multiple isp

viveknathmangalat33 · ‎02-21-2014

hi , wanted to configure 3 isp in cisco ASA.

with all being standalone.

is this possible with normal static routes towards specific default gateway.

and specific ips natted with that isp interface?

thanks

vivek

JohnTylerPearce · ‎02-21-2014

You can 100% connect three ISPs to an ASA, but you will need to understand that an ASA is firewall and no ta router.

Also, an ASA will not to policy-based routing (PBR).

Now, you could in theory have three interfaces on an ASA, one going to each ISP

Interface x -> ISP1

Interface y -> ISP2

Interface z -> ISP3

LAN Interface a -> LAN

You could then NAT to each ISP depending on subnet, and or do policy NAT.

Or you could have a router in front of the ASA connecting to these ISPs, and then have a /30 from the firewall to this router, and then you could nat based on any IP pretty easily.

viveknathmangalat33 · ‎02-22-2014

what atout routing, should we not have a default route?

JohnTylerPearce · ‎02-22-2014

You can put three default routes with the same administration distance. So you end up performing load balancing, but I'm not too sure how that will work.

If you wanted to do it this way, what I would do is, have the ASA go to a router that is attached to three ISP links. I would then setup your routing (link to the three different ISPs) on the router.

You can run into all inds of issues with an ASA, with three different ISP links. You may have to setup all kinds of NAT rules, ACLs ruels etc etc. I'm not saying it "wouldn't" work, but it could possibly be a pain.

viveknathmangalat33 · ‎02-27-2014

i am not sure this will work , where can put 3 default routes, because asa will ask for administrative distance.

we are routing from an l3 switch and then to firewall over internet, there is not router after our firewall

is there any way still?

thanks

vivk

viveknathmangalat33 · ‎02-24-2015

the best way is to do multiple context mode, have a router or a switch have floating static routes monitoring the ISPs Ips with SLA tracking and failing over.

So the customers will have a default gateway towards the vlan interface ip and switch will do the fail over.

thanks.

JohnTylerPearce · ‎02-28-2014

Are there 3 physical connections on your firewall for each ISP

Sent from Cisco Technical Support Android App

sean_evershed · ‎03-01-2014

ASAs do not support more than one active default gateway. Therefore to support three ISPs simultaneously you will need to enable multiple contexts on your firewall, one for each ISP. See below a link explaining the concept of contexts:

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99131-multiple-context.html

Don't forget to rate all posts that are helpful.

viveknathmangalat33 · ‎03-03-2014

yes, there are 3 physical connections to ISP

JohnTylerPearce · ‎03-03-2014

Sean,

Good catch, I completely forgot about that.

Vive,

So, you have three different physical interfaces on the ASA with each going to a different ISP? If this is the case, you could load balance based upon NAT.

I believe you could configure NAT in such a way, that you NAT certain ranges to go out ISP1, ISP2, and then ISP3.

viveknathmangalat33 · ‎03-05-2014

hi John, Yss, we could nat it that way, but default routing will be a problem still.