Configuring the ASA to send traffic through both ISPs simultaneously.
Usually, when a user has two ISPs terminating on the ASA, the ASA is configured for ISP redundancy. In some cases, however, the user would like to use both ISPs simultaneously to send traffic.
In such a scenario, the best solution is to use a router. Using route-maps on the router, one can configure the routing so that only certain kinds of traffic use one ISP while the second ISP carries the other kinds of traffic. Although the ASA supports route-maps, it was not designed for extensive routing capabilities, and quite a few route-map features, such as source-based routing, are not supported by the ASA. If using a router is an option, the network would have to be redesigned as follows:
If, however, this is not an option, it is possible to configure a very crude form of "load balancing" on the ASA. The following two scenarios are ways in which both ISPs can be used simultaneously on the ASA:
1. Route traffic based on destination:
As mentioned above, the ASA is not a load balancer or a packet shaper. However, with the following commands on the ASA, we can route traffic to half the destinations on the internet using ISP1 and the other half using ISP2:
nat (inside) 1 0 0
global (ISP1) 1 interface
global (ISP2) 1 interface
route ISP1 0.0.0.0 128.0.0.0 <ISP1-gateway> // creates a default route for addresses in the first half of the IPv4 spectrum (0.0.0.0/1)
route ISP2 128.0.0.0 128.0.0.0 <ISP2-gateway> // creates a default route for addresses in the second half of the IPv4 spectrum (128.0.0.0/1)
(Replace <ISP1-gateway> and <ISP2-gateway> with each ISP's next-hop address; the two /1 routes together cover the whole address space, so no 0.0.0.0 0.0.0.0 default route is needed.)
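The route lookup that those two /1 routes produce, as an added Python example (not part of the original post and not Cisco code): it runs a longest-prefix match over a constructed route table, so a practitioner can check which ISP interface a given destination would leave through and see that any more specific route overrides the two halves. The gateway addresses 203.0.113.1 and 198.51.100.1 are documentation-range placeholders, and the sample destinations are constructed.

```python
"""Simulate the destination-based split created by two /1 routes on an ASA.

Added example (not from the original post). A plain longest-prefix-match
lookup over a small route table; gateways are placeholder values.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

# A route is (prefix, egress interface, next hop).
Route = Tuple[IPv4Network, str, IPv4Address]

# Constructed table mirroring the post: each /1 covers half of IPv4.
# 203.0.113.1 and 198.51.100.1 are documentation-range placeholders.
ROUTES: List[Route] = [
    (IPv4Network("0.0.0.0/1"), "ISP1", IPv4Address("203.0.113.1")),
    (IPv4Network("128.0.0.0/1"), "ISP2", IPv4Address("198.51.100.1")),
]


def lookup(dst: str, routes: List[Route] = ROUTES) -> Optional[Tuple[str, str]]:
    """Return (egress interface, next hop) for dst by longest-prefix match,
    or None when no route covers the destination."""
    addr = IPv4Address(dst)
    best: Optional[Route] = None
    for net, iface, gw in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    return None if best is None else (best[1], str(best[2]))


def add_route(routes: List[Route], cidr: str, iface: str, gw: str) -> List[Route]:
    """Return a new table with an extra (typically more specific) route."""
    return routes + [(IPv4Network(cidr), iface, IPv4Address(gw))]


def split_report(dsts: List[str], routes: List[Route] = ROUTES) -> Dict[str, int]:
    """Count how many of the given destinations egress via each interface.
    Shows that the /1 routes split the address space, not the traffic volume."""
    counts: Dict[str, int] = {}
    for d in dsts:
        r = lookup(d, routes)
        key = r[0] if r else "no-route"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample destinations.
    sample = ["8.8.8.8", "93.184.216.34", "140.82.112.3", "151.101.1.69", "1.1.1.1"]
    for d in sample:
        print(d, "->", lookup(d))
    print("split:", split_report(sample))
    # A /24 pointing at ISP1 wins over the 128.0.0.0/1 route for that block.
    override = add_route(ROUTES, "140.82.112.0/24", "ISP1", "203.0.113.1")
    print("140.82.112.3 with override ->", lookup("140.82.112.3", override))
```

Because the split is by destination address, not by session count or bandwidth, the load on the two links depends entirely on which half of the address space the hosts your users talk to happen to fall in; `split_report` makes that skew visible for a given traffic sample.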
2. Route traffic based on destination ports:
By adding the configuration below, the ASA can be set up to send web traffic (HTTP, HTTPS) out through ISP2, while all other traffic is sent through ISP1 as shown above.