I have an ASA 5520 that I'd like to be able to load balance 2 internet providers on. I've been playing around with a possible config.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 184.108.40.206 255.255.255.0
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif outside2
 security-level 0
 ip address 220.127.116.11 255.255.255.0
!
interface GigabitEthernet0/3
 description LAN Failover Interface
!
interface Management0/0
 nameif inside
 security-level 100
 ip address 192.168.6.2 255.255.255.0
!
!
global (outside) 1 interface
global (dmz) 1 interface
global (outside2) 2 interface
global (inside) 1 interface
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 1 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.0.0 255.255.0.0
nat (inside) 2 192.168.0.0 255.255.0.0
static (dmz,outside) 18.104.22.168 192.168.0.2 netmask 255.255.255.255
static (dmz,outside2) 22.214.171.124 192.168.0.2 netmask 255.255.255.255
static (dmz,inside) 126.96.36.199 192.168.0.2 netmask 255.255.255.255
!
!
!
route outside 0.0.0.0 0.0.0.0 188.8.131.52
route outside 0.0.0.0 0.0.0.0 184.108.40.206

The actual NAT'ing is giving me trouble. The "global (outside2) 2 interface" command (I believe) creates another global pool on the 2nd WAN subnet, but the "nat (inside) 2 192.168.0.0 255.255.0.0" command is not valid. Is there any way to make the outbound traffic NAT to both WAN subnets? I am also unsure how the ASA will react to having 2 default routes. Thanks
This question has been asked many times in this forum.
You are correct - the ASA does not support two default routes out diff. interfaces.
It cannot do load balancing either. ASA does not support PBR (policy based routing).
The outside router should connect to both the ISPs and load balance based on PBR.
You can translate some traffic based on ISP1 provided IP scheme and translate others based on ISP2 provided IP scheme and have the router look at the source address and send them out the two diff. ISPs based on the source address.
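A sketch of the split the reply describes, added here as an example and not configuration posted in the thread: the ASA keeps one outside interface and one default route, PATs each internal subnet to an address from a different ISP, and the upstream IOS router policy-routes on that translated source. The inside and dmz subnets are from the question; the documentation addresses (198.51.100.x for ISP1, 203.0.113.x for ISP2), the 10.255.0.0/30 transit link, the route-map name and the router interface are assumptions, and it assumes each ISP routes the PAT address to the router.

```cisco
! ---- ASA (pre-8.3 nat/global syntax, as in the question) ----
! One outside interface, one default route toward the router.
! 10.255.0.2 is a constructed transit address.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.255.0.2 255.255.255.252
!
! inside hosts leave as an ISP1 address (NAT id 1)
nat (inside) 1 192.168.6.0 255.255.255.0
global (outside) 1 198.51.100.10
! dmz hosts leave as an ISP2 address (NAT id 2)
nat (dmz) 2 192.168.0.0 255.255.255.0
global (outside) 2 203.0.113.10
!
route outside 0.0.0.0 0.0.0.0 10.255.0.1

! ---- Upstream IOS router (connects to both ISPs) ----
! Match on the translated source address chosen by the ASA.
access-list 101 permit ip host 198.51.100.10 any
access-list 102 permit ip host 203.0.113.10 any
!
route-map DUAL-ISP permit 10
 match ip address 101
 set ip next-hop 198.51.100.1
route-map DUAL-ISP permit 20
 match ip address 102
 set ip next-hop 203.0.113.1
!
! Apply the policy where traffic arrives from the ASA.
interface GigabitEthernet0/0
 description Link to ASA outside
 ip address 10.255.0.1 255.255.255.252
 ip policy route-map DUAL-ISP
!
! Return traffic for the PAT addresses goes back to the ASA.
ip route 198.51.100.10 255.255.255.255 10.255.0.2
ip route 203.0.113.10 255.255.255.255 10.255.0.2
```

This splits traffic statically by source subnet; it does not balance individual flows across the two links.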