To configure the ASA to send traffic through both ISPs simultaneously.
Usually when a user has two ISPs terminating on the ASA, the ASA is configured for ISP redundancy (one ISP active, the other a tracked backup). In some cases, however, the user would like to use both ISPs simultaneously to send traffic.
In such a scenario, the best solution would be to use a router. Using route-maps on the router, one can configure the routing so that only certain kinds of traffic use one ISP while the second ISP is used for everything else. Although the ASA supports route-maps, it was not designed for extensive routing functionality, and several route-map features, such as source-based routing, are not supported on the releases this document targets. (Note for newer releases: ASA 9.4(1) and later do support policy-based routing, applied with `policy-route route-map` on the ingress interface, which can select the egress path by source, destination or port.) If using a router is an option, the network would have to be redesigned as follows:
If, however, a router is not an option, it is possible to configure a very crude form of "load balancing" on the ASA. The following two scenarios are ways in which both ISPs can be used simultaneously on the ASA:
1. Route traffic based on destination:
As mentioned above, the ASA is not a load balancer or a packet shaper. With the commands below (pre-8.3 nat/global syntax), however, the ASA routes traffic to half of the IPv4 destinations on the internet through ISP1 (0.0.0.0/1) and the other half through ISP2 (128.0.0.0/1). Because the sources are PATed to the address of whichever ISP interface the packet leaves on, return traffic comes back on the same interface, so there is no asymmetric routing. There is also no automatic fallback: if one ISP goes down, the half of the internet behind it becomes unreachable unless the two routes are tracked (sla monitor / track) with floating backup routes. Replace <ISP1_gateway> and <ISP2_gateway> with each ISP's next-hop address.
nat (inside) 1 0 0 // translate every inside source address using NAT ID 1
global (ISP1) 1 interface // PAT to the ISP1 interface address when the packet leaves through ISP1
global (ISP2) 1 interface // PAT to the ISP2 interface address when the packet leaves through ISP2
route ISP1 0.0.0.0 128.0.0.0 <ISP1_gateway> // 0.0.0.0/1: destinations in the first half of the IPv4 address space leave through ISP1
route ISP2 128.0.0.0 128.0.0.0 <ISP2_gateway> // 128.0.0.0/1: destinations in the second half of the IPv4 address space leave through ISP2
2. Route traffic based on destination ports:
By adding the configuration below, the ASA can be set up to send web traffic (HTTP, HTTPS) out through ISP2 while all other traffic is sent through ISP1 as shown above.
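The following is an added example and not the configuration from the original post: it implements scenario 2 (HTTP/HTTPS through ISP2, everything else through ISP1) with the policy-based routing available on ASA 9.4(1) and later, together with 8.3+ object NAT. Interface names, the inside subnet 10.0.0.0/24 and the next-hop addresses 203.0.113.1 (ISP1) and 198.51.100.1 (ISP2) are placeholders chosen for the example.

```cisco
! Added example, not the original post's configuration.
! Assumes ASA 9.4(1)+ (policy-based routing) and 8.3+ NAT syntax.
! Placeholder addressing: inside LAN 10.0.0.0/24,
! ISP1 next hop 203.0.113.1, ISP2 next hop 198.51.100.1.

interface GigabitEthernet0/0
 nameif ISP1
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif ISP2
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
! Default route: anything the route-map does not match leaves through ISP1.
route ISP1 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Object (auto) NAT rather than manual NAT: the egress interface is chosen
! first by PBR/route lookup, then the rule for that (inside, egress) pair is
! applied. A network object can carry only one nat statement, so the same
! subnet is defined twice, once per ISP interface.
object network INSIDE_NET_ISP1
 subnet 10.0.0.0 255.255.255.0
 nat (inside,ISP1) dynamic interface
object network INSIDE_NET_ISP2
 subnet 10.0.0.0 255.255.255.0
 nat (inside,ISP2) dynamic interface
!
! Only HTTP/HTTPS from the LAN is matched; everything else falls through to
! the routing table (i.e. the ISP1 default route).
access-list WEB_OUT extended permit tcp 10.0.0.0 255.255.255.0 any eq www
access-list WEB_OUT extended permit tcp 10.0.0.0 255.255.255.0 any eq https
!
route-map WEB_VIA_ISP2 permit 10
 match ip address WEB_OUT
 set ip next-hop 198.51.100.1
!
! PBR is applied on the ingress interface of the traffic, i.e. inside.
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 policy-route route-map WEB_VIA_ISP2
```

To confirm the path selection without generating real traffic, run `packet-tracer input inside tcp 10.0.0.10 1025 <destination> 443` and `packet-tracer input inside tcp 10.0.0.10 1025 <destination> 25`: the first should show the PBR phase selecting ISP2 and the ISP2 PAT rule, the second the ISP1 default route and the ISP1 PAT rule. As with scenario 1, there is no fallback if ISP2 goes down; the `set ip next-hop verify-availability ... track` form of the route-map, combined with an `sla monitor` probe, is the usual way to make the policy route fall back to the default route.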