https://community.cisco.com/t5/network-security/asa-5510-with-two-isps/m-p/1633796#M581069 <HTML><HEAD></HEAD><BODY><P>Stumbled upon this. Would this work?</P><P>https://supportforums.cisco.com/docs/DOC-6069</P><P></P><P></P><P>Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Tue, 01 Mar 2011 23:56:06 GMT craig-mitchell 2011-03-01T23:56:06Z https://community.cisco.com/t5/network-security/asa-5510-with-two-isps/m-p/1633786#M581056 <P>Could someone point me in the right direction and maybe provide a config example of how to setup an ASA with two Internet connections? We want to have the ability to send certain traffic over one connection (example http) and everything else over another. Is there a way to do this, and if so, an example config would be greatly appreciated. Thanks. </P><P></P><P>Sent from Cisco Technical Support iPhone App</P> Mon, 11 Mar 2019 19:57:13 GMT https://community.cisco.com/t5/network-security/asa-5510-with-two-isps/m-p/1633786#M581056 craig-mitchell 2019-03-11T19:57:13Z https://community.cisco.com/t5/network-security/asa-5510-with-two-isps/m-p/1633787#M581058 <HTML><HEAD></HEAD><BODY><P>Hello Craig</P><P></P><P>I'm sorry to inform you that this cannot be done on the ASA (at least in any straight forward way).</P><P></P><P>The ASA software does not support Policy-based Routing which is required to complete your requirement. However you can always configure multiple ISPs in an active-passive fashion; as described at the following link:</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml</A></P><P></P><P>As a work-around in some scenarios you can run the ASA box in multiple context mode to achive similar requirements but that is not recommended due to various reasons (complexity, some features like dynamic routing/VPNs not working in virtual fw mode etc.)</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Sat, 26 Feb 2011 09:04:39 GMT https://community.cisco.com/t5/network-security/asa-5510-with-two-isps/m-p/1633787#M581058 Farrukh Haroon 2011-02-26T09:04:39Z https://community.cisco.com/t5/network-security/asa-5510-with-two-isps/m-p/1633788#M581060 <HTML><HEAD></HEAD><BODY><P>Couldn't you use policy based NAT to NAT certain traffic out out a different interface?</P><P></P><P>Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Sat, 26 Feb 2011 13:00:39 GMT https://community.cisco.com/t5/network-security/asa-5510-with-two-isps/m-p/1633788#M581060 craig-mitchell 2011-02-26T13:00:39Z https://community.cisco.com/t5/network-security/asa-5510-with-two-isps/m-p/1633789#M581062 <HTML><HEAD></HEAD><BODY><P>You can use policy-based NAT (it can also be on the same output interface depending on the exact requirement); but there will be no link reliability in this case. What happens when one link fails?</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Sat, 26 Feb 2011 15:58:31 GMT https://community.cisco.com/t5/network-security/asa-5510-with-two-isps/m-p/1633789#M581062 Farrukh Haroon 2011-02-26T15:58:31Z https://community.cisco.com/t5/network-security/asa-5510-with-two-isps/m-p/1633790#M581063 <HTML><HEAD></HEAD><BODY><P>Reading the original request, It doesn't sound like failover or redundancy are important criteria in the scenario presented.</P></BODY></HTML> Sat, 26 Feb 2011 21:24:47 GMT https://community.cisco.com/t5/network-security/asa-5510-with-two-isps/m-p/1633790#M581063 parr 2011-02-26T21:24:47Z https://community.cisco.com/t5/network-security/asa-5510-with-two-isps/m-p/1633791#M581064 <HTML><HEAD></HEAD><BODY><P>Yes, not concerned with failover/redundancy at this point. Can you tell me how I would configure the two static routes for each ISP? Thanks so much for your help. </P><P></P><P>Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Sun, 27 Feb 2011 13:28:05 GMT https://community.cisco.com/t5/network-security/asa-5510-with-two-isps/m-p/1633791#M581064 craig-mitchell 2011-02-27T13:28:05Z https://community.cisco.com/t5/network-security/asa-5510-with-two-isps/m-p/1633792#M581065 <HTML><HEAD></HEAD><BODY><P>Hello Craig</P><P></P><P>This is why i mentioned in my initial post that you won't be able to meet your requirement because PBR is not supported on the ASA: the problem is that one can only configure default routes pointing out one interface on the ASA firewall (and not more); as mentioned in the config guide:</P><P></P><P>"<SPAN class="content"> When defining more than one default route, you must specify the same interface for each entry."</SPAN></P><P></P><P><SPAN>Source: </SPAN><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/route_static.html#wp1128007">http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/route_static.html#wp1128007</A></P><P></P><P>And as you know a default route is essential to route internet traffic. If you have any proxy server or router in the transit path; you can fulfull your requirement using those devices.</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Sun, 27 Feb 2011 13:38:21 GMT https://community.cisco.com/t5/network-security/asa-5510-with-two-isps/m-p/1633792#M581065 Farrukh Haroon 2011-02-27T13:38:21Z https://community.cisco.com/t5/network-security/asa-5510-with-two-isps/m-p/1633793#M581066 <HTML><HEAD></HEAD><BODY><P>So what if I setup another default route with a higher metric and policy NATed the traffic I wanted out that new interface? Would that work? Thanks again!</P><P></P><P>Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Sun, 27 Feb 2011 17:29:03 GMT https://community.cisco.com/t5/network-security/asa-5510-with-two-isps/m-p/1633793#M581066 craig-mitchell 2011-02-27T17:29:03Z https://community.cisco.com/t5/network-security/asa-5510-with-two-isps/m-p/1633794#M581067 <HTML><HEAD></HEAD><BODY><P>I'm sorry to tell you that will also not work, please see the next paragraph on the same link:</P><P></P><P class="pB1_Body1">"If you attempt to define more than three equal cost default routes <STRONG>or a&nbsp; default route with a different interface than a previously defined&nbsp; default route, you receive the following message: </STRONG></P><P><STRONG><A name="wp1123744"></A></STRONG></P><DIV class="pEx1_Example1"><PRE><STRONG>"ERROR: Cannot add route entry, possible conflict with existing routes." </STRONG><BR />"<BR /><BR />Regards<BR /><BR />Farrukh</PRE></DIV><DIV class="pPreformatted"><PRE class="pPreformatted"><A name="wp1150944"></A></PRE></DIV></BODY></HTML> Sun, 27 Feb 2011 19:26:47 GMT https://community.cisco.com/t5/network-security/asa-5510-with-two-isps/m-p/1633794#M581067 Farrukh Haroon 2011-02-27T19:26:47Z https://community.cisco.com/t5/network-security/asa-5510-with-two-isps/m-p/1633795#M581068 <HTML><HEAD></HEAD><BODY><P>But it is allowed if I setup route tracking via icmp?</P><P></P><P>Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Sun, 27 Feb 2011 19:50:45 GMT https://community.cisco.com/t5/network-security/asa-5510-with-two-isps/m-p/1633795#M581068 craig-mitchell 2011-02-27T19:50:45Z https://community.cisco.com/t5/network-security/asa-5510-with-two-isps/m-p/1633796#M581069 <HTML><HEAD></HEAD><BODY><P>Stumbled upon this. Would this work?</P><P>https://supportforums.cisco.com/docs/DOC-6069</P><P></P><P></P><P>Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Tue, 01 Mar 2011 23:56:06 GMT https://community.cisco.com/t5/network-security/asa-5510-with-two-isps/m-p/1633796#M581069 craig-mitchell 2011-03-01T23:56:06Z https://community.cisco.com/t5/network-security/asa-5510-with-two-isps/m-p/1633797#M581070 <HTML><HEAD></HEAD><BODY><P>I'm sorry for the late reply; that solution is definitely worth a try; even tough the solution is a little crude <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Sat, 05 Mar 2011 08:15:04 GMT https://community.cisco.com/t5/network-security/asa-5510-with-two-isps/m-p/1633797#M581070 Farrukh Haroon 2011-03-05T08:15:04Z https://community.cisco.com/t5/network-security/asa-5510-with-two-isps/m-p/1633798#M581071 <HTML><HEAD></HEAD><BODY><P>When I made this change for port 80 traffic, I could see that it worked. However , it seemed to break internal web traffic between clients and an internal web server (both on the inside network not traversing the firewall). Could this be a proxy arp issue or an icmp redirect issue. The clients default gateway is a cisco router and this router's default gateway is the inside of the asa. The clients, internal web server, core router, and Asa inside interface are all on the same subnet. </P><P></P><P>Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Tue, 08 Mar 2011 17:01:47 GMT https://community.cisco.com/t5/network-security/asa-5510-with-two-isps/m-p/1633798#M581071 craig-mitchell 2011-03-08T17:01:47Z https://community.cisco.com/t5/network-security/asa-5510-with-two-isps/m-p/1633799#M581072 <HTML><HEAD></HEAD><BODY><P>Hello</P><P></P><P>I doubt this is a proxy ARP issue as it is only supposed to kick in if you are trying to reach an IP address on another subnet and the router replies with his own MAC; it should not occur for traffic on the same subnet. Of course this could be due to mis-configured subnet mask(s) on one or more devices in the concerned network.</P><P></P><P>This can be easily verified by inspecting the ARP table of both client and server (web); e.g. on windows 'arp -a' will show this.</P><P></P><P>Regards</P><P><BR />Farrukh</P></BODY></HTML> Tue, 08 Mar 2011 18:42:54 GMT https://community.cisco.com/t5/network-security/asa-5510-with-two-isps/m-p/1633799#M581072 Farrukh Haroon 2011-03-08T18:42:54Z