190e9d</P><P>Configuration register is 0x1</P><P>Configuration last modified by enable_15 at 05:57:50.617 PEST Wed Feb 19 2014</P><P>ASA#</P><P></P><P>Can I upgrade directly from 8.2(5) to 9.1 (I know that actual configuration will be lost and also I know that the syntax configuration is different between the versions, but this is not a problem for me, because I can re-configure it very fast).</P><P>My doubt is if exist any other license that will be afected during the upgrade. As you can see exist any other files in the flash memory and some features related to the license appear in the command "show version" and at the final line appear a message "This platform has an ASA 5520 VPN Plus license". My doubt is "after the upgrade (from 8.2 to IOS 9.1) these features will be change, any license will be afected????.</P><P></P><P>The object final is the following:</P><P>I have in this moment three LAN's segment (for example lan1, lan2 and lan3) and two WAN's (isp1 and isp2)</P><P>lan1 and lan2 leave for isp1 and exits VPN (site to site) connection between lan1 with different site. It in this moment is operation with any problem.</P><P>The problem is the third lan3 because this must be use the second isp2, also this lan3 will be open a VPN with another site. This requirement I can not do it with 8.2 IOS Version. This requirement is like a PBR in router.</P><P>The version 9.1 can handle this feature (PBR)</P><P id="gt-src-tools"></P><DIV id="gt-src-tools-l"><DIV id="gt-input-tool" style="display: inline-block;"><DIV id="itamenu"><P> Please let me know </P><P></P><P>Regards</P><P>Andres</P></DIV></DIV></DIV></BODY></HTML> Thu, 20 Feb 2014 10:53:34 GMT a.guillen 2014-02-20T10:53:34Z https://community.cisco.com/t5/network-security/how-to-spplit-different-lan-segment-in-two-isp-service/m-p/2478842#M269399 <P>Hi Forum</P><P>I have a doubt how to implement a new scenario</P><P>My customer have a 5520 (with four Interfaces) firewall with the following version: </P><P>ASA Version 8.2(5) and his configuration is</P><P></P><P>interface GigabitEthernet0/1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P> nameif lan1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P> security-level 50&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P> ip address 192.168.1.1 255.255.255.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>interface GigabitEthernet0/2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P> nameif lan2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P> security-level 100&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P> ip address 192.168.2.1 255.255.255.0</P><P>!</P><P>interface GigabitEthernet0/0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P> description ISP1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P> nameif outside&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P> security-level 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P> ip address a.b.c.252 255.255.255.248&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>same-security-traffic permit inter-interface&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>same-security-traffic permit intra-interface&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>!</P><P>access-list Public_access_in extended permit icmp any any&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>access-list ACL-RED-VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.112.0 255. </P><P>access-list ACL-INSIDE-NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.112.0 </P><P>!</P><P>icmp permit any outside&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>icmp permit any inside&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>!</P><P>global (outside) 1 interface&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>nat (inside) 0 access-list ACL-INSIDE-NONAT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>nat (lan1) 1 192.168.1.0 255.255.255.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>nat (lan2) 1 192.168.2.0 255.255.255.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>!</P><P>static (lan2,outside) tcp a.b.c.253 8080 192.168.2.11 8080 netmask 255.255.255.255 </P><P>static (lan2,outside) tcp a.b.c.253 8081 192.168.2.13 8081 netmask 255.255.255.255 </P><P>!</P><P>access-group Public_access_in in interface outside</P><P>!</P><P>route outside 0.0.0.0 0.0.0.0 a.b.c.249 1</P><P>!</P><P>crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac</P><P>!</P><P>! The rest is omited</P><P>So, the LAN's segment (192.168.1.0/24 and 192.168.2.0/24) leave to Internet by outside Interface and also I have set a VPN between our side and the remote LAN site (192.168.112.0/24)</P><P></P><P>Now, my customer want to add a new LAN Segment (for example 192.168.3.0/24) and has recently purchased a new service of ISP.</P><P>He want that this New LAN segment leave by the new ISP Provider and possible a new VPN between this new segment to another side will be appear.</P><P></P><P>In resumen:</P><P>The old configuration is not going to change.</P><P></P><P></P><P>For the new service LAN 192.168.3.0/24 must be go to internet using the seconf ISP service&nbsp; z.y.x.194 255.255.255.248.</P><P>What change I must be do in the interface G0/3 </P><P></P><P>I suppose that I must be create subinterface in the interface G0/3, like this.</P><P></P><P></P><P>!&nbsp;&nbsp; line 1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>interface GigabitEthernet0/3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P> no nameif </P><P> no security-level 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P> no ip address</P><P> no shutdown</P><P>!&nbsp; line 2</P><P>interface GigabitEthernet0/3.100</P><P> vlan 100</P><P> nameif lan3</P><P> security-level 50&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P> ip address 192.168.3.1 255.255.255.0</P><P>!&nbsp; line 3</P><P>interface GigabitEthernet0/3.200</P><P> vlan 200</P><P> nameif outside2</P><P> security-level 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P> ip address x.y.z.194 255.255.255.248</P><P>! line 4</P><P>route outside2 0.0.0.0 0.0.0.0 x.y.z.193 250</P><P>! line 5</P><P>global (outside2) 2 interface&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>nat (tikary) 2 192.168.3.0 255.255.255.0</P><P> ! line 6</P><P>access-group Public_access_in in interface outside2</P><P></P><P>Also from the segment 192.168.2.x/24&nbsp; must to access to other LAN Segment (192.168.1.0/24 and 192.168.3.0/24)</P><P></P><P>Please correct me, or you have any other reference to observe like a reference. </P><P>Regards</P><P>ARGB</P> Tue, 12 Mar 2019 03:46:55 GMT https://community.cisco.com/t5/network-security/how-to-spplit-different-lan-segment-in-two-isp-service/m-p/2478842#M269399 a.guillen 2019-03-12T03:46:55Z https://community.cisco.com/t5/network-security/how-to-spplit-different-lan-segment-in-two-isp-service/m-p/2478843#M269400 <HTML><HEAD></HEAD><BODY><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote">Now, my customer want to add a new LAN Segment (for example 192.168.3.0/24) and has recently purchased a new service of ISP.&nbsp; He&nbsp; want that this New LAN segment leave by the new ISP Provider and&nbsp; possible a new VPN between this new segment to another side will be&nbsp; appear.</PRE><P> If I am understanding correctly, your company has now accuired a new ISP connection and you want this new subnet to use that new connection for internet and VPN?&nbsp; This is partially not possible.&nbsp; You wil NOT be able to use this connection as an active link to the internet.&nbsp; </P><P></P><P>the ASA only supports one active default gateway at any given time.&nbsp; If you want to use the second ISP connection actively, you need to either put a router or another firewall into the mix.</P><P></P><P>As for the VPN link&nbsp; You can set up a seperate site to site VPN that specifies the 192.168.3.0/24 subnet as the source and the remote site as the destination.&nbsp; So long as the remote site has a seperate tunnel group for its connection this should work.</P><P></P><P>-- <BR />Please remember to rate and select a correct answer</P></BODY></HTML> Tue, 18 Feb 2014 13:34:49 GMT https://community.cisco.com/t5/network-security/how-to-spplit-different-lan-segment-in-two-isp-service/m-p/2478843#M269400 Marius Gunnerud 2014-02-18T13:34:49Z https://community.cisco.com/t5/network-security/how-to-spplit-different-lan-segment-in-two-isp-service/m-p/2478844#M269401 <HTML><HEAD></HEAD><BODY><P>Hello.</P><P></P><P>It's possible to run ASA in multiple context mode, having different default gateways and set of VPNs.</P><P>But you need to update your firware to version 9.x</P><P></P><P>If you choose to stay with 8.2(5), then, I would agree with Marius, you need additional router to do the job.</P></BODY></HTML> Tue, 18 Feb 2014 18:13:10 GMT https://community.cisco.com/t5/network-security/how-to-spplit-different-lan-segment-in-two-isp-service/m-p/2478844#M269401 Vasilii Mikhailovskii 2014-02-18T18:13:10Z https://community.cisco.com/t5/network-security/how-to-spplit-different-lan-segment-in-two-isp-service/m-p/2478845#M269402 <HTML><HEAD></HEAD><BODY><P>Hi MikhailovskyVV.</P><P>These are the versions of my device:</P><P></P><P>ASA&gt; show version</P><P></P><P>Cisco Adaptive Security Appliance Software Version 8.2(5)</P><P>Device Manager Version 6.4(5)</P><P></P><P>I can download the following images "asa913-k8.bin" and "asdm-715.bin"</P><P></P><P>ASA# dir flash:</P><P>Directory of disk0:/</P><P>100&nbsp;&nbsp;&nbsp; -rwx&nbsp; 15390720&nbsp;&nbsp;&nbsp; 11:59:42 Mar 13 2013&nbsp; asa825-k8.bin</P><P>101&nbsp;&nbsp;&nbsp; -rwx&nbsp; 16280544&nbsp;&nbsp;&nbsp; 15:11:44 Mar 13 2013&nbsp; asdm-645.bin</P><P>102&nbsp;&nbsp;&nbsp; -rwx&nbsp; 28672&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 19:00:00 Dec 31 1979&nbsp; FSCK0000.REC</P><P>3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; drwx&nbsp; 4096&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 19:03:10 Dec 31 2002&nbsp; log</P><P>10&nbsp;&nbsp;&nbsp;&nbsp; drwx&nbsp; 4096&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 19:03:22 Dec 31 2002&nbsp; crypto_archive</P><P>11&nbsp;&nbsp;&nbsp;&nbsp; drwx&nbsp; 4096&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 19:03:24 Dec 31 2002&nbsp; coredumpinfo</P><P>104&nbsp;&nbsp;&nbsp; -rwx&nbsp; 4096&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 19:00:00 Dec 31 1979&nbsp; FSCK0001.REC</P><P>105&nbsp;&nbsp;&nbsp; -rwx&nbsp; 12998641&nbsp;&nbsp;&nbsp; 15:07:10 Mar 13 2013&nbsp; csd_3.5.2008-k9.pkg</P><P>106&nbsp;&nbsp;&nbsp; drwx&nbsp; 4096&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 15:07:14 Mar 13 2013&nbsp; sdesktop</P><P>107&nbsp;&nbsp;&nbsp; -rwx&nbsp; 6487517&nbsp;&nbsp;&nbsp;&nbsp; 15:07:48 Mar 13 2013&nbsp; anyconnect-macosx-i386-2.5.2014-k9.pkg</P><P>108&nbsp;&nbsp;&nbsp; -rwx&nbsp; 6689498&nbsp;&nbsp;&nbsp;&nbsp; 15:07:56 Mar 13 2013&nbsp; anyconnect-linux-2.5.2014-k9.pkg</P><P>109&nbsp;&nbsp;&nbsp; -rwx&nbsp; 4678691&nbsp;&nbsp;&nbsp;&nbsp; 15:08:00 Mar 13 2013&nbsp; anyconnect-win-2.5.2014-k9.pkg</P><P>255320064 bytes total (192139264 bytes free)</P><P></P><P>ASA# show version</P><P>Cisco Adaptive Security Appliance Software Version 8.2(5)</P><P>Device Manager Version 6.4(5)</P><P></P><P>Compiled on Fri 20-May-11 16:00 by builders</P><P>System image file is "disk0:/asa825-k8.bin"</P><P>Config file at boot was "startup-config"</P><P></P><P>ASA up 1 day 18 hours</P><P></P><P>Hardware:&nbsp;&nbsp; ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz</P><P>Internal ATA Compact Flash, 256MB</P><P>BIOS Flash Firmware Hub @ 0xffe00000, 1024KB</P><P></P><P>Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Boot microcode&nbsp;&nbsp; : CN1000-MC-BOOT-2.00</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; IPSec microcode&nbsp; : CNlite-MC-IPSECm-MAIN-2.05</P><P></P><P> 0: Ext: GigabitEthernet0/0&nbsp; : address is e4d3.f112.0e9c, irq 9</P><P> 1: Ext: GigabitEthernet0/1&nbsp; : address is e4d3.f112.0e9d, irq 9</P><P> 2: Ext: GigabitEthernet0/2&nbsp; : address is e4d3.f112.0e9e, irq 9</P><P> 3: Ext: GigabitEthernet0/3&nbsp; : address is e4d3.f112.0e9f, irq 9</P><P> 4: Ext: Management0/0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : address is e4d3.f112.0ea0, irq 11</P><P> 5: Int: Not used&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : irq 11</P><P> 6: Int: Not used&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : irq 5</P><P></P><P>Licensed features for this platform:</P><P>Maximum Physical Interfaces&nbsp;&nbsp;&nbsp; : Unlimited</P><P>Maximum VLANs&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 150</P><P>Inside Hosts&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Unlimited</P><P>Failover&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Active/Active</P><P>VPN-DES&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Enabled</P><P>VPN-3DES-AES&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Enabled</P><P>Security Contexts&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 2</P><P>GTP/GPRS&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Disabled</P><P>SSL VPN Peers&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 2</P><P>Total VPN Peers&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 750</P><P>Shared License&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Disabled</P><P>AnyConnect for Mobile&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Disabled</P><P>AnyConnect for Cisco VPN Phone : Disabled</P><P>AnyConnect Essentials&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Disabled</P><P>Advanced Endpoint Assessment&nbsp;&nbsp; : Disabled</P><P>UC Phone Proxy Sessions&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 2</P><P>Total UC Proxy Sessions&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 2</P><P>Botnet Traffic Filter&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Disabled</P><P></P><P>This platform has an ASA 5520 VPN Plus license.</P><P></P><P>Serial Number: JMX171180JB</P><P>Running Activation Key: 0xe638dc68 0xf4a83e3e 0xcc129924 0xb180fcc0 0x0b190e9d</P><P>Configuration register is 0x1</P><P>Configuration last modified by enable_15 at 05:57:50.617 PEST Wed Feb 19 2014</P><P>ASA#</P><P></P><P>Can I upgrade directly from 8.2(5) to 9.1 (I know that actual configuration will be lost and also I know that the syntax configuration is different between the versions, but this is not a problem for me, because I can re-configure it very fast).</P><P>My doubt is if exist any other license that will be afected during the upgrade. As you can see exist any other files in the flash memory and some features related to the license appear in the command "show version" and at the final line appear a message "This platform has an ASA 5520 VPN Plus license". My doubt is "after the upgrade (from 8.2 to IOS 9.1) these features will be change, any license will be afected????.</P><P></P><P>The object final is the following:</P><P>I have in this moment three LAN's segment (for example lan1, lan2 and lan3) and two WAN's (isp1 and isp2)</P><P>lan1 and lan2 leave for isp1 and exits VPN (site to site) connection between lan1 with different site. It in this moment is operation with any problem.</P><P>The problem is the third lan3 because this must be use the second isp2, also this lan3 will be open a VPN with another site. This requirement I can not do it with 8.2 IOS Version. This requirement is like a PBR in router.</P><P>The version 9.1 can handle this feature (PBR)</P><P id="gt-src-tools"></P><DIV id="gt-src-tools-l"><DIV id="gt-input-tool" style="display: inline-block;"><DIV id="itamenu"><P> Please let me know </P><P></P><P>Regards</P><P>Andres</P></DIV></DIV></DIV></BODY></HTML> Thu, 20 Feb 2014 10:53:34 GMT https://community.cisco.com/t5/network-security/how-to-spplit-different-lan-segment-in-two-isp-service/m-p/2478845#M269402 a.guillen 2014-02-20T10:53:34Z https://community.cisco.com/t5/network-security/how-to-spplit-different-lan-segment-in-two-isp-service/m-p/2478846#M269403 <HTML><HEAD></HEAD><BODY><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>Can I upgrade directly from 8.2(5) to 9.1 (I know that actual&nbsp; configuration will be lost and also I know that the syntax configuration&nbsp; is different between the versions, but this is not a problem for me,&nbsp; because I can re-configure it very fast).</P></PRE><P>You can not upgrade directly from 8.2(5) to 9.1.&nbsp; You will need to first upgrade to 8.4(6) and from there you can upgrade to 9.1. Keep in mind that there are memory requirements when upgrading to 8.3 and higher.&nbsp; The minimum memory requirement for the 5520 when upgrading to 8.3 or higher is 2GB.</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote">My doubt is if exist any other license that will be afected during the upgrade</PRE><P>You should not have any issues with your licenses when upgrading.&nbsp; But as when doing any major change you should make sure you have a backup of your licenses and configuration.&nbsp; If you have lost this or forget to take a backup contact Cisco licensing for further help<STRONG style="text-decoration: underline; "><SPAN> </SPAN><A class="jive-link-email-small" href="mailto:licensing@cisco.com">licensing@cisco.com</A></STRONG> </P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote">The problem is the third lan3 because this must be use the second isp2, also this lan3 will be open a VPN with another site</PRE><P>In this case you must use active/active failover setup.&nbsp; you can configure this when using 8.2(5) and there is no need to upgrade to 9.1...yet.</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ha_active_active.html">http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ha_active_active.html</A></P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote">The version 9.1 can handle this feature (PBR)</PRE><P>No ASA can do PBR.&nbsp; The ASA is a firewall not a router. If you want to do PBR then you need to insert a router into your network.&nbsp; You can manipulate traffic to an extent by using static routing and NAT but anything past that you will not be able to.</P><P></P><P>-- <BR />Please remember to rate and select a correct answer</P></BODY></HTML> Thu, 20 Feb 2014 11:17:00 GMT https://community.cisco.com/t5/network-security/how-to-spplit-different-lan-segment-in-two-isp-service/m-p/2478846#M269403 Marius Gunnerud 2014-02-20T11:17:00Z