
ASA with Load Balancer


I have an ASA 5525 firewall with 3 internet links. Now I am connecting an ISP load balancer before the firewall.

Now all my ISP links are connected --> Load balancer (L3 port) --> firewall --> Local Network.

In this scenario, how will site-to-site VPN work, and how will internal server NAT work? Please share any sample configuration.




It is not a usual setup to connect the ISP to a load balancer, but if this LB belongs to the ISP I don't think you need to worry about the VPN or NAT. They should deliver the traffic to you like they were without the LB.


It's not provided by the ISP. How do we set up the firewall with the LB? If the LB is after the firewall, how will the traffic balance between ISP links?

It all depends on why you put the LB there. What do you want to load balance? It is not because you have an LB that you need to load balance all your traffic. You might have a VIP for some kind of service, right? Will the LB be the gateway for the firewall?

I don't believe there might be a setup for ASA considering an LB in front of it. Actually, it should not change any config you might already have on the ASA but the IP address, because now you are facing an LB and not the ISP directly.

Yes, I want to load balance all internet traffic from the local network.

Yes, the LB is the gateway for the firewall. All ISPs are facing the LB.


Which LB vendor are you using? 

F5 load balancer. Do we need to create sub-interfaces on the firewall for all outside interfaces?

The most common scenario I've seen is:

Firewall <-> Load Balancer <-> Web Servers <->

The BigIP LTM has basically two interfaces: internal, which will face the servers, and external, which will face the gateway, usually a firewall.

Then, you create the VIPs on the LTM and the probes to monitor the servers, and the VIP will be where the firewall sends the traffic. BigIP LTM is capable of creating a MAC address for the VIP.

Basically one static route on the LTM is enough, as the firewall will be the only option. On the firewall it may depend on how many interfaces you have.

But this is for application load balancing, entrance traffic. Usually HTTP servers or RADIUS servers or TACACS servers, etc.

If I understood correctly, you are going to use an LB in front of the firewall, facing the internet. It is not clear to me what your intention is: whether you are looking to load balance traffic coming from the internet to your servers, or you are load balancing exit traffic between different ISPs.

If you can provide a simple diagram, it could be easier to suggest something.

For load balancing with AnyConnect we use a DNS name instead of an IP.
I think it is the same here with S2S VPN:
use the peer hostname instead of an IP.
