
ASA 5505 with THREE wan links, no load balancing

WStoffel1
Level 1

So I've been confronted with an interesting problem. As of right now it's a blank slate as I'm not sure how to do this. There's a broadband Internet connection from the cable company that needs to be configured as the Internet connection for the LAN, 192.168.0.0/23. That traffic obviously needs to be NATted through the Outside interface. This would also be the default route. So far a pretty plain vanilla setup is my point.

There's an Exchange server at 192.168.0.5 that needs to have email traffic sourced out of ISP2.  That outside interface is also the MX record for the mail server.  12.3.11.16/30 is the network, .17 being the default gateway.  .18 being my interface that needs to be natted to 192.168.0.5 allowing pop3, imap, https, smtp.

Then there's an RDS (terminal server) at 192.168.0.6 that they want RDP or port 3389 to use ISP3. This outside network is 12.5.14.56/29, 12.5.14.57 is the default gateway, .58 is my outside interface. My terminal server clients would connect to 12.5.14.58.

Interfaces would look like this based on info so far:

interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.254 255.255.254.0 
!
interface Vlan2
nameif outside
security-level 0
ip address 50.7.89.4 255.255.255.248
!
interface Vlan3
nameif ISP2
security-level 0
ip address 12.3.11.18 255.255.255.252
!
interface Vlan4
nameif ISP3
security-level 0
ip address 12.5.14.58 255.255.255.248 

 

Which then becomes more of a design thing if it's technically possible... do I create a DMZ and put ISP2 and 3 there?

The current setup is a hodgepodge of equipment with this meant to consolidate... when I say blank slate I mean it, anything can be done to get this working :)

It's the third WAN link that's a hang-up. Any ideas?

 


Vibhor Amrodia
Cisco Employee

Hi,

If I understand it correctly, you are trying to get the traffic working through 3 ISP networks on the ASA device.

I think the Static NAT on the ISP interfaces for the Inbound connections should work just fine.

The issue here would be the Outbound traffic and how to direct that to the internet for the specific ISP interfaces.

Some workaround can be made for that using the NAT statement but we have to be specific on the ASA device version.

Thanks and Regards,

Vibhor Amrodia

 

ciscoasa# show ver

Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)

Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 4 days 17 hours

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05

 0: Int: Internal-Data0/0    : address is 881d.fcbb.f49e, irq 11
 1: Ext: Ethernet0/0         : address is 881d.fcbb.f496, irq 255
 2: Ext: Ethernet0/1         : address is 881d.fcbb.f497, irq 255
 3: Ext: Ethernet0/2         : address is 881d.fcbb.f498, irq 255
 4: Ext: Ethernet0/3         : address is 881d.fcbb.f499, irq 255
 5: Ext: Ethernet0/4         : address is 881d.fcbb.f49a, irq 255
 6: Ext: Ethernet0/5         : address is 881d.fcbb.f49b, irq 255
 7: Ext: Ethernet0/6         : address is 881d.fcbb.f49c, irq 255
 8: Ext: Ethernet0/7         : address is 881d.fcbb.f49d, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces    : 8
VLANs                          : 20, DMZ Unrestricted
Inside Hosts                   : 10
Failover                       : Active/Standby
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
SSL VPN Peers                  : 2
Total VPN Peers                : 25
Dual ISPs                      : Enabled
VLAN Trunk Ports               : 8
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has an ASA 5505 Security Plus license.

Serial Number: 

Configuration register is 0x1
Configuration last modified by enable_15 at 16:40:04.047 UTC Thu Nov 20 2014

 

There's the version info.  Misread your reply initially, thank you.

 

 

Hi,

Unfortunately, on this ASA 8.2.5 code, you would only be able to route the traffic on the basis of the NAT statement on the basis of destination service port.

Thanks and Regards,

Vibhor Amrodia

Meaning updated code *would* be able to correctly route traffic?  What version?  I can get it updated.

 

:)
