If you are planning to try 9

Tulipomwene Haukongo · ‎06-22-2016

Good day guys.

I'm new to security, so I hope what I post makes sense. I want to introduce a new firewall connecting two ISP and to a Layer 3 core switch (see attached drawing). My question is, if I'm running a point-to-point 10.10.1.0/30 network between the LAN Core Switch and the ASA, do I still have to NAT and how will the configuration be? I have serveral subnets behind the Core switch such as Wireless, LAN, CCTV, Voice etc. By this I mean I have a default route pointing to the core switch

Philip D'Ath · ‎06-22-2016

All of the IP addresses in your diagram are private - event the ones from your ISPs, which is unusual.

Are both of your ISPs realy giving you circuits with private IP addresses on them?

Are you wanting to use the circuits for just outbound active/standby failover support, or did you have something else in mind?

Tulipomwene Haukongo · ‎06-27-2016

Hi Philip,

Yes you are right, the two IPs to the ISPs will be public. We will also be setting up AnyConnect VPN

James Leinweber · ‎06-27-2016

If you are planning to try 9.6 series firmware (I'm way back on 9.4 myself) it looks to me like the new ASA "zone" functionality (completely different from router security zones) is designed to help you talk to multiple ISP's. This has been a historical pain point with ASA.

ASA Dual ISP

Loadbalancing DUAL ISP on ASA

Dual ISP implementation on ASA

Cisco ASA IPSEC VPN dual ISP

Cisco 3560 Dual ISP Failover help

Dual ISP Fail over