sokakkar
Cisco Employee
Introduction

Dual ISP implementation on ASA

 

Topology

Terminating two ISPs on ASA/PIX-
---------------------------

 

       ISP1------------------Internet
      1.1.1.2                  |
         |                     |
         |                     |
         |                     |
      1.1.1.1                  |
      ASA|2.2.2.1----2.2.2.2|ISP2
      3.3.3.1
        |
        |
    Internal Network

 

Let's say you have the above setup, with ISP1 being the primary ISP and ISP2 being the secondary ISP.

 

There is a concept of ISP failback in which all traffic goes out via ISP1 and, if ISP1 fails, the ASA/PIX starts routing traffic via ISP2. You can configure this using the following link:

 

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

 

Now, if you do not want to configure ISP failback, then these are the possible scenarios with two ISPs:

 

Scenario 1

Suppose you have two ISPs and want to use the first one for outbound Internet access from hosts on your inside network, and the second one for people on the Internet to reach your servers. These commands accomplish that:

 

global (ISP1) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,ISP2) 2.2.2.4 172.16.1.2 netmask 255.255.255.255

 

Also permit the inbound server traffic with an appropriate ACL on the ISP2 interface.

 

route ISP1 0 0 1.1.1.2 1     //Default route pointing to ISP1
route ISP2 0 0 2.2.2.2 2     //Default route with Metric 2 via ISP2

 

The backup route has a higher metric, so it will not show up in the routing table. It does, however, exist in the ASA's 'topology table'; use 'show asp table routing' to verify.

 

When the SYN packet from a client on the Internet hits the 'ISP2' interface of the ASA, the ASA forwards it to the server in the DMZ and builds a connection (state) table entry for it. The return SYN-ACK packet from the server is routed based on that existing connection. This is when the 'ISP2' route with the higher metric comes into play: the ASA forwards the packet to the ISP2 gateway, 2.2.2.2.

In short, this only works for connections that are initiated from the Internet and destined to the backup interface subnet.

 

Scenario 2

Now, suppose you do not want to configure ISP failback, but you need to route web (port 80 and 443) traffic via ISP2 and all other traffic via ISP1. This requires PBR, which is not supported on the ASA/PIX, but we can configure a workaround on the ASA/PIX to make it work.

 

The following commands achieve this:

 

route ISP1 0 0 1.1.1.2        //Default route pointing to ISP1
route ISP2 0 0 2.2.2.2 2     //Default route with Metric 2 via ISP2

 

static (ISP2,inside) tcp 0.0.0.0 80 0.0.0.0 80
static (ISP2,inside) tcp 0.0.0.0 443 0.0.0.0 443

 

sysopt noproxyarp inside

 

NOTE:

This configuration sends all TCP 80 and 443 traffic through ISP2, but it may cause additional problems in certain scenarios, e.g. when sending 'shuns'. Because the ASA now knows 0.0.0.0 0.0.0.0 to be on ISP2, a 'shun' may always be sent through ISP2.

 

nat (inside) 1 0 0
global (ISP1) 1 interface
global (ISP2) 1 interface

 

Now all traffic destined to any address on port 80/443 is forcibly placed on the ISP2 interface and routed from there.

 

Note: This approach requires that we KNOW the destination ports. Traffic that uses dynamic ports, such as voice traffic, must be routed via ISP1; it cannot be made to route via ISP2.

 

Scenario 3

In the same setup, we can utilize both ISPs to an extent instead of using only one ISP at a time. Although we cannot *truly* achieve load balancing with the ASA, we can configure it so that traffic for some destination IP addresses is routed via ISP1 and the rest via ISP2.

 

The configuration commands for this scenario would be:

 

nat (inside) 1 0 0
global (ISP1) 1 interface
global (ISP2) 1 interface

 

route ISP1 128.0.0.0 128.0.0.0 1.1.1.2
route ISP2 0.0.0.0 128.0.0.0 2.2.2.2

 

The first creates a default route that sends destination addresses whose first bit is 1 to 1.1.1.2 of ISP1.

 

The second creates a default route that sends destination addresses whose first bit is 0 to 2.2.2.2 of ISP2.

 

Note: This will do traffic routing based on *Destination* IP addresses and NOT based on traffic load.
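As an added illustration, not part of the original article and not Cisco's code, here is a small Python model of the egress decision the three scenarios above rely on: longest-prefix match with metric tie-break (Scenarios 1 and 3), the port-based override of Scenario 2, and replies following the existing connection entry (Scenario 1). The route lines are the article's; the client hosts and ports used to exercise the model are constructed.

```python
import ipaddress

# Constructed, simplified model of the ASA egress choice in the scenarios above.
# Not the ASA's real forwarding code: longest-prefix match with lowest metric as
# tie-break, the Scenario 2 port override, and replies following the connection.

def parse_routes(lines):
    """Parse 'route IFC NET MASK GW [METRIC]' lines; '0 0' means 0.0.0.0/0.
    Trailing '//' comments, as written in the article, are ignored."""
    routes = []
    for line in lines:
        parts = line.split("//")[0].split()
        if len(parts) < 5 or parts[0] != "route":
            continue
        _, ifc, net, mask, gw = parts[:5]
        metric = int(parts[5]) if len(parts) > 5 else 1
        net = "0.0.0.0" if net == "0" else net
        mask = "0.0.0.0" if mask == "0" else mask
        routes.append((ifc, ipaddress.ip_network(f"{net}/{mask}"), gw, metric))
    return routes

def best_route(routes, dst):
    """Longest prefix wins; equal prefixes: only the lowest metric is installed."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[1]]
    return min(hits, key=lambda r: (-r[1].prefixlen, r[3])) if hits else None

def route_on(routes, ifc):
    """Gateway of the (possibly higher-metric) route bound to interface ifc."""
    return next(r[2] for r in routes if r[0] == ifc)

def egress(routes, dst, dport=None, port_overrides=None):
    """(interface, gateway) for a NEW outbound flow. port_overrides maps a TCP
    destination port to an interface, modelling the Scenario 2 'static
    (ISP2,inside) tcp 0.0.0.0 80 ...' trick that pins that port to ISP2."""
    if port_overrides and dport in port_overrides:
        ifc = port_overrides[dport]
        return ifc, route_on(routes, ifc)
    r = best_route(routes, dst)
    return (r[0], r[2]) if r else None

def reply_egress(conn_table, routes, src, sport, dst, dport):
    """Scenario 1: a reply to a connection that entered on ISP2 leaves via ISP2
    (the higher-metric route) because the connection entry is consulted first."""
    key = (dst, dport, src, sport)  # the original flow as the client sent it
    if key in conn_table:
        ifc = conn_table[key]
        return ifc, route_on(routes, ifc)
    return egress(routes, dst, dport)
```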

 

Scenario 4

Problem
A user wants to know how to configure ISP failover while still reaching the Exchange server as usual when failover happens. Any ideas on how to make that happen? Outgoing failover seems straightforward with static routes, IP SLA and NAT with route-maps, but the incoming side seems a bit elusive based on his research.


Solution:

Scenario 4: ASA dual ISP failover with Exchange access.
Normally, when you set up Exchange in Outlook or access it through Outlook Web Access, you enter something like mail.company.com or mail.company.com/owa, or similar. The domain name you bought needs to be "pointed" at your public IP address so that you can reach that IP by using the URL. These settings are normally found when you log into the website of the company you bought the domain from.

So, if you want to use two different ISPs for redundancy, you would need to somehow redirect that email and web traffic to the second ISP when the primary ISP has failed.

When I say do it manually, I mean that you should go into the settings for your domain name and "point" the domain name to the backup ISP IP when there is a failover situation.

Just for clarification, the ASA is not able to have route-maps; that is a router's function.

Other than that, yes, the inbound traffic will be more difficult. The problem here will mainly be DNS. Since your Exchange and perhaps even web traffic will be going towards company.com, this name will be resolving to the ASA's outside interface. So when the failover happens you would need to redirect those URLs to the new public IP.

 

Comments
ely.jaramillo
Community Member

Great article - for scenario 1 do you need the security plus license on the ASA (5505 in my case)? I recall setting up failover on the base license and having to use the no forward command to get it to work.

shine pothen
Level 3

Good Article

HANOI03209
Level 1

Hi all,

Could you help me for this case?

I have the diagram as above. I want to configure the ASA:

- If internal users access to abc.com, they will go through ISP1.

- If internet users access to xyz.com, they will go through ISP2.

How to do this???

Thank you very much!

 

dbrandolese
Level 1

Thank you a lot, great article !!!
 

joseabra
Community Member

Thanks for the article!! really helpful!! 

razzaque003
Level 1
Ok, I need to configure as per scenario 1. However, instead of just one server (172.16.1.2), I need to access a particular subnet from the internet (we got several servers hosted in our environment that we need to access from the internet.).

 

Here is the scenario:

Two ISPs: ISP1 and ISP2

Two LAN subnets: Inside_user and Inside_server

 

Inside_user traffic towards  internet through ISP1 

Internet traffic to Inside_server through ISP2 (ISP2 ASA interface IP a.b.c.d and Inside_server subnet q.w.e.0)

 

What should the configuration be like?

 

global (ISP1) 1 interface
nat (Inside_user) 1 0.0.0.0 0.0.0.0
static (inside_server,ISP2) a.b.c.d q.w.e.0 netmask 255.255.255.0

 
