07-01-2013 12:11 PM - edited 03-11-2019 07:05 PM
I have an ASA 5510 with 3 interfaces: inside, outside_cable, dmz
The cable has been down or slow a lot recently. This isn't so bad for my internal users, but for those connecting to the office via VPN it's a bummer, so I brought a FIOS line in with 1 static IP.
I would like to set a 4th interface (outside_fios) and use it ONLY for accepting VPN connections from AnyConnect.
I set the FIOS router (provided by Verizon) as a bridge and set the public IP address provided by Verizon on the 4th interface of my ASA. I also set the AnyConnect profiles to use either the outside_cable OR the outside_fios interfaces.
Needless to say, I'm missing something, which is why I'm posting, because when I try to connect using AnyConnect to the FIOS IP the connection fails. I see nothing in the ASA log and the AnyConnect client simply says that the connection attempt has timed out - please verify internet connectivity (which I definitely have).
I have read some articles about licensing -- base vs. security plus -- and how that may be why this isn't working, but I'm not sure if that is correct. I have the base license, by the way.
Additionally - I have no routing set up for this interface because I'm not sure how to do it. The only routing that's happening right now in the ASA is the default route -- routing everything out the outside_cable interface.
Any help would be GREATLY appreciated!
07-01-2013 12:29 PM
Hi,
I personally always handle Dual ISP routing scenarios with a Cisco router rather than the ASA.
I am not sure how the ASA handles the secondary ISP in this situation. To my understanding usually when the connections are coming from the secondary ISP the ASA should handle the connections correctly but initiating the connections from behind the ASA to the secondary ISP is usually the problem.
You might want to start trying to first configure a default route for the secondary ISP also.
You currently probably have this
route outside_cable 0.0.0.0 0.0.0.0 x.x.x.x 1
You could add
route outside_fios 0.0.0.0 0.0.0.0 x.x.x.x 254
Notice the different metric at the end. Since the original one has the metric of "1", it will stay in use. I use the value "254" simply to have a completely different value to the "1" but it could be "2" for example.
Maybe you could add this route first and try again.
If that doesn't work, I might have to test this out myself just to learn something new. But as I said, I don't have to do this in my work as we handle Dual ISP on routers and never on ASAs themselves.
- Jouni
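An added configuration example, not taken from either post, showing the pieces discussed above on one ASA: the fourth interface, the primary and backup default routes with different metrics, and SSL VPN enabled on the new interface. The interface name Ethernet0/3, the addresses (documentation ranges) and the assumption that the existing global AnyConnect settings used on outside_cable are already in place are mine.

```cisco
! Added example, not from this thread. Interface name, addresses and gateways are placeholders.
! Fourth interface carrying only VPN terminations arriving over the FIOS line
interface Ethernet0/3
 nameif outside_fios
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
! Existing primary default route via cable; metric 1 keeps it preferred
route outside_cable 0.0.0.0 0.0.0.0 198.51.100.1 1
! Backup default route via FIOS with a worse metric, as suggested above
route outside_fios 0.0.0.0 0.0.0.0 203.0.113.1 254
!
! Allow the ASA to answer echo requests on the new interface while testing
icmp permit any echo outside_fios
!
! SSL VPN must be enabled per interface; the global AnyConnect configuration
! already serving outside_cable is assumed to exist and is not repeated here
webvpn
 enable outside_fios
```

Traffic to the ASA's own interface (VPN termination, pings to the interface address) is not controlled by an access-group, so the per-interface webvpn and icmp commands are the relevant checks rather than the interface ACL.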
07-01-2013 12:47 PM
Thanks! I have added the 2nd default route, but it has not fixed the problem.
I also realized that I had no access rules set up for this interface, so I just added allowing ssh and https and ICMP.
I also checked to make sure the FIOS router was bridging properly by connecting my laptop to it and assigning my laptop to the public IP provided by Verizon. That worked fine -- I was able to access the internet and ping my laptop successfully from a different network.
I am trying to ping the public IP address (which is the address of the interface on the ASA) and I'm getting request timed out.
I'm officially stuck!