Dual isp scenario- asa 5505

anand kumar
Level 1


Hi ,

I want to configure dual ISP on an ASA 5505 with no Security Plus license, but I am not able

to configure it, as the two interfaces are not taking two different IP addresses, and

with outside VLAN 2 on the internet, I am not able to configure the sub-interface.


Julio Carvajal
VIP Alumni

Hello Anand,

Due to the VLAN-count restriction, you will not be able to make it happen.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


Hi Carvajal,

But with the Base license on my other ASA 5510, I am able to do the config below, so I want to clarify whether I will be able to

replicate the same for my backup ISP link as for the DMZ interface below.

interface Ethernet0/0
description Inside Network SIG1CORE01 f0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.131.91.1 255.255.255.0
!
interface Ethernet0/1
description connection to Sintel 4 Mbps via SIG1ED01
speed 100
duplex full
nameif outside
security-level 0
ip address 203.125.90.194 255.255.255.240
!
interface Ethernet0/2
description STATE Failover Interface
no nameif
no security-level
no ip address
!
interface Ethernet0/3
description DMZ
speed 100
duplex full
no nameif
no security-level
no ip address
!
interface Ethernet0/3.1
description DMZ management SIG1ED F0/3
vlan 51
nameif DMZ_MGMT
security-level 50
ip address 10.131.51.254 255.255.255.0
!
interface Management0/0
description LAN Failover Interface
no nameif
no security-level
no ip address

Hello Anand,

Are we going to use a 5510 or a 5505?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

It's a 5505, so it will not support that?

If so, what will be the cost difference between the 50-user VPN license and the Security Plus license

for the ASA 5505 to support this VLAN or sub-interface feature?

Hello Anand,

Actually, I have been thinking about it, and it should work.

If you have a 5505 Base license you will have a 3-VLAN restriction.

This means the third VLAN will only be able to contact one other VLAN.

So if you create VLAN 1 inside and VLAN 2 outside (those two will be able to exchange data between each other with no issues),

the third VLAN (backup) is restricted (it will only be able to initiate traffic to one interface).

So based on that, the third VLAN will need to be able to access inside, so you should be good.

Hope this helps.

Any other questions? Just remember to rate all of the helpful posts.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

So you mean to say that the config below will work, but will the backup ISP be providing the internet for remote VPN users in

case of primary link failure?

I will test this and let you know. Thanks for the support and all.
-------------
interface Ethernet0/0
switchport access vlan 3
shutdown
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.91 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 115.109.194.203 255.255.255.224
!
interface Vlan3
no forward interface Vlan1
nameif Active
security-level 0
ip address 183.82.2.9 255.255.224.0

Thanks
Anand

Hello Anand,

Yes, it will, as long as you have SLA monitoring and two crypto maps configured (one on each VLAN).

Let me know if you understand.

Regards,

Any other questions? Just remember to rate all of the helpful posts.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

I'd like to find out if this worked for you with only the Base License. Thanks.

No, it is not. We have to get Security Plus.

Hi,

Thanks for the reply. That's too bad.

Sorry if this sounds totally crazy, but thinking out loud, I thought of an interesting way to accomplish this with only two VLANs without using the Sec+ license. Can someone tell me if this could work?

If:

1. The ASA uses private addressing (between the outside interface and the inside interfaces of the ISP routers)

2. The ASA connects to two separate routers for the two ISPs

3. Both ISPs' routers are attached to the same "outside" VLAN on the ASA

4. Both ISPs' routers do the required NAT for user traffic

5. The inside clients are on the "inside" VLAN

You can use two default routes combined with separate interface tracking per route.

i.e.

ip route 0.0.0.0 0.0.0.0 (ip of 1st ISP gateway) track 1

ip route 0.0.0.0 0.0.0.0 (ip of 2nd ISP gateway) track 2

Appropriate track 1 and track 2 statements, only tracking IPs which are available within each ISP and not available via both ISPs.

And lastly, an outside-to-outside deny ACL preventing the two ISP routers from talking to each other.

The result is that the inside network usually talks to the primary ISP, but in the event the tracking takes effect, the inside network talks through the 2nd ISP via the secondary floating static route.

In my head, it sounds like it would work. I'm curious what others think, and whether anyone has tried this.
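The single-outside-VLAN design in the post above, written out in ASA syntax as an added example (not the poster's or Cisco's own config). All addresses are constructed placeholders from documentation ranges, the interface is assumed to be named outside, and the ACL name outside_in is assumed; the host routes for the probe targets are the check a practitioner needs, because without them the second probe follows the primary default route and never actually tests ISP2.

```cisco
! Added example, not from the thread. Placeholder addressing:
!   ISP1 gateway 203.0.113.1, probe target 203.0.113.53 (reachable only via ISP1)
!   ISP2 gateway 198.51.100.1, probe target 198.51.100.53 (reachable only via ISP2)
!
! Probe 1: ICMP echo to a host that only ISP1 can reach
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.53 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
! Probe 2: ICMP echo to a host that only ISP2 can reach
sla monitor 2
 type echo protocol ipIcmpEcho 198.51.100.53 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 2 life forever start-time now
track 2 rtr 2 reachability
!
! Host routes pin each probe to its own ISP gateway. Without these, probe 2
! would follow the primary default route and report ISP1's health, not ISP2's.
route outside 203.0.113.53 255.255.255.255 203.0.113.1 1
route outside 198.51.100.53 255.255.255.255 198.51.100.1 1
!
! Two tracked default routes on the same outside interface; the primary has
! the lower metric. Note the ASA form is "route <ifname> ...", not IOS "ip route".
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside 0.0.0.0 0.0.0.0 198.51.100.1 254 track 2
!
! The poster's outside-to-outside deny. The ASA already refuses to forward a
! packet back out the interface it arrived on unless
! "same-security-traffic permit intra-interface" is set, so this is defence in
! depth; merge these lines into whatever inbound ACL the outside interface uses.
access-list outside_in extended deny ip host 203.0.113.1 host 198.51.100.1
access-list outside_in extended deny ip host 198.51.100.1 host 203.0.113.1
access-group outside_in in interface outside
```

Verify the failover with "show sla monitor operational-state" and "show route" after pulling the ISP1 uplink: the metric-1 default should disappear and the metric-254 one take over.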
