06-20-2013 06:06 AM - edited 03-11-2019 07:00 PM
Hi,
On the ASA firewall:
Inside --- interface gi0/0 --- IP address 10.10.20.20/24 (LAN)
Outside1 --- interface gi0/1 --- IP address 100.100.100.1/25 (ISP1)
Outside2 --- interface gi0/2 --- IP address 200.200.200.1/25 (ISP2), Pool (200.200.200.1-100)
The customer wants to use both ISPs.
1. ISP1 will be used for servers. Servers are in the subnet 10.10.10.0/24,
i.e. servers should be reachable via ISP1 through static NAT on the ASA.
2. ISP2 will be used for the users. Users are in the subnet 10.10.20.0/24.
Users are using a proxy for Internet access, and the proxy IP address is 10.10.20.10.
Please advise on the queries below.
1. How can I use the ISP2 pool for user traffic?
2. The default route on the ASA should point to which ISP?
Regards,
06-20-2013 07:03 AM
Hi Parvez,
The ASA, being a stateful unit, is not designed to do load balancing of traffic between two ISPs.
However, we have a workaround with which we can redirect some port-based traffic over the second ISP link.
Please refer to the following link for further information.
https://supportforums.cisco.com/docs/DOC-15622
----------
Moreover, there is no documentation that would explain the above in detail.
We can always do destination-based routing using the second ISP.
The following would be the configuration commands in this scenario:
nat (inside) 1 0 0
global (ISP1) 1 interface
global (ISP2) 1 interface
route ISP1 128.1.1.0 255.255.255.0 1.1.1.2
route ISP2 0.0.0.0 0.0.0.0 2.2.2.2
The first creates a route that sends addresses in 128.1.1.0 255.255.255.0 (a known destination) to 1.1.1.2 of ISP1.
The second creates a default route that sends unknown destinations to 2.2.2.2 of ISP2.
Note: This will route traffic based on the destination IP address. As I mentioned, the ASA is not a packet shaper.
Regards,
Jesu Kumar Bose
Engineer-Customer Support(SECURITY)
Cisco Systems Inc.
E-Mail : jebose@cisco.com
06-21-2013 10:04 AM
Hi Pervez,
With reference to your email,
could you please answer the following questions?
1. ISP1 will be used for servers. Servers are in the subnet of 10.10.10.0/24.
Q1. Are we referring to incoming connections for these servers?
2. ISP2 will be used for the users. Users are in the subnet of 10.10.20.0/24
Q2. Is it OK to include common ports only for users, like 443/80/25/110?
Possible configuration
Please let me know if that fulfills the requirement then I can provide a sample config depending on your requirement.
Regards,
Jesu Kumar Bose
Engineer-Customer Support(SECURITY)
Cisco Systems Inc.
E-Mail : jebose@cisco.com
06-20-2013 08:11 AM
Which version of IOS are you running on that ASA? If you are running 8.3 and above you can do something like this:
ISP 1 for the servers, so you can set up a NAT for the servers to ISP1's range:
! dynamic NAT (PAT) for the whole server subnet
object network Servers_ISP1_Pat
 subnet 10.10.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
exit
! static mappings for individual servers
object network WebServer
 host 10.10.10.10
 nat (inside,outside) static 100.100.100.10
exit
object network EMailServer
 host 10.10.10.11
 nat (inside,outside) static 100.100.100.11
---------------------------------------------------------------------------------------------
Now for the users and ISP 2
You can do something like this:
object network User_ISP2_Pat
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
OR
 nat (inside,outside) dynamic 200.200.200.10
! use the second form if you want a different mapped IP
Certainly you'll need to have the default routes in place as well. I was able to accomplish this pretty well with two ASAs and L3 switches, but I'm certain you can get it working this way too. You might have to tweak the settings a bit depending on your environment. Don't copy and paste the commands that I typed in there; use them as a reference only, please, and test it out before you put it in production. Simple thing to remember: don't do anything you can't undo.
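As an added illustration (not any poster's own config), here is the 8.3+ object NAT approach above assembled for the exact scenario in the question: the interface names and addresses come from the question, the two server hosts and their mapped addresses follow the reply above, and the inside next hop toward the server subnet, the ISP2 gateway and the published ports (www, smtp) are placeholders or assumptions the thread does not give.

```cisco
! Interfaces as given in the question
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.10.20.20 255.255.255.0
interface GigabitEthernet0/1
 nameif Outside1
 security-level 0
 ip address 100.100.100.1 255.255.255.128
interface GigabitEthernet0/2
 nameif Outside2
 security-level 0
 ip address 200.200.200.1 255.255.255.128
!
! Servers (10.10.10.0/24) sit behind an inside router; the next hop is an assumption
route inside 10.10.10.0 255.255.255.0 <INSIDE_NEXT_HOP> 1
!
! Static NAT for the servers toward ISP1 (hosts/mapped addresses as in the reply above)
object network WebServer
 host 10.10.10.10
 nat (inside,Outside1) static 100.100.100.10
object network EMailServer
 host 10.10.10.11
 nat (inside,Outside1) static 100.100.100.11
!
! Expose only the published ports from ISP1; everything else stays denied (example ports)
access-list Outside1_in extended permit tcp any object WebServer eq www
access-list Outside1_in extended permit tcp any object EMailServer eq smtp
access-group Outside1_in in interface Outside1
!
! User traffic (the proxy at 10.10.20.10 is the only real source) leaves via ISP2
! using the pool; .1 is the interface itself, so the pool object starts at .2.
! "interface" at the end falls back to interface PAT if the pool is exhausted.
object network ISP2_Pool
 range 200.200.200.2 200.200.200.100
object network Users
 subnet 10.10.20.0 255.255.255.0
 nat (inside,Outside2) dynamic ISP2_Pool interface
!
! Default route toward ISP2 (the users' ISP); add specific routes via Outside1 for any
! destinations that must be reached through ISP1, as in the first reply
route Outside2 0.0.0.0 0.0.0.0 <ISP2_GATEWAY> 1
```

Static object NAT rules are evaluated before dynamic ones, so the server mappings take effect even though the user rule covers a wider range of real addresses.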