07-10-2006 06:52 AM - edited 02-21-2020 01:02 AM
I have 2 T1s from 2 different providers connecting 2 different 1700 series routers.
I can't really do BGP here, but what would be the best way to connect the secondary internet connection up to an ASA?
If I could have one connection for VPN and one for Internet I would be happy with that. Can I have 2 default routes out of the ASA, or 2 outside interfaces?
Any whitepapers?
Thanks in advance
07-10-2006 08:25 PM
Hi, you could connect the routers to 2 interfaces on the ASA with the same security level (0) in this case.
You could configure the routers' internal interfaces and the ASA's outside with a private range, e.g. 192.168.1.0/24. You could create a static NAT on one of your routers (Public IP <-> Outside interface 1 of ASA); this can be used for VPN access. The ASA needs to have static routes for the VPN networks pointing to link 1 and a default route pointing to the Internet link 2.
NOTE: if you are able to use BGP on your 1721 then it would make life so much easier, as you can configure OSPF between them and the ASA and inject default routes with different metrics.
I hope it helps ... please rate it if it does !!!
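A sketch of the layout described in the reply above, as an added example that is not part of the original post. All interface names, addresses and the remote VPN network are constructed (documentation ranges), and a separate private subnet per link is an assumption:

```cisco
! ---- Router 1 (provider A, VPN link): static NAT in front of the ASA ----
! Constructed addressing: 203.0.113.10 is a spare public IP routed to router 1.
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! Public IP <-> ASA outside interface 1
ip nat inside source static 192.168.1.2 203.0.113.10

! ---- ASA: two outside interfaces, both security level 0 ----
interface Ethernet0/0
 nameif outside1
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/1
 nameif outside2
 security-level 0
 ip address 192.168.2.2 255.255.255.0
!
! Only one default route is in use: general Internet traffic leaves via link 2.
route outside2 0.0.0.0 0.0.0.0 192.168.2.1 1
!
! VPN traffic leaves via link 1. Route both the remote protected network
! and the peer's public address, because the encrypted packets are sent
! to the peer address, not to the protected network.
route outside1 10.20.0.0 255.255.0.0 192.168.1.1 1
route outside1 198.51.100.25 255.255.255.255 192.168.1.1 1
```

Each additional site-to-site peer needs its own pair of routes on `outside1`; anything without a more specific route follows the default route out link 2.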
07-11-2006 09:17 AM
If you don't have too many site-to-site VPNs then you could configure the ASA with static routes to go through one of your routers for all the VPN sites and default routes for the second connection. Are those 1700 routers yours or your service provider's?
nh
07-11-2006 11:20 AM
I was going to use two 1700s for the internet and two outside interfaces on the ASA. Although it looks like I am going to have to use one 1700 with 2 T1s.
Then use policy routing.
I hate NATing before the fw though, any other ideas?