07-27-2011 12:38 AM - edited 03-11-2019 02:04 PM
Hello,
With an ASA 5505, I would like to guide a subnetwork to one ISP and another subnetwork to the other ISP.
I have 2 different ISPs.
My major problem is the metric.
I tried with access-list command to force the way out, but it seems that "metric" is stronger than "access-list".
I don't know how to manage such a lab. Is that possible with an ASA 5505 appliance?
Thanks for your next reply.
++
07-27-2011 01:57 AM
One more piece of information about the ASA 5505: it has a "Security Plus license".
++
07-27-2011 06:46 AM
As Jon Marshall wrote in his post about ASA limitations, is it because the ASA does not support ISP load balancing that I did not manage to achieve my lab?
I guess yes.
++
07-27-2011 06:51 AM
Could you please provide the version of ASA that you are running? I am not able to remember the thread, but I was able to provide a test config and it worked, so I would like you to kindly provide me the exact requirements and the version you are using.
Thanks,
Varun
07-27-2011 07:28 AM
Thanks for your reply!
Below is the sh ver command result.
About my lab, I have 2 hosts in my LAN => P1 and P2
IP address P1 : 10.0.0.3/24 GW 10.0.0.253
IP address P2 : 10.0.0.5/24 GW 10.0.0.253
GW 10.0.0.253 is the inside interface of the ASA 5505.
I have 2 different ISPs (ISP 1 and ISP 2).
Each ISP has a specific eth on the ASA (no trunk).
Each host has a specific NAT rule to go outside.
I would like P1 to go outside with ISP 1 and P2 to go outside with ISP 2.
I hope I am clear enough. Ask for more detail.
ASA-5505# sh ver
Cisco Adaptive Security Appliance Software Version 8.3(1)
Device Manager Version 6.3(1)
Compiled on Thu 04-Mar-10 16:56 by builders
System image file is "disk0:/asa831-k8.bin"
Config file at boot was "startup-config"
ASA-5505 up 14 days 0 hours
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
0: Int: Internal-Data0/0 : address is 503d.e5e5.6308, irq 11
1: Ext: Ethernet0/0 : address is 503d.e5e5.6300, irq 255
2: Ext: Ethernet0/1 : address is 503d.e5e5.6301, irq 255
3: Ext: Ethernet0/2 : address is 503d.e5e5.6302, irq 255
4: Ext: Ethernet0/3 : address is 503d.e5e5.6303, irq 255
5: Ext: Ethernet0/4 : address is 503d.e5e5.6304, irq 255
6: Ext: Ethernet0/5 : address is 503d.e5e5.6305, irq 255
7: Ext: Ethernet0/6 : address is 503d.e5e5.6306, irq 255
8: Ext: Ethernet0/7 : address is 503d.e5e5.6307, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 20 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
SSL VPN Peers : 2 perpetual
Total VPN Peers : 25 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
AnyConnect Essentials : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5505 Security Plus license.
07-29-2011 01:38 AM
I have read a lot over the last 2 days about ASA models.
If the ASA 5505 (Security Plus license) is not able to manage 2 simultaneous ISPs, which Cisco appliance is able to do this?
I also had a problem creating a sub-interface on the ASA 5505, but now it's over:
"an asa5505 uses switchports, vlan interfaces, and switch like commands (such as "switchport access vlan x").
other asa's use subinterfaces - which are then trunked to switches. they use dot1q and are assigned to their vlans using the command "vlan x" in subinterface mode."
Have a nice day ++
08-02-2011 01:24 AM
It's not really what I want, but it's the only thing I found about my issue.
http://www.networkstraining.com/cisco-asa-5500-dual-isp-connection/
08-02-2011 02:31 AM
Hi Loic,
Indeed, that's the only thing you can do with the dual ISP. The ASA cannot do load balancing, but you can use the second ISP as a backup connection.
Cheers
Adam
08-02-2011 02:51 AM
Hi Adam,
Thank you for your reply.
Which Cisco appliance can support load balancing? I just looked but did not find an answer.
Have a nice day,
Loïc
08-02-2011 04:44 AM