Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6744
Views
0
Helpful
5
Replies

Using Dual ISP's with ASA5505

Go to solution
razorbakill
Level 1
Level 1

‎10-02-2010 11:43 AM - edited ‎03-11-2019 11:49 AM

for the purpose of a redundency, incase the primary ISP goes down the backup kicks in.

Can this be done with the basic license (max 3 vlans) or you need to have the security plus license. (20 vlans)

Currently not using the 3rd vlan (dmz)

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jia Liu
Cisco Employee
Cisco Employee

‎10-02-2010 03:29 PM

You would need the security plus license.

View solution in original post

0 Helpful

Go to solution
Kureli Sankar
Cisco Employee
Cisco Employee
In response to Jia Liu

‎10-02-2010 03:51 PM

With the base license you do get  3 zone (2 regular zones and 1 restricted zone). But with the restricted zone you can only talk to one vlan either inside or outside.  For redundancy to work when one ISP goes down you would want the 3-rd zone to talk to the inside and outside.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/license.html#wp1330679

With the Base license, the third VLAN must be configured with the no forward interface command to restrict this VLAN from initiating contact to one other VLAN.

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/ef.html#wp1934395

So, you need security plus license so, you will not have this restriction.

-KS

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Jia Liu
Cisco Employee
Cisco Employee

‎10-02-2010 03:29 PM

You would need the security plus license.

0 Helpful

Go to solution
Kureli Sankar
Cisco Employee
Cisco Employee
In response to Jia Liu

‎10-02-2010 03:51 PM

With the base license you do get  3 zone (2 regular zones and 1 restricted zone). But with the restricted zone you can only talk to one vlan either inside or outside.  For redundancy to work when one ISP goes down you would want the 3-rd zone to talk to the inside and outside.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/license.html#wp1330679

With the Base license, the third VLAN must be configured with the no forward interface command to restrict this VLAN from initiating contact to one other VLAN.

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/ef.html#wp1934395

So, you need security plus license so, you will not have this restriction.

-KS

0 Helpful

Go to solution
razorbakill
Level 1
Level 1
In response to Kureli Sankar

‎10-03-2010 12:28 PM

I had a feeling you needed the security plus,

Thanks for confirming

0 Helpful

Go to solution
Nikita Borodavko
Level 1
Level 1
In response to Jia Liu

‎04-02-2013 12:01 PM

Can you explain me some in this case.

You said "But with the restricted zone you can only talk to one vlan either inside or outside"

Does this mean that restricted zone can only talk with one other zone?

For example, why we can't do so with ASA base license:

create VLAN 1 for INSIDE

create VLAN 2 for main ISP

create VLAN 3 ( restricted, this VLAN can communicate only with one other, right?) for backup ISP and it will communicate only with VLAN 1 INSIDE.

VLAN 3 (backup ISP) should not communicate with main ISP vlan.

What's wrong with my thinking?

Thanks in advance for your reply

0 Helpful

Go to solution
John Peterson
Level 1
Level 1

‎04-17-2012 10:52 AM

It makes sence that you don't need a set plus license to have ISP failover as your outside traffic would never forward traffic to the failover ISP.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card