
How to direct 2 sub networks to 2 different ISPs

ldugueperoux

Hello,

With an ASA 5505, I would like to guide a sub network to an ISP and another sub network to the other ISP.

I have 2 different ISPs.

My major problem is the metric.

I tried with the access-list command to force the way out, but it seems that "metric" is stronger than "access-list".

I don't know how to manage such a lab. Is that possible with an ASA 5505 appliance?

Thanks for your next reply.

++


ldugueperoux

One more piece of information about the ASA 5505: it has a "Security Plus license".

++

As Jon Marshall wrote in his post about ASA limitations, is it because the ASA does not support ISP load balancing that I did not manage to achieve my lab?

I guess yes.

++

Could you please provide the version of ASA that you are running? I am not able to remember the thread, but I was able to provide a test config and it worked, so I would like you to kindly provide me the exact requirements and the version you are using.

Thanks,

Varun

Thanks,
Varun Rao

Thanks for your reply!

Below is the sh ver command result.

About my lab, I have 2 hosts in my LAN => P1 and P2

ip address P1 : 10.0.0.3/24 GW 10.0.0.253

ip address P2 : 10.0.0.5/24 GW 10.0.0.253

GW 10.0.0.253 is the inside interface of the ASA 5505.

I have 2 different ISPs (ISP 1 and ISP 2).

Each ISP has a specific eth on the ASA (no trunk).

Each host has a specific NAT rule to go outside.

I would like P1 to go outside with ISP 1 and P2 to go outside with ISP 2.

I hope that is clear enough. Ask if you need more detail.

ASA-5505# sh ver

Cisco Adaptive Security Appliance Software Version 8.3(1)
Device Manager Version 6.3(1)

Compiled on Thu 04-Mar-10 16:56 by builders
System image file is "disk0:/asa831-k8.bin"
Config file at boot was "startup-config"

ASA-5505 up 14 days 0 hours

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
0: Int: Internal-Data0/0    : address is 503d.e5e5.6308, irq 11
1: Ext: Ethernet0/0         : address is 503d.e5e5.6300, irq 255
2: Ext: Ethernet0/1         : address is 503d.e5e5.6301, irq 255
3: Ext: Ethernet0/2         : address is 503d.e5e5.6302, irq 255
4: Ext: Ethernet0/3         : address is 503d.e5e5.6303, irq 255
5: Ext: Ethernet0/4         : address is 503d.e5e5.6304, irq 255
6: Ext: Ethernet0/5         : address is 503d.e5e5.6305, irq 255
7: Ext: Ethernet0/6         : address is 503d.e5e5.6306, irq 255
8: Ext: Ethernet0/7         : address is 503d.e5e5.6307, irq 255
9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces    : 8              perpetual
VLANs                          : 20             DMZ Unrestricted
Dual ISPs                      : Enabled        perpetual
VLAN Trunk Ports               : 8              perpetual
Inside Hosts                   : Unlimited      perpetual
Failover                       : Active/Standby perpetual
VPN-DES                        : Enabled        perpetual
VPN-3DES-AES                   : Enabled        perpetual
SSL VPN Peers                  : 2              perpetual
Total VPN Peers                : 25             perpetual
Shared License                 : Disabled       perpetual
AnyConnect for Mobile          : Disabled       perpetual
AnyConnect for Cisco VPN Phone : Disabled       perpetual
AnyConnect Essentials          : Disabled       perpetual
Advanced Endpoint Assessment   : Disabled       perpetual
UC Phone Proxy Sessions        : 2              perpetual
Total UC Proxy Sessions        : 2              perpetual
Botnet Traffic Filter          : Disabled       perpetual
Intercompany Media Engine      : Disabled       perpetual

This platform has an ASA 5505 Security Plus license.

I have read a lot over the last 2 days about ASA models.

If the ASA 5505 (Security Plus license) is not able to manage 2 simultaneous ISPs, which Cisco appliance is able to do this?

I also had a problem creating sub interfaces on the ASA 5505, but now it's over:

"an asa5505 uses switchports, vlan interfaces, and switch like commands (such as "switchport access vlan x").

other asa's use subinterfaces - which are then trunked to switches. they use dot1q and are assigned to their vlans using the command "vlan x" in subinterface mode."

Have a nice day ++

It's not really what I want, but it's the only thing I found about my issue.

http://www.networkstraining.com/cisco-asa-5500-dual-isp-connection/

Hi Loic,

Indeed, that's the only thing you can do with the dual ISP. The ASA cannot do load balancing, but you can use the second ISP as a backup connection.

cheers

Adam

Hi Adam,

thank you for your reply.

Which Cisco appliance can support load balancing? I just looked but did not find an answer.

Have a nice day,

Loïc
