ASA 5516 - Multiple Outside Interfaces

jmckechnie · ‎12-01-2016

Hi,

I have an ASA 5516 cluster running a managed pair of resilient internet lines.

Main Cluster

1 -ISP - 2800 - ASA1 (active) - LAN

2 -ISP - 2800 - ASA2 (passive) - LAN

I have also have an ASA 5505 which is connected to a separate internet line.

APN Line

ISP - Juniper- ASA 5505 - LAN

Its purpose is to run a l2l VPN to our Mobile provider that forms part of a private APN. Mobile Devices are assigned a 172.16.x.x/24 address and connect in to access internal web services. SharePoint etc.

Mobile device browsers are also configured to use our Webfilter, an internal server which routes out to the internet via the main cluster.

I want to replace the 5505 and was considering buying a 5516. My question is could I connect this line to the existing 5516 cluster instead and terminate there? Effectively saving myself buying a 5516.

thanks

John

Oliver Kaiser · ‎12-01-2016

No need to deploy an additional firewall.

Just add another (logical) interface on your ASA and add a route to your 172.16.x.x/24 network with juniper ip address as next-hop.

Let me know if you have any questions

nspasov · ‎12-01-2016

Hello John-

If you are doing peering with the ISPs and are receiving default routes from both of them, then you should consider Interface Traffic Zones. Take a look at the link below that will take you to another thread that discusses this feature:

https://supportforums.cisco.com/discussion/12401251/asa-93-traffic-zones

I hope this helps!

Thank you for rating helpful posts!