
Is ASA with multi-homed ISP a professional solution?

brettp
Level 1

Hello, I've been tasked with cleaning up the mess of two ISPs coming into our building. We host websites on one, all other internet traffic on the other. When one ISP goes down, I have to manually make routing changes, NAT/ACL changes, DNS changes, VPN changes, etc. It's a big fiasco. To simplify this, I was going to go the whole multi-homed internet with BGP route, but that in itself seems to be a fiasco due to the fact it's very difficult obtaining an IP block these days, and the cost would be a bit high because I'd need new routers and ASAs. Then I don't know if our ISP would even accept our routes because the block we need is /26. An alternate solution, albeit not 100% foolproof, is to get two beefy ASAs in an HA active/standby pair, set up some IP SLA route tracking and PBR, to achieve an easier failover. Yes, there would be a blip in network, unlike the BGP solution, and that's acceptable. They are just looking for something easier. Is that a professional solution? I know Cisco has some articles about setting it up and everything, but each ISP is a 1 gig fiber link... not just some broadband backup link. The links are never saturated, so I'm thinking an ASA 5555-X would be a good model. I just don't want to order everything, set it all up, and have performance severely degraded because I overlooked something. Any insight is appreciated... Thanks!


Alex Pfeil
Level 7
You could check with your current ISP regarding the BGP solution; they may allow you to use their IP address space. There is a process in ARIN called SWIP.

Thank you for the suggestion. It’s something we looked into, but then we’re going to have to get two ISPs to play nice… which isn’t always possible. Also, if we change ISPs it can turn into a fiasco.

Hello

To name a few: you’ll need to take into account, obviously, your WAN throughput with regard to the concurrent connections you envisage, VPN encryption, firewall inspection, etc.

Whether you are thinking of accepting a full internet BGP table or not.

It seems what you’re proposing is indeed feasible, but without knowing your topology it’s hard to tell; the 5555x looks like it does have quite a high spec to accommodate your needs.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thank you for your insight. I don’t believe throughput will be an issue. I was just wondering if the idea is a legitimate way of setting something up like this for a business. Was kind of hoping someone else may have done something similar!