Can the ASA 5505 support two external links with traffic being routed to both links at the same time?

camilorgct
Level 1

Hello all,

Do you know if the ASA 5505 will allow the addition of a 2nd external link to its configuration?

I know the device is capable of Redundant or Backup ISP Links, but that’s not what I need. I will have two different links for two different purposes.

Currently we are using the ASA 5505 just for Internet access, so only the ISP link is connected, very basic configuration.

We are planning a connection to a client’s global (MPLS) network and we need to be protected against any traffic coming from that network, ergo we need to use a firewall for connection to that external link.

Now with the final configuration the Internet traffic must keep being routed to the ISP link, and some other traffic must be routed to the new external link.

Question: Can the ASA 5505 be configured for this scenario?

If the answer is no, I’m guessing the solution is the ASA 5510, correct?

Thanks in advance.

Accepted Solutions

Julio Carvajal
VIP Alumni

Hello Camilo,

You can have 2 different outside interfaces up and running as long as they are routing to different destinations. So, as an example:

The outside interface routing to 0.0.0.0 0.0.0.0

The MPLS interface routing to several defined subnets: 192.168.12.0/24, 192.168.13.0/24, etc.

So if that is the case, it will work with no problem. Now, if you do not know the destination on both sides and you want to use (0.0.0.0 0.0.0.0), it will not work on any ASA device so far, as they do not support PBR or load balancing.

Any other questions? Sure. Just remember to rate all of my answers.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Could you please point me to an article/discussion where I can find the configuration for this scenario?

lcambron
Level 3

Hello Camilo,

The issue with the firewall is that it can have only one default route in its routing table at a time.

So you can use two external links but have only one default route; the second one can be active, but you will need static routes.

Meaning if you know the destination network on the second link, then you can add a route and have both links active passing traffic. The issue comes when you don't know the destination network; for example, if you want to use both links for Internet access, this won't work.

One more thing: the same applies to the 5505, 5510, etc.

Let me know if you have any questions.

Regards,

Felipe.

camilorgct
Level 1

Can anybody please point me to an article/discussion where I can find the configuration for this scenario?

or where at least they have discussed this kind of configuration?

Thanks.

Hello Camilo,

It's a simple scenario.

If you already know how to configure an interface of the ASA, you will be able to do this.

You will create 2 different interfaces, regular stuff.

Then create the right NAT rules, if needed, for both interfaces.

Finally, configure the routing as I did in my first reply:

route outside 0 0 x.x.x.x

route MPLS 192.168.12.0 255.255.255.0 y.y.y.y

Any other questions? Sure. Just remember to rate all of my answers.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
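
The steps in the reply above, put together as one ASA 5505 configuration sketch; this is an added example, not configuration posted by anyone in the thread. Assumptions: all addresses are constructed (RFC 1918 / RFC 5737 ranges), the VLAN and port numbers and the ACL name MPLS_IN are hypothetical, the unit has a license that allows a third fully functional VLAN, and NAT is left out because its syntax depends on the software version.

```cisco
! Constructed addresses and hypothetical VLAN/port numbers; replace with real values.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Second external link. Same security level as outside, so the two
! external interfaces cannot pass traffic to each other by default.
interface Vlan3
 nameif MPLS
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
! Only one default route: Internet traffic leaves through the ISP link.
route outside 0.0.0.0 0.0.0.0 203.0.113.1
! Known client subnets are reached through the MPLS link (more specific routes win).
route MPLS 192.168.12.0 255.255.255.0 198.51.100.1
route MPLS 192.168.13.0 255.255.255.0 198.51.100.1
!
! Connections initiated from the MPLS side are dropped and logged
! (hypothetical ACL name). Replies to inside-initiated sessions still
! pass because the ASA is stateful.
access-list MPLS_IN extended deny ip any any log
access-group MPLS_IN in interface MPLS
```

After applying it, `show route` should list a single default route on outside and the client subnets on MPLS.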

camilorgct
Level 1

Do I need a Security Plus license for this configuration?

Hello Camilo,

As you know, with a base license you will only support 2 VLAN interfaces and semi-support a third one.

So for full connectivity, full access as your network deserves, YES, you need it.

Remember to rate the answers of the forum. That does not hurt anyone.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC