I’m designing a solution for redundancy and there are a couple of ways to accomplish this. The age-old method (without EBGP) is to put an IOS router in front of the ASA that uses NAT, PBR and IP SLA to manage two internet connections with fail-over (and once this is complete I also plan to use HSRP with an identical router standing by). There is a commercial fiber connection (with static IP net blocks) and a much faster PON (Passive Optical Network) that uses DHCP.
The latest ASA software also includes PBR and IP SLA (and obviously NAT), but still with more primitive capabilities than IOS. At this point my “plan” is to use the router IOS methods, which will yield a new pool of RFC1918 addresses that will be very redundant (goal: a failure of one ISP link or a router should go unnoticed for the most part).
The problem is that there are inbound connections for things like AnyConnect and a few web-based services (like Bomgar) which have to stay off the PON due to its changing external IP address. The only way I can see to accomplish all my goals is to use a combination of the fail-over and redundancy of both IOS and the ASA (which adds a fair bit of complexity for the next guy or gal that has to work on this): most normal Internet traffic will be directed to the faster PON, with VPN and other services that require a static IP routed through the other link.
The Cisco TAC document (ID: 118962) Configure the ASA for Redundant or Backup ISP Links says: “As described in this document, this setup might not be suitable for inbound access to resources behind the ASA. Advanced networking skills are required in order to achieve seamless inbound connections. These skills are not covered in this document.” Personally (after working with Cisco routers since they were invented) I find that pretty unhelpful and counterproductive :) I translate that to mean “the solution we are showing you here isn’t complete and doesn’t actually completely work”.
I’d be really interested to hear from anyone who has done this sort of thing with an ASA and/or Cisco IOS router how you accomplished it. Currently I’m having trouble locating examples of how to route all AnyConnect traffic using PBR, or a solution for that, so any suggestions or examples are much appreciated.
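The IOS-in-front-of-the-ASA design described in the post, written out as an added example (not the poster's configuration or Cisco's document): general traffic prefers the DHCP PON link, ASA-sourced traffic (AnyConnect, Bomgar) is policy-routed out the static fiber link, and IP SLA tracking withdraws whichever default route loses upstream reachability. Interface names and all addresses are placeholders, and it assumes an IOS/IOS-XE image with IP SLA, object tracking, the DHCP-client route-tracking options and route-map NAT.

```cisco
! Constructed example; placeholders: fiber static block 203.0.113.0/29 (gateway
! 203.0.113.1), PON address and gateway learned via DHCP, ASA outside = 10.0.0.2
! on transit net 10.0.0.0/24, 198.51.100.1 = a stable upstream host used as probe target
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
interface GigabitEthernet0/1
 ip address dhcp
 ip dhcp client default-router distance 10
 ip dhcp client route track 2
 ip nat outside
interface GigabitEthernet0/2
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip policy route-map PBR-INSIDE
! Reachability probes: fiber pings its own gateway, PON pings a far target
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
! Pin the PON probe to the DHCP gateway so it cannot leak out the fiber link
ip access-list extended PROBE-PON
 permit icmp any host 198.51.100.1
route-map LOCAL-PROBES permit 10
 match ip address PROBE-PON
 set ip next-hop dynamic dhcp
ip local policy route-map LOCAL-PROBES
! Default route: PON (AD 10, withdrawn when track 2 fails), fiber as fallback (AD 20)
ip route 0.0.0.0 0.0.0.0 203.0.113.1 20 track 1
! ASA-sourced traffic (AnyConnect, Bomgar) always leaves via fiber while track 1 is up
ip access-list extended ASA-OUTSIDE
 permit ip host 10.0.0.2 any
route-map PBR-INSIDE permit 10
 match ip address ASA-OUTSIDE
 set ip next-hop verify-availability 203.0.113.1 10 track 1
! NAT chosen by egress interface; the ASA keeps a fixed public address on fiber
route-map NAT-FIBER permit 10
 match interface GigabitEthernet0/0
route-map NAT-PON permit 10
 match interface GigabitEthernet0/1
ip nat inside source static 10.0.0.2 203.0.113.3 route-map NAT-FIBER
ip nat inside source route-map NAT-FIBER interface GigabitEthernet0/0 overload
ip nat inside source route-map NAT-PON interface GigabitEthernet0/1 overload
```

Existing NAT translation entries are not flushed when the default route moves, so sessions set up before a fail-over keep their old translation until they time out. When fiber is down the PBR entry simply stops applying and ASA traffic follows the routing table out the PON, so the static-IP services are unreachable for exactly as long as that link is.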