Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
406
Views
0
Helpful
2
Replies

Cisco ASA 5555X - Multiple ISPs and configuration

Jon Are Endrerud
Level 3
Level 3

‎12-14-2015 06:31 AM - edited ‎03-12-2019 06:09 PM

I've just started consolidation of a 5512x with one ISP and a 5550 with another ISP. The configuration is dumped on a 5555X with FW 9.2(3)4, which then will have 2 ISPs.

To make the migration day easy I want to use both ISPs for VPN/IPSec and internett traffic, both to and from the outside/inside. I thought there might be some functionality for this, but now Im not so sure. 

Previously I have had some experience using NAT to select the egress interface, but after learning that Cisco suddenly started to remove this functionality in some FW's I started using routing instead. But in the case of two ISPs, there will be two 0.0.0.0 routes, and I dont see how this could work. Also checked out the "track" funtion on routes, but this applies to a primary/secondary backup scenario.

The other posts on the subject are 2-3 years old, and Im wondering if someone can point in the right direction with the current FW releases and this scenario.

Thanx

Jon Are

Please rate as helpful, if that would be the case. Thanx
Labels:
0 Helpful
2 Replies 2

Maykol Rojas
Cisco Employee
Cisco Employee

‎12-14-2015 10:12 AM

Hi; 

So in the old 5500 series you could control the outbound interface only if the connection was initiated from outside, the the connection would remain through that interface. 

You can do the same thing here, of course with different syntax and new rules, or you can also configure now (depending on the version) PBR or policy base routing to select the outbound interface without the need to have NAT to help you do it. 

Mike. 

Mike
0 Helpful

Jon Are Endrerud
Level 3
Level 3
In response to Maykol Rojas

‎12-15-2015 04:34 AM

When using PBR you still need to define "destination". Lets say I have two inside interfaces, can I just use NAT with "Dynamic PAT(hide)" to send internett traffic to a selected outside interface ? This was possible with some of the 9.x.x fw, but not any longer. It will always check the routing table, even when "route-lookup" in unchecked state. This look like a support ticked for Cisco, really annoying that they took away these NAT functions.

Please rate as helpful, if that would be the case. Thanx
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card