03-23-2007 07:42 AM - edited 03-11-2019 02:51 AM
Dual ISP Setup
How can an ASA5510 be used to connect a network to the Internet using dual ISPs?
The Parameters:
DSL Circuit to ISP 1 (5.5.5.0/255.255.255.0)
T1 circuit to ISP 2 (7.7.7.0/255.255.255.0)
Internal network with non-routable address space (10.10.10.0/255.255.255.0).
No BGP
The goals are:
a) is to be able to load balance across the two connections
b) to be able to connect from the outside using both connections (VPN to each external interface independently).
Yes. I know.. there are other posts. I've already read all the other ones on the subject and still don't have a satisfactory answer.
Right now, the setup is as follows:
interface Ethernet0/0
 nameif DSL
 security-level 0
 ip address 5.5.5.1 255.255.255.0
interface Ethernet0/1
 nameif TEE
 security-level 0
 ip address 7.7.7.1 255.255.255.0
interface Ethernet0/2
 nameif internal
 security-level 50
 ip address 10.10.10.1 255.255.255.0
! PAT the internal /24 to the address of whichever outside interface the default route currently uses
global (DSL) 30 interface
global (TEE) 30 interface
nat (internal) 30 10.10.10.0 255.255.255.0
The next hop gateway for the DSL circuit is 5.5.5.10
The next hop gateway for the T1 ISP is 7.7.7.10
When the route is as follows:
route DSL 0.0.0.0 0.0.0.0 5.5.5.10 1
Then the connections are NAT'ed and routed out of the DSL interface.
When the route is as follows:
route TEE 0.0.0.0 0.0.0.0 7.7.7.10 1
Then the connections are NAT'ed and routed out of the T1 interface.
I've put the ISPs on separate interfaces so that the NAT functionality can switch over correctly.
When the route is switched to DSL, NAT changes to using the DSL IP. When the route is changed to the T1, NAT changes to use the T1 IP.
As most know, the problem is that two default routes cannot be defined on the ASA. So one has to choose between one circuit or the other. Route tracking can also be set up for failover. But that doesn't solve the problem.
So the question is, how can this be done?
I've read about some possible solutions, but as I mentioned, nothing seemed definite:
Using OSPF routing?
Multiple context with some load balancing between multiple contexts?
Some sort of fancy arp mechanism?
Having a separate router that can route based on source IP?
Getting a cheapo dual wan router to share the circuits?
Thanks for all replies.
03-23-2007 07:47 AM
Unfortunately, the ASA cannot do load balancing.
However, I believe you must have read about the ISP fallback feature, where one link remains active and the other ISP link acts as a standby link. In case the active link fails, the standby link starts passing the traffic. So there's bare minimum disruption of service.
Here's a link which explains ISP fallback in detail:
http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
The major issue here is source-based routing, which is not supported by PIX/ASA.
For the Internet traffic, we need to set up a default route:
route outside 0 0 1.1.1.1
considering 1.1.1.1 as the default gateway.
So all the traffic will be sent to this default gateway.
We cannot tell the firewall, let's say:
to send the traffic to the isp1 interface when the source is vlan1,
and to send the traffic to the isp2 interface when the source is vlan2.
So even if you create two VLANs on the inside and divide the internal traffic to go to two different ISP links, it'll not be a viable option, as the ASA only understands destination-based routes. As the destination is Internet traffic, a common segment on the two ISP links, we get a route conflict.
The only viable option is to configure active/active failover with two ISP links. Configure two contexts on the ASAs. Let's say:
ON ASA1: context A would be the active / context B would be standby.
ON ASA2: context B would be the active / context A would be standby.
So by this you can send the traffic from vlan1 through context A,
and the traffic from vlan2 through context B.
Here are a few links which explain configuring active/active failover (multiple context) in detail:
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/general/contexts.htm (Multiple context general)
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/general/mngcntxt.htm (Adding and managing security contexts)
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/general/failover.htm#wp1096075 (Configuring active/active failover)
hth
sushil
cisco tac
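The tracked-route fallback sushil refers to, written out for the interfaces, subnets and next hops given in the original post. This is an added example, not configuration from the thread; it assumes ASA 7.2 or later and that the DSL gateway 5.5.5.10 answers ICMP.

```cisco
! Added example (not from the thread): ISP fallback with route tracking
! on the poster's ASA 5510, using the interface names, subnets and next
! hops from the original post. Requires ASA 7.2 or later.
!
! Probe the DSL next hop with ICMP every 3 seconds, sourced from the DSL
! interface. Probing only the gateway detects a dead link, not an outage
! further inside the ISP; to probe a host beyond the gateway, add a host
! route for it via 5.5.5.10 so the probe always leaves through DSL.
sla monitor 1
 type echo protocol ipIcmpEcho 5.5.5.10 interface DSL
 num-packets 3
 frequency 3
sla monitor schedule 1 life forever start-time now
!
! Track object 1 follows the reachability state of SLA probe 1.
track 1 rtr 1 reachability
!
! Primary default route via DSL stays in the routing table only while
! track 1 is up.
route DSL 0.0.0.0 0.0.0.0 5.5.5.10 1 track 1
! Backup default route via the T1 with a worse metric; it is used once
! the tracked route is withdrawn and is replaced when DSL recovers.
route TEE 0.0.0.0 0.0.0.0 7.7.7.10 254
!
! PAT to whichever outside interface the active default route uses
! (same global/nat pair as the original post, mask matched to the /24).
global (DSL) 30 interface
global (TEE) 30 interface
nat (internal) 30 10.10.10.0 255.255.255.0
```

This gives failover only: at any moment all outbound traffic uses one circuit, which is the limitation the thread keeps coming back to.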
09-15-2009 03:19 AM
I've used load balancing with two ISPs.
After my ASA I put two routers, each router attached to an ISP, and the ASA is configured with two default routes.
Everything works out fine, but there are some issues about inbound connections that you have to pay attention to.
03-23-2007 04:19 PM
Options 4 and 5 seem like good choices.
05-19-2009 07:48 AM
So it looks like no one is doing this or it's not possible?
05-23-2009 08:19 AM
The only way to load balance outbound is to have two routes of equal cost. Since you cannot have 2 default routes with equal cost on the ASA, you simply cannot do it.
Failover using the track command is the only option with an ASA at this point in time.
11-05-2009 01:20 PM
Jermey -
I am confused about your statement:
"Since you cannot have 2 default routes with equal cost on the ASA, you simply cannot do it."
In the ASA Configuration Guide
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/route_static.html#wp1121580
it states:
"You can define up to three equal cost default route entries per device. Defining more than one equal cost default route entry causes the traffic sent to the default route to be distributed among the specified gateways. When defining more than one default route, you must specify the same interface for each entry."
11-06-2009 09:57 AM
As people have mentioned, you can't use your ASA to *actively* use both your ISPs at the same time. Your best bet, if you want to use both ISPs, is to purchase a router to stick outside the FW. Once you have a router outside your firewall you will have multiple options to fulfill your requirements.
I run a similar setup where I have a router outside my firewall, and I use a route-map on the router to point traffic to different ISPs depending on the NAT groups the traffic is coming from on the ASA. It works great.
Good luck,
Brandon
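Brandon's approach as an added example (constructed here, not his configuration): an IOS router between a single ASA outside interface and both ISPs routes by the ASA's translated source address. All addressing is assumed and labelled in the comments; the ASA is assumed to PAT 10.10.10.0/25 to 5.5.5.20 and 10.10.10.128/25 to 7.7.7.20 (its two "NAT groups"), so the router only ever sees those two source addresses.

```cisco
! Added example (not Brandon's config): policy-based routing on a router
! placed between one ASA outside interface and both ISPs.
! Assumed addressing (constructed): ASA outside 192.0.2.2/29, router
! Gi0/0 192.0.2.1/29; router Gi0/1 5.5.5.1/24 to ISP 1 (gw 5.5.5.10);
! router Gi0/2 7.7.7.1/24 to ISP 2 (gw 7.7.7.10). The ASA PATs
! 10.10.10.0/25 to 5.5.5.20 and 10.10.10.128/25 to 7.7.7.20.
!
! Classify packets by the ASA's translated source address.
ip access-list extended VIA-ISP1
 permit ip host 5.5.5.20 any
ip access-list extended VIA-ISP2
 permit ip host 7.7.7.20 any
!
! Steer each pool out its own ISP. If the ISP-facing interface is down
! the set clause is skipped and the packet follows the routing table;
! add "set ip next-hop verify-availability" with IP SLA tracking to
! also catch a dead gateway behind an interface that is still up.
route-map PBR-DUAL-ISP permit 10
 match ip address VIA-ISP1
 set ip next-hop 5.5.5.10
route-map PBR-DUAL-ISP permit 20
 match ip address VIA-ISP2
 set ip next-hop 7.7.7.10
!
! Apply the policy on the interface that receives traffic from the ASA.
interface GigabitEthernet0/0
 description Link to ASA outside
 ip address 192.0.2.1 255.255.255.248
 ip policy route-map PBR-DUAL-ISP
!
! Return path: each pool address lies in an ISP-facing subnet, so the
! router needs a host route back to the ASA for it (IOS proxy ARP on
! Gi0/1 and Gi0/2 answers the ISP gateways' ARP requests for them).
ip route 5.5.5.20 255.255.255.255 192.0.2.2
ip route 7.7.7.20 255.255.255.255 192.0.2.2
! Ordinary default for anything the route-map does not match.
ip route 0.0.0.0 0.0.0.0 5.5.5.10
```

Replies to an inbound session that arrived via ISP 2 at 7.7.7.20 carry source 7.7.7.20, match sequence 20 and leave via 7.7.7.10, so sessions stay symmetric; the inbound caveat raised earlier in the thread is that a service reachable only on one pool address is reachable only through that ISP.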
03-09-2011 09:57 AM
The following document might be worth going through:
https://supportforums.cisco.com/docs/DOC-15622
Let me know if that helps.
Regards,
Atri