
Advice on dual ISP routes, PBR, ASA... All the good stuff

Hi All,

I'm sure there are many threads on how to configure dual ISPs with Policy Based Routing & the issues involved with using a single ASA in this environment. But this won't be one of those threads. The network I'm about to discuss actually works just fine & we are happy with the performance. What I am after is some advice or feedback on the way I have it currently configured. If you look at the attached picture, the network started out as simple as the SG300-28P (in L2 mode) looking after a handful of hosts, a few security cameras & a single ESXi server, with the 1941 on an ADSL2+ connection. Since I took over it's grown to represent the attached diagram. I now have the SG300 in L3 mode & it is looking after the VLAN routing. It will soon be replaced with something not from the 'Small Business' product range. One group of users on a particular VLAN (VLAN 80) are very multimedia intensive & were consuming all the bandwidth of the ADSL connection, so we added a cable connection as well; this introduced me to PBR, which works great on the 1941. At the same time a few users required secured remote connections, so I got the ASA 5510 with the AnyConnect license & installed it, which is all up & running. Due to the SSL VPNs coming in from the public IP of the cable connection, I terminated the cable modem directly to the ASA. This is the bulk of the company's internet traffic, with only that one particular VLAN using the ADSL connection due to the unlimited download contract we have with the ISP (ISP1).

I've since added an IOS ZBF (thanks to Keith Barker's videos for the assistance) to do stateful filtering of the ADSL traffic on int Dialer1 from VLAN 80's subnet. I'm wondering now if I should have terminated both Internet connections to the 1941 (via a switch & dot1q trunk) & put the ASA downstream to handle ALL the traffic? Obviously ISP2 will still be the default gateway & PBR will push traffic from VLAN 80 out the Dialer1 interface to ISP1. I'm curious as to what static NAT rules I would need to add in order for the SSL VPN to continue through the 1941 & terminate on the ASA. I'm genuinely curious as to what everyone thinks of the current network & if I should change it?
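To make the two designs discussed in the post concrete, here is an added IOS configuration sketch that is not the poster's own config. It shows the pieces the post names: a route-map that policy-routes VLAN 80 out Dialer1, a zone-based firewall that statefully inspects only that VLAN toward ISP1, and, for the proposed layout with the cable connection on the 1941, the static NAT plus the inbound zone-pair that would let AnyConnect (TCP 443, and UDP 443 for DTLS) reach an ASA sitting behind the router. All addresses, interface names and zone names are assumptions chosen for illustration; the PPPoE/PPPoA settings for Dialer1 and the cable-side addressing are omitted because the post does not give them.

```cisco
! ===== Assumed addressing (hypothetical, not from the post) =====
! VLAN 80 subnet (routed by the SG300):      192.0.2.0/24
! 1941 Gi0/0, transit link to the SG300:     198.51.100.1/24
! SG300 routed address on the transit link:  198.51.100.3
! ASA outside interface, facing the 1941:    198.51.100.2  (proposed design only)
! Dialer1: ADSL2+ to ISP1, address negotiated. Gi0/1: cable modem to ISP2 (proposed design only)

! Route back to the VLANs the SG300 routes; PBR does not help with return traffic
ip route 192.0.2.0 255.255.255.0 198.51.100.3

! ===== Current design: VLAN 80 -> Dialer1 with stateful inspection =====
zone security INSIDE
zone security ISP1

ip access-list extended VLAN80-HOSTS
 permit ip 192.0.2.0 0.0.0.255 any

! Only VLAN 80 is allowed toward ISP1; any other source hitting Dialer1 is dropped and logged
class-map type inspect match-all CM-VLAN80
 match access-group name VLAN80-HOSTS
policy-map type inspect PM-INSIDE-TO-ISP1
 class type inspect CM-VLAN80
  inspect
 class class-default
  drop log
zone-pair security ZP-INSIDE-ISP1 source INSIDE destination ISP1
 service-policy type inspect PM-INSIDE-TO-ISP1
! No ISP1 -> INSIDE zone-pair exists, so unsolicited inbound traffic on the ADSL link is denied
! by default; only replies to inspected sessions are allowed back in.

! PBR: steer VLAN 80 sources out Dialer1 regardless of the default route.
! A dialer has a negotiated peer, so "set interface" is used instead of "set ip next-hop".
route-map PBR-VLAN80 permit 10
 match ip address VLAN80-HOSTS
 set interface Dialer1

! PAT VLAN 80 behind the negotiated ADSL address
ip nat inside source list VLAN80-HOSTS interface Dialer1 overload

interface GigabitEthernet0/0
 description Transit to SG300 (all VLANs arrive here)
 ip address 198.51.100.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
 ip policy route-map PBR-VLAN80

interface Dialer1
 description ADSL2+ to ISP1 (PPPoE/PPPoA settings omitted)
 ip address negotiated
 ip nat outside
 zone-member security ISP1

! ===== Proposed design: cable on the 1941, ASA downstream, SSL VPN passed through =====
zone security ISP2

interface GigabitEthernet0/1
 description Cable modem to ISP2 (default route goes this way)
 ip nat outside
 zone-member security ISP2

! Forward AnyConnect from the cable public address to the ASA's outside interface.
! TCP 443 carries the SSL tunnel; UDP 443 carries DTLS. Only these two ports are exposed.
ip nat inside source static tcp 198.51.100.2 443 interface GigabitEthernet0/1 443
ip nat inside source static udp 198.51.100.2 443 interface GigabitEthernet0/1 443

! ZBF evaluates the inside-local (post-NAT) address for ISP2 -> INSIDE, so match the ASA's
! real address here. Everything else from the cable side toward the LAN stays denied.
ip access-list extended VPN-TO-ASA
 permit tcp any host 198.51.100.2 eq 443
 permit udp any host 198.51.100.2 eq 443
class-map type inspect match-all CM-VPN-TO-ASA
 match access-group name VPN-TO-ASA
policy-map type inspect PM-ISP2-TO-INSIDE
 class type inspect CM-VPN-TO-ASA
  inspect
 class class-default
  drop log
zone-pair security ZP-ISP2-INSIDE source ISP2 destination INSIDE
 service-policy type inspect PM-ISP2-TO-INSIDE
```

With the proposed layout the 1941 becomes the single choke point for both ISPs, so the ASA no longer sees the real client addresses of VPN peers; the ASA's own logs will show sessions arriving from 198.51.100.1 unless NAT is done elsewhere, which matters when correlating VPN logins against router or ISP logs. The INSIDE -> ISP2 zone-pair for general outbound traffic is intentionally left out of the sketch because, in the poster's proposal, the ASA downstream would be doing that inspection; if the 1941 is to inspect it as well, it needs its own zone-pair like the ISP1 one above.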