11-29-2015 02:14 PM - edited 03-11-2019 11:57 PM
Hello,
I want to configure an additional ISP on my ASA firewall. Thereby, I have 2 possible options:
1. Create a unique outside interface in subinterface mode directly connected to the switch. Both ISP routers will be connected to the switch and the interfaces will be created in access mode.
2. Configure 2 outside interfaces directly connected to both ISP routers.
What would be more feasible and more resilient in case of failover?
Thanks,
11-29-2015 08:39 PM
Hi,
The 2nd option will be the best option.
* As both links are from ISPs, each has a different IP address range.
* In future it will be more useful for features like policy-based routing.
* If you are looking for different bandwidth limitations, then this option is a good one.
Please mark as correct answer if this answers your question.
Thanks
Sam
11-30-2015 08:31 AM
I'm not sure if I read option 1) right, but I would choose 1) or a combination of 1) and 2):
If you have enough interfaces on the ASA, then configure two interfaces (outside1 and outside2) and connect them to your switch (or even better to two switches for redundancy). Both interfaces are members of different VLANs. The two provider-routers connect also to the two VLANs.
If you don't have enough ASA interfaces, build two subinterfaces and connect them to a trunk. The rest is the same as above.
If you connect the ASA interfaces directly to the routers, then you lose flexibility. Perhaps you want to add a failover ASA or an additional router at a later time. If there is a switch in between, you can do this without service-interruption. That is not possible if you connect your ASA directly to the routers.
If you can flexibly schedule downtimes and you only have one switch, then I probably would connect the routers directly to have one less single point of failure.
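The subinterface-on-a-trunk layout described in the last reply, sketched as ASA configuration. This is an added example, not part of any post in the thread, and it goes one step beyond the thread by adding SLA route tracking so the default route fails over to the second ISP. The physical interface name, VLAN IDs and all addresses are assumptions (documentation ranges).

```cisco
! Constructed example: interface name, VLAN IDs and addresses are placeholders
interface GigabitEthernet0/0
 description Trunk to switch carrying both ISP VLANs
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/0.101
 description ISP 1 (primary)
 vlan 101
 nameif outside1
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/0.102
 description ISP 2 (backup)
 vlan 102
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.252
!
! Probe the ISP 1 next hop through outside1
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside1
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
!
! Primary default route is withdrawn when the probe fails;
! the floating route (metric 254) via ISP 2 then takes over
route outside1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254
```

Probing only the next-hop router detects a local link failure but not an outage further inside the ISP, so a stable target beyond the router is usually a better probe address. NAT rules and access lists written for outside1 need equivalents on outside2, otherwise traffic fails over into a path with no translation or a different filtering policy.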