
ASA with dual ISP

skmdimran
Level 1

Dear Concern,

I have a Cisco ASA 5520. I want to deploy it in the following scenario.

  1. Two ISP (for internet) links are connected to the ASA.
  2. Three zones (Outside, DMZ, Inside) are specified on the ASA.
  3. In the DMZ, there are two proxy servers (proxy 1, proxy 2).
  4. Branch users will use proxy server 1 and Head office will use proxy 2.

In the above scenario, the management requirements are:

  1. Proxy 1 will use ISP 1 and proxy 2 will use ISP 2.
  2. If ISP 1 goes down then proxy 1 will use ISP 2 for internet, and vice versa.

Please suggest how I should configure the ASA for the above requirements, or if possible send me the configuration. Please find the attachment for diagram details.

Regards,

Imran

3 Replies

Just to let you know: the ASA can't have two active ISP connections at the same time. You can have one active and the other as a backup using the IP SLA configuration. This is because you can't have two default gateways working at the same time for different interfaces.

I hope this helps.

tj.mitchell
Level 4

This is not possible. He is correct; the ASA will not support equal-cost load-balancing out the same interface.

One option that is probably out of the question would be to multi-context the firewall. You could then specify FW1 with ISP1 as the primary and FW2 with ISP2 as the primary and use SLA for failover to the other ISP on each firewall.

You should be able to get that to work with some testing and such...

The other option would be to use the static routes with SLA and have ISP1 be the primary and ISP2 as the standby/ready firewall.

Thanks a lot for replying on my issue.

Actually, VPN is configured on the ASA, so multi-context is not possible.

If I change the design and place a router outside of the ASA, then will it fulfill the requirements? Please find the attachment for the diagram.

Please note that an IP address of ISP 1 is mapped to the mail server and also the VPN.

If we use the IP address of ISP 1 between the ASA and the router, then how will it go through ISP 2?

Please suggest what the design should be.
