
ASA DUAL ISP

asheemy
Level 1

I have an ASA deployment with dual ISPs. I need to use one ISP for the WSA proxy and AnyConnect VPN only, and the second one for DMZ servers, and if one ISP goes down the second one will take its place.
Please share a good design to achieve this deployment as best practice.

3 Replies

Philip D'Ath
VIP Alumni

You need to use PBR to do this, which needs quite new software. Note that this only works for outbound traffic selection. It is unlikely both ISPs will allow you to use the other ISP's IP address space on their circuit.

What this means is you could create outbound redundancy, but not inbound.  So if the link to the ISP that has given you address space for the DMZ goes down, all services in the DMZ that the Internet accesses will also go down.

What model ASA are you using, and what software version are you using?

Many thanks, Eng. Philip, for your response. I have an ASA 5585-X running version 9.4, which has the PBR feature.

As far as I know, the DMZ servers can have two NATs, one per ISP, so if the link on ISP1 goes down the servers can still have access to the Internet.

I think I can do the deployment with the PBR feature. Is that right?

If you don't do NAT, you can use PBR to make the routing work.

You can probably make it work with PBR and NAT.  I have not done that combination before.  It sounds complicated.
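A sketch of the outbound-only PBR design discussed in this thread, as an added example that is not from any poster here: DMZ-sourced traffic is policy-routed to ISP2 while everything else follows the tracked default route via ISP1, and each path falls back to the other when its SLA probe fails. Interface names, the `GigabitEthernet0/2` port, and all addresses (RFC 5737 documentation ranges) are assumptions; NAT rules are deliberately not shown, and inbound access to DMZ services still depends on the ISP that owns their address space.

```cisco
! Constructed sample values: isp1 gw 198.51.100.1, isp2 gw 203.0.113.1,
! DMZ subnet 192.0.2.0/24. Replace with your own addressing.

! Probe each ISP next hop so routing decisions follow real reachability
sla monitor 1
 type echo protocol ipIcmpEcho 198.51.100.1 interface isp1
 frequency 10
sla monitor schedule 1 life forever start-time now
sla monitor 2
 type echo protocol ipIcmpEcho 203.0.113.1 interface isp2
 frequency 10
sla monitor schedule 2 life forever start-time now
track 1 rtr 1 reachability
track 2 rtr 2 reachability

! Default path (WSA proxy, AnyConnect, everything not matched by PBR):
! ISP1 while track 1 is up, floating route via ISP2 otherwise
route isp1 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route isp2 0.0.0.0 0.0.0.0 203.0.113.1 254

! Traffic sourced from the DMZ servers is selected for policy routing
access-list PBR-DMZ extended permit ip 192.0.2.0 255.255.255.0 any

! Send it to ISP2 only while track 2 is up; when the probe fails the
! next hop is skipped and the packet follows the routing table (ISP1)
route-map DMZ-VIA-ISP2 permit 10
 match ip address PBR-DMZ
 set ip next-hop verify-availability 203.0.113.1 1 track 2

! PBR is applied on the ingress interface of the traffic being steered
interface GigabitEthernet0/2
 nameif dmz
 policy-route route-map DMZ-VIA-ISP2
```

After applying, `show track` and `show route-map` report the probe state and the policy in effect, which is the quickest way to confirm that a failed link actually moves traffic to the other ISP.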
