Tanveer Deewan
Cisco Employee

If you have two ISPs and want to use the first one for outbound internet access for hosts on your inside network and the second ISP for people on the internet to access your servers, here is a sample configuration.

[Image: dual_isp.JPG]

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif backup
 security-level 0
 ip address 2.2.2.1 255.255.255.0
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/3
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,backup) 2.2.2.4 172.16.1.2 netmask 255.255.255.255
!
route outside 0.0.0.0 0.0.0.0 1.1.1.3 1
route backup 0.0.0.0 0.0.0.0 2.2.2.2 2

Comments
csco10716389
Level 1

Tanveer,

It is possible to put a specific route rather than a default for both the routes.

NAT is OK for (inside,outside) and (dmz,backup). You have to add a specific route for accessing the backup link from the DMZ or on the firewall. Thanks.

Tanveer Deewan
Cisco Employee

We don't need and can't have a specific route as the source of inbound traffic can be anyone on the internet. The configuration is tested and it works fine. This is not my question but more of a sample configuration for anyone to use.

manfernandez
Level 1

Tanveer,

Wouldn't this load balance across both those equal cost routes? You would need some sort of PBR, which I believe is not available (https://supportforums.cisco.com/docs/DOC-6069;jsessionid=8271C313440757D113FACC1737C6CABE.node0 ), else the packet would have issues on the other end because the remote firewall would send a SYN to ISP B's NATed address and when the server responds, it will be through ISP A's IP, hence on the remote end it would look like an out of state packet and would be dropped.

I could be wrong though.

Tanveer Deewan
Cisco Employee

route outside 0.0.0.0 0.0.0.0 1.1.1.3 1
route backup 0.0.0.0 0.0.0.0 2.2.2.2 2

The backup route has a higher metric, so it will not show in the routing table. However, it does exist in the 'topology table' in the ASA. Use 'sh asp table routing' to verify that.

When the SYN packet from client on internet hits the 'backup' interface of the ASA, it forwards that to the server in DMZ and builds a state/connection table for that. The return SYN-ACK packet from the server is routed based on the existing connection. This is when the 'backup' route with higher metric comes in play and the ASA forwards the packet to 2.2.2.2 device.

In short, this will only work for connections that are initiated from Internet destined to the backup interface subnet.
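As an added illustration (not from the original post or from Cisco), the following Python model reproduces the forwarding decision described in the reply above: a new connection takes the lowest-metric default route, while a reply to an existing connection leaves on the interface the connection was built on, using that interface's route even though it is not in the RIB. Interface names and addresses come from the sample configuration; the internet hosts 203.0.113.5 and 198.51.100.9 are constructed, and access-list checks and the inside PAT are not modelled.

```python
# Constructed model of the ASA behaviour the reply describes; not ASA code.
# Addresses and interface names come from the sample configuration above.
from typing import Optional

# route <iface> 0.0.0.0 0.0.0.0 <next-hop> <metric>: only the metric-1 route sits
# in the RIB, but both are kept in the ASP routing table ('sh asp table routing').
ROUTES = {"outside": ("1.1.1.3", 1), "backup": ("2.2.2.2", 2)}
# Directly connected /24s from the interface configuration.
CONNECTED = {"1.1.1.": "outside", "2.2.2.": "backup",
             "192.168.1.": "inside", "172.16.1.": "dmz"}
# static (dmz,backup) 2.2.2.4 172.16.1.2: mapped address -> real address.
STATIC_BACKUP = {"2.2.2.4": "172.16.1.2"}


class Asa:
    def __init__(self) -> None:
        # (src, dst) with real addresses -> interface the connection was built on
        self.conns: dict[tuple[str, str], str] = {}

    def route_lookup(self, dst: str) -> tuple[str, Optional[str]]:
        """New connections: connected network first, else the lowest-metric default."""
        for prefix, iface in CONNECTED.items():
            if dst.startswith(prefix):
                return iface, None
        iface = min(ROUTES, key=lambda i: ROUTES[i][1])
        return iface, ROUTES[iface][0]

    def forward(self, ingress: str, src: str, dst: str) -> tuple[str, Optional[str]]:
        """Return (egress interface, next hop) for one packet, or ('drop', None)."""
        if ingress == "backup":                # untranslate per the static NAT
            if dst not in STATIC_BACKUP:       # simplification: nothing else comes in
                return "drop", None
            dst = STATIC_BACKUP[dst]
        if (dst, src) in self.conns:           # reply to an existing connection:
            iface = self.conns[(dst, src)]     # stays on the ingress interface and
            nh = ROUTES.get(iface)             # uses that interface's route even
            return iface, nh[0] if nh else None  # though it is absent from the RIB
        self.conns[(src, dst)] = ingress       # new connection: build state, then route
        return self.route_lookup(dst)


if __name__ == "__main__":
    asa = Asa()
    # Internet client -> server via ISP B, then the server's reply, then a
    # server-initiated connection (which goes out via ISP A, as the reply warns).
    print(asa.forward("backup", "203.0.113.5", "2.2.2.4"))   # ('dmz', None)
    print(asa.forward("dmz", "172.16.1.2", "203.0.113.5"))   # ('backup', '2.2.2.2')
    print(asa.forward("dmz", "172.16.1.2", "198.51.100.9"))  # ('outside', '1.1.1.3')
```

The third call shows the limitation stated in the reply: traffic the DMZ server initiates itself is routed by the RIB and leaves via ISP A.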
