07-29-2008 04:30 AM - edited 02-21-2020 02:56 AM
Hi All,
Is there any way I can load balance across two routers?
I have an ASA with two routers attached. Each of the routers has two instances of HSRP running on it, each with its own IP address, and each router is the primary for one of the HSRP instances. If there was no ASA in the way I would set DHCP to run through one and all the server functions through another: hey presto, load balancing (of a sort). However, I cannot do this as the ASA has only one internal IP address. The routers are handling NATting as they are on different IP ranges on different ISPs.
I cannot use GLBP as the changing external IP would break connections for VPN, RDP and SMTP.
Is there any way I can make the ASA route based on source IP, or any other way of separating out the traffic between the two routers?
Thanks in advance,
Scott
07-29-2008 08:47 PM
You can't route based on source IP with the firewall; it's only possible with a router, by PBR.
You can make two static routes, each one pointing to a different router with a different metric.
In this case it will make the topology like active/standby, which is not good in your case.
But you can use subinterfaces on your ASA; in this case make each subinterface in a different subnet and a different security level,
and let each subinterface use a different HSRP instance.
Or there is another way.
If you don't use VPN on your ASA you can achieve it by using multiple contexts.
In multiple context mode you are going to separate your firewall virtually,
so if you have two VLANs in your inside network (two different subnets)
then each subnet will use a different firewall virtually.
You are going to divide the internal interface into two subinterfaces,
and you can use one outside interface shared between the contexts or also separate it into two subinterfaces,
and allocate those interfaces to each context.
So you are going to deal with each context as a different firewall,
and you can use a different HSRP instance on each context.
But with multiple contexts you can't use VPN on the firewall.
*****use the following method*****
The other way, which I also suggest you try, is the transparent firewall.
In that case your firewall will operate in L2 mode,
so you can use the routers' HSRP IPs as if there is no firewall in the path,
which I think is helpful in your case also.
In transparent mode the default gateway for your clients will be the HSRP IP, because the firewall will not have any IPs except for management.
Also the users will be in the same IP subnet as the gateway, in your case the HSRP VIP,
and you can also control the network security through the firewall normally.
Try this way and let me know.
See the following link for configuration.
Please rate if helpful.
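A sketch of the transparent-mode setup suggested in the answer above, added here as an example and not part of the original post. It assumes the transparent-mode syntax of ASA releases from the time of the thread (a single global management address, no bridge groups); the interface names, the ACL name and every address (documentation range 192.0.2.0/24) are placeholders.

```cisco
! Switching firewall mode clears the running configuration: back it up first.
firewall transparent
!
! Both interfaces bridge the same subnet; neither gets its own IP address.
interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface Ethernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! Single management address, in the same subnet as the hosts and the HSRP VIPs.
ip address 192.0.2.10 255.255.255.0
!
! Security policy still applies at L2: inbound traffic needs an explicit permit.
! Placeholder rule: SMTP to an assumed mail server at 192.0.2.25.
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.25 eq smtp
access-group OUTSIDE_IN in interface outside
!
! Hosts then use the HSRP virtual IPs directly as default gateways, e.g.
!   DHCP clients -> 192.0.2.1 (placeholder VIP where router A is active)
!   servers      -> 192.0.2.2 (placeholder VIP where router B is active)
```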
07-31-2008 12:03 AM
Thank you, the transparent mode worked perfectly.
07-31-2008 01:27 AM
I am glad it's working :)