Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
326
Views
5
Helpful
3
Replies

Quick questions on ASA 5510 and Dual ISPs

Go to solution
Mike Bowers
Level 1
Level 1

‎10-28-2015 03:47 PM - edited ‎03-11-2019 11:48 PM

Hello!

I've been researching having two ISP connections and I'm getting mixed information from what I've been reading. Overall, it sounds like it is not supported on the ASA 5510, but if someone can confirm that and elaborate why, I'd appreciate it!

I'm looking to ditch a Cisco router which has a second ISP attached. It is performing PBR and sending everything out the ASA 5510. If the internet feed through the 5510 is unavailable, it defaults all traffic through the second ISP feed that is attached directly to the Cisco router.

My question is, since PBR isn't supported on the ASA 5510, does that mean that two active ISPs is not possible?  We have email coming in through ISP 2, and websites, clients, and everything else going through ISP 1.

Would the only way to make this work would be to redirect email through ISP 1, and have ISP 2 not used at all unless ISP 1 is down and have them both plugged into the ASA and the router ditched?

Thanks for any elaboration on this!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Akshay Rastogi
Cisco Employee
Cisco Employee

‎10-28-2015 07:23 PM

Hi Mike,

You are right.  PBR is not supported on ASA5510 as this feature is introduced from version 9.4.1 and ASA5510 last supported image is 9.1.6.

Solution of keeping both the ISP active with ASA5510 is implemented with PBR on next hop router.

If you are not implementing PBR on next hop router then only one ISP could be active at a time and another would only be available if first one goes down. However both the  ISP could be utilized through ASA by keeping one ISP for Outbound connections and One ISP for Inbound connections.

ASA works in a way if an Inbound connections comes on an Static NAT then the return packet would follow the same interface to exit which it used to enter(as the entry is already xlate created).

Example 

route outside1 0 0 20.1.1.2 1

route outside2 0 0 30.1.1.2 2

object net obj-internet

subnet 0 0 

 nat(inside,outside1) dynamic interface

object net obj-server

 host 10.1.1.1

 nat(inside,outside2) static 30.1.1.3 service tcp 80 80

Now with this if the traffic is initiated from Inside for internet it would go out taking the first nat statement with first default route.

If the traffic is initiated from outside2 on IP 30.1.1.3 for port 80 then it would be redirected to inside and the return packet would go through outside2 by usking the already created xlate and using the 2nd default route.

Please let me know if you have any queries.

Regards,

Akshay Rastogi

View solution in original post

3 Replies 3

Go to solution
Akshay Rastogi
Cisco Employee
Cisco Employee

‎10-28-2015 07:23 PM

Hi Mike,

You are right.  PBR is not supported on ASA5510 as this feature is introduced from version 9.4.1 and ASA5510 last supported image is 9.1.6.

Solution of keeping both the ISP active with ASA5510 is implemented with PBR on next hop router.

If you are not implementing PBR on next hop router then only one ISP could be active at a time and another would only be available if first one goes down. However both the  ISP could be utilized through ASA by keeping one ISP for Outbound connections and One ISP for Inbound connections.

ASA works in a way if an Inbound connections comes on an Static NAT then the return packet would follow the same interface to exit which it used to enter(as the entry is already xlate created).

Example 

route outside1 0 0 20.1.1.2 1

route outside2 0 0 30.1.1.2 2

object net obj-internet

subnet 0 0 

 nat(inside,outside1) dynamic interface

object net obj-server

 host 10.1.1.1

 nat(inside,outside2) static 30.1.1.3 service tcp 80 80

Now with this if the traffic is initiated from Inside for internet it would go out taking the first nat statement with first default route.

If the traffic is initiated from outside2 on IP 30.1.1.3 for port 80 then it would be redirected to inside and the return packet would go through outside2 by usking the already created xlate and using the 2nd default route.

Please let me know if you have any queries.

Regards,

Akshay Rastogi

Go to solution
Mike Bowers
Level 1
Level 1
In response to Akshay Rastogi

‎10-29-2015 01:24 AM

Thank you for explaining everything so well and confirming!

I have a solid understanding of my options now to move forward.

0 Helpful

Go to solution
Akshay Rastogi
Cisco Employee
Cisco Employee
In response to Mike Bowers

‎10-29-2015 01:44 AM

You're Welcome.

Regards,

Akshay Rastogi

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card