Dual Homed ASA?

Nay-Sayer
Level 1

We have an Active/Standby pair of ASA5520 devices connected to the core with a /27 public IP address. We also have an Active/Standby pair of ASA5525-X devices connected to the core with a /28 public IP address. The default route from the core goes out the ASA5520 devices. The ASA5525-X devices handle remote access users and P2P VPN links to remote sites. There are services on our private network that are accessed publicly from both sets of ASAs. We would like to retire the ASA5520 devices. However, the ISP who provides us with the /27 IP space refuses to allocate more IPv4 addresses. As such, we don't have enough public IP addresses in our /28 IP address space to accommodate all the services we provide on the /27 public IP address space along with the existing services already provided using the /27 IP address space. How can we go about properly setting up the ASA5525-X devices dual homed with both of our current ISPs and external facing services?

Thanks

4 Replies

Philip D'Ath
VIP Alumni

If the address space is from the same ISP - can you not just ask them to route the existing /27 down your /28?


@Philip D'Ath wrote:

If the address space is from the same ISP - can you not just ask them to route the existing /27 down your /28?



The /27 is from AT&T, the /28 is from Windstream.

I have done this before, but it can be a bit nasty sometimes.

Configure two outside interfaces, outside-att and outside-windstream.  Then use policy routing to decide which outside interface to use.

For example, traffic from a public DMZ in the /27 goes out the ISP link that it belongs to.
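
The two-outside-interface, policy-routed layout described in the reply above, as an added example that is not part of the original thread. It assumes ASA software 9.4(1) or later (where policy-based routing is available); every address, the dmz-att interface, the 10.0.0.0/8 inside range, and the ACL, object and route-map names are constructed for illustration.

```cisco
! Added example. Constructed values (not from the thread):
!   AT&T /27       = 192.0.2.0/27,    ISP gateway 192.0.2.1
!   Windstream /28 = 198.51.100.0/28, ISP gateway 198.51.100.1
!   dmz-att        = 10.10.27.0/24, servers published on AT&T addresses
!   inside ranges  = 10.0.0.0/8 (hypothetical)
interface GigabitEthernet0/0
 nameif outside-windstream
 security-level 0
 ip address 198.51.100.2 255.255.255.240 standby 198.51.100.3
!
interface GigabitEthernet0/1
 nameif outside-att
 security-level 0
 ip address 192.0.2.2 255.255.255.224 standby 192.0.2.3
!
! Policy routing is applied on the interface where DMZ traffic enters
interface GigabitEthernet0/2
 nameif dmz-att
 security-level 50
 ip address 10.10.27.1 255.255.255.0 standby 10.10.27.2
 policy-route route-map PBR-DMZ-ATT
!
! Default route stays on Windstream; a second default with a higher
! metric points at the AT&T gateway
route outside-windstream 0.0.0.0 0.0.0.0 198.51.100.1 1
route outside-att 0.0.0.0 0.0.0.0 192.0.2.1 254
!
! DMZ traffic to inside ranges is excluded from policy routing;
! everything else sourced from the DMZ is matched
access-list PBR-ATT-SRC extended deny ip 10.10.27.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list PBR-ATT-SRC extended permit ip 10.10.27.0 255.255.255.0 any
!
route-map PBR-DMZ-ATT permit 10
 match ip address PBR-ATT-SRC
 set ip next-hop 192.0.2.1
!
! One published server: static NAT to an address in the AT&T /27
object network WEB1
 host 10.10.27.10
 nat (dmz-att,outside-att) static 192.0.2.10
!
! Inbound rule on the AT&T interface limited to the published service
access-list OUTSIDE-ATT-IN extended permit tcp any object WEB1 eq https
access-group OUTSIDE-ATT-IN in interface outside-att
```

Running `packet-tracer input dmz-att tcp 10.10.27.10 40000 203.0.113.5 443` on the ASA shows which egress interface is chosen for a DMZ-sourced flow.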


@Philip D'Ath wrote:

I have done this before, but it can be a bit nasty sometimes.

Configure two outside interfaces, outside-att and outside-windstream.  Then use policy routing to decide which outside interface to use.

For example, traffic from a public DMZ in the /27 goes out the ISP link that it belongs to.


In my case, I would move the /27 [AT&T] connection over to the ASA5525-X devices which already have the existing /28 [Windstream] circuit. The default route would go out the Windstream connection. My concern is how to properly route for *incoming* connections from the Outside-ATT interface to services on my private network. Can you give more details on what kind of policy routing I need to do here?
