Is it possible to load balance between two ISP links?
Presently it is not possible to load balance traffic between two ISP links on an ASA. The reason being, there can only be one default route configured on the ASA.
Does the ASA support PBR (Policy Based Routing)?
No, the ASA does not support PBR.
Does the ASA support secondary IP address on interfaces?
No, the ASA does not support secondary IP address on interfaces. This is not to be confused with the standby IP address configured on the interfaces for failover configuration.
What other options do we have?
SLA Route Tracking
With this method we can configure both the ISP links on the ASA and use the primary ISP for all outgoing traffic and then the secondary ISP, if the primary fails. Failure of the primary ISP causes a temporary disruption of traffic. Use this configuration for redundancy or backup purposes only.
With this method we can configure both the ISP links on the router outside the firewall. We can translate some traffic to use Primary ISP provided IP address and the rest of the traffic to use Secondary ISP provided IP address. Now, based on this source address that hits the router, we can configure the router to do policy based routing and route the traffic either via the Primary ISP or via the Secondary ISP.
Let us assume the requirement as below:
1. We would like all the users traffic translated to the ISP1 provided address
2. We would like all the servers traffic translated to the ISP2 provided address
3. The router should look at the translated addresses and based on the address it should set the next hop address and route the traffic via the appropriate ISP.
ISP1 provided address block is 10.10.10.0/24 and ISP2 provided address block is 172.18.124.0/24. These are not routable addresses. For simplicity reasons we are using RFC 1918 address space.
Translation for all users to take ISP 1 nat (inside) 1 192.168.2.0 255.255.255.0 global (outside) 1 10.10.10.1
Translation for web and e-mail servers to take ISP2 static (inside,outside) 172.18.124.20 192.168.2.20 netmask 255.255.255.255 static (inside,outside) 172.18.124.30 192.168.2.30 netmask 255.255.255.255
route outside 0 0 172.16.12.2
ip access-list ext isp1-addr
permit ip 10.10.10.0 0.0.0.255 any
ip access-list ext ips2-addr
permit ip 172.18.124.0 0.0.0.255 any
route-map ISP permit 10
match ip address isp1-addr
set ip next-hop 10.10.10.2
route-map ISP permit 20
match ip address isp2-addr
set ip next-hop 172.18.124.2
ip address 172.16.12.2 255.255.255.0
ip policy route-map ISP in
Allowing outbound via ISP1 and inbound via ISP2
Let us take the same example above. We can use one ISP1 for all outbound connections and use IPS2 for all inbound connections.
Translation for all outbound connections from users and servers to take ISP 1 nat (inside) 1 192.168.2.0 255.255.255.0 global (ISP1) 1 10.10.10.1
route ISP1 0 0 10.10.10.254
Here are the translations for inbound connections to the servers:
Translation for web and e-mail servers to take ISP2 static (inside,ISP2) 172.18.124.20 192.168.2.20 netmask 255.255.255.255 static (inside,ISP2) 172.18.124.30 192.168.2.30 netmask 255.255.255.255
In the previous case even the out bound connections made by the servers would take the ISP2 path but, in this example outbound connections from the web and e-mail servers will take ISP1. ONLY the INBOUND connections will come through ISP2 and will be responded back using ISP2.
Allowing internet access via ISP1 and L2L vpn via ISP2
The above example can also be used to allow internet access outbound and inbound via ISP1 with the default route pointing to ISP1 and VPN site to site tunnels can be terminated on the ISP2 interface by configuring specific routes to reach peer networks via IPS2.
Hi Community, “Hardware Bypass is not supported in high availability mode.”https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/inline_sets_and_passive_interfaces_for_firepower_threat_defense.htm...
Hi, I am just wondering if it is possible to monitor the failover of an ASA in multiple context mode, and even more finely tune that monitoring to include specific contexts failing over to a standby ASA? I am thinking syslog is probably the most like...
We have Cisco ASA firepower 5516 which stop working or hang everyday between 3 AM to 4 AM since last 1 month. i have noted when it's stop working or hang i even i am not able to access using by console . all ports stop works and blinking continues......
I am having an issue where the SGT value is not seen in the flow cache on the switch when the ip address is in the source field, but can see the SGT value in the Reply… The flow record config has the match source tag and destination tag config
Hi Experts, I would like to upgrade from virtual FMC to an appliance based FMC. IMO, the appliance always wins, but i need to build a business case for this shift. I've noted a few points to justify this requirement, but i need a lot more to con...