08-14-2013 12:31 AM - edited 03-11-2019 07:25 PM
Hi,
We do have a Cisco ASA 5515-X with us; we are terminating two ISPs on it, and have also configured VLAN-based traffic separation on both ISPs (a load balancing kind of thing).
Just want to know what all parameters need to be taken into consideration in the configuration.
Thanks in advance
Regards;
Anil.
08-14-2013 12:37 AM
Hi,
So are you saying that you want to use both ISP links at the same time?
If I am not totally wrong, there is no official way Cisco would recommend doing this. The only setup I think they support is using the other ISP as backup which only activates when the primary ISP fails.
Naturally when the ASA is virtualized into Multiple Context mode then you can use different ISPs for different Security Contexts.
An unofficial way of utilizing both ISPs would be to use the NAT configurations on the ASA to separate certain subnets'/hosts' traffic to a certain ISP link.
- Jouni
08-14-2013 01:49 AM
Thanks for the reply,
Yes, we want to utilise both links simultaneously, but here traffic separation would be VLAN-based.
I think it has to work. Just require guidelines.
Anil
08-14-2013 03:24 AM
Hi,
The problem with this kind of setup, if you are going to do it with a single ASA that is NOT virtualized, is the fact that Cisco doesn't officially support this.
So I doubt you will be able to find a guide for this from Cisco.
However, to give you an example of what I have tested briefly for users here on the Cisco Support Community:
Let's say we have this situation
Let's then presume the following base information for the ASA
Then the very basic configurations (not all) should look something like this
INTERFACE CONFIGURATIONS

interface GigabitEthernet0/0
 description ISP-1
 nameif ISP-1
 security-level 0
 ip address 1.1.1.2 255.255.255.248
interface GigabitEthernet0/1
 description ISP-2
 nameif ISP-2
 security-level 0
 ip address 2.2.2.2 255.255.255.248
interface GigabitEthernet0/2
 description LAN1
 nameif LAN1
 security-level 100
 ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/3
 description LAN2
 nameif LAN2
 security-level 100
 ip address 10.10.20.1 255.255.255.0
interface GigabitEthernet0/4
 description DMZ1
 nameif DMZ1
 security-level 50
 ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/5
 description DMZ2
 nameif DMZ2
 security-level 50
 ip address 192.168.20.1 255.255.255.0

DEFAULT ROUTES

route ISP-1 0.0.0.0 0.0.0.0 1.1.1.1 1
route ISP-2 0.0.0.0 0.0.0.0 2.2.2.1 254

OBJECTS FOR NAT

object network LAN1
 subnet 10.10.10.0 255.255.255.0
object network LAN2
 subnet 10.10.20.0 255.255.255.0
object network DMZ1
 subnet 192.168.10.0 255.255.255.0
object network DMZ2
 subnet 192.168.20.0 255.255.255.0
object network ANY-0.0.0.0-1
 subnet 0.0.0.0 128.0.0.0
object network ANY-128.0.0.0-1
 subnet 128.0.0.0 128.0.0.0
object-group network ALL
 network-object object ANY-0.0.0.0-1
 network-object object ANY-128.0.0.0-1

BASIC NAT CONFIGURATIONS

nat (LAN1,DMZ1) source static LAN1 LAN1 destination static DMZ1 DMZ1 description LAN1 to DMZ1 traffic UNNATED
nat (LAN2,DMZ2) source static LAN2 LAN2 destination static DMZ2 DMZ2 description LAN2 to DMZ2 traffic UNNATED
nat (LAN1,ISP-1) source dynamic LAN1 interface destination static ALL ALL description Default PAT for LAN1 ISP-1 traffic
nat (DMZ1,ISP-1) source dynamic DMZ1 interface destination static ALL ALL description Default PAT for DMZ1 ISP-1 traffic
nat (LAN2,ISP-2) source dynamic LAN2 interface destination static ALL ALL description Default PAT for LAN2 to ISP-2
nat (DMZ2,ISP-2) source dynamic DMZ2 interface destination static ALL ALL description Default PAT for DMZ2 to ISP-2
The VERY VERY IMPORTANT thing to notice with configuring such a NAT is that the NAT order will be playing an even bigger role than in a normal user's ASA configuration.
You will be essentially configuring all NAT configurations as Manual NAT in Section 1
So let's say you needed to add Static NAT for servers; then those configurations would be added between the LAN -> DMZ and LAN/DMZ -> ISP NAT configurations. If they were simply added without ordering numbers then the Dynamic PAT configuration would override them.
So as you might see, this will create a configuration that will require a lot more careful consideration when creating rules.
As it's not an officially supported way of accomplishing this from Cisco, you might also be more likely to run into problems with the NAT configurations.
I will also have to say that this is not something that I have used in a production environment either, just briefly tested. Also I wrote this all out of my head so it might contain some typos or errors.
Hope this helps though
Please do remember to mark a reply as the correct answer if it answered your question.
Also feel free to ask more if needed
- Jouni
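As an added illustration of the ordering point in the reply above (this is not Jouni's configuration, and the server, public address and test source are constructed values; it assumes the interface, object and NAT lines from the post are already present), here is how a Static NAT for a DMZ1 server would be slotted into Section 1 in front of the Dynamic PAT rules, plus the checks to confirm the placement:

```cisco
! Added example, not part of the original reply.
! Constructed values: web server 192.168.10.10 in DMZ1, spare public
! address 1.1.1.3 from the ISP-1 /29, test source 203.0.113.5.
object network WEB-SRV
 host 192.168.10.10
object network WEB-SRV-PUB
 host 1.1.1.3
!
! Section 1 (Manual NAT) is first-match, top to bottom. The post's two
! LAN<->DMZ identity rules occupy lines 1-2 and the four Dynamic PAT rules
! lines 3-6, so the Static NAT is inserted explicitly as line 3; the PAT
! rules shift down to lines 4-7.
nat (DMZ1,ISP-1) 3 source static WEB-SRV WEB-SRV-PUB description Static NAT WEB-SRV via ISP-1
!
! The same command without the "3" would be appended to the END of
! Section 1, behind "nat (DMZ1,ISP-1) source dynamic DMZ1 interface ...",
! which already matches the server's outbound traffic, so the server
! would be translated to the ISP-1 interface address instead of 1.1.1.3.
!
! Inbound access is still needed; post-8.3 ACLs reference the real IP.
access-list ISP-1-IN extended permit tcp any object WEB-SRV eq www
access-group ISP-1-IN in interface ISP-1
!
! Checks:
!  "show nat" lists Section 1 rules in evaluation order; the Static NAT
!  must appear above the DMZ1 Dynamic PAT rule.
!  packet-tracer simulates an inbound connection to the public address and
!  must show the NAT phase hitting the WEB-SRV rule with 192.168.10.10 as
!  the untranslated destination, then the ACL permitting it.
show nat
packet-tracer input ISP-1 tcp 203.0.113.5 40000 1.1.1.3 80
```

Run the same packet-tracer from DMZ1 towards an Internet address (source 192.168.10.10) to confirm the server's outbound traffic is also translated to 1.1.1.3 rather than to the interface address.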
08-14-2013 03:37 AM
Corrected typo in the other "route" command
- Jouni
06-07-2014 05:08 PM
Thanks for testing this for users. I wanted to give your 5 stars but for some reason it does not allow me to go beyond 2. Any reason?