11-30-2011 01:53 PM
Guys, need some help here:
Context:
1- My company has one ASA 5510 configured with Site-to-site VPN, Ipsec Cisco VPN and AnyConnect VPN.
2- We use ASA to connect to the single ISP (ISP 1) for internet access. ASA does all the NATing for internal users to go out.
3- A second link is coming in and we will be using ISP 2 to loadbalance traffic to internet (i.e. business traffic will go via ISP1 and “other” traffic will go via ISP2).
4- A router will be deployed in front of the ASA to terminate internet links.
5- No BGP should be used to implement policy (traffic X goes via ISP1, traffic Y goes via ISP2).
Questions:
How do I get this done, particularly, how do I tell the router, for traffic X use ISP1 and for traffic Y use ISP2? PBR is my friend?
Since I will be having 2 public IP addresses from the 2 ISPs, how do I NAT internal users to the 2 public IP addresses?
Finally, which device should be doing the NATing? The ASA just like now or move NATing to the Router?
Thanks
Ndaungwe
11-30-2011 02:04 PM
Hi,
If both ISP handoffs are Ethernet, you may want to stick with the 5510 and use any available interface as outside2. If not, then adding a router will be the best bet. Let's see what the experts suggest.
Thx
MS
11-30-2011 02:07 PM
mvsheik,
ASA connecting to the ISPs is ruled out as per my initial posting...
11-30-2011 04:40 PM
I misread it... I was under the impression that you want to buy a router due to the second ISP. If it is a must to go with a 'router' based solution, then you may be able to, but all your NAT and other config may need to be moved to the router and the ASA may be just a transparent device. Wait for experts' solutions.
Thx
MS
PS: Do not rate the posting 'correct' if the issue is not resolved. Majority may not read it :-).
12-01-2011 09:08 AM
mvsheik,
Thanks for keeping on top of this...
Still waiting for experts to confirm... In the meantime, can you send some basic config samples in terms of how this setup should look? Can you address the issues regarding identifying business traffic and pointing it to ISP1 and the rest to ISP2?
Regards
ndaungwe
12-01-2011 10:44 AM
Hi,
Check the link below; it gives information on transparent FW config and limitations. Based on the doc, you may need to move the VPN/AnyConnect to the router as well. From the router end you may be able to set up static routes pointing to different ISPs based on traffic needs, but this will be a complicated setup and can break things. Wait for other suggestions or, if possible, stick to the ASA to terminate both links and still route the traffic to different ISPs (saves the router cost as well).
Thx
MS
12-01-2011 01:49 PM
Mvsheik123
Thanks for the doc and feedback. Well, I found another doc, pretty straightforward, about ASA + Router config with dual WAN connections. Cool stuff really and easy. There is a catch though! In the doc, the guy uses private IP addresses, but that really misses the point because what is the point of giving an example with private IP addresses (to make things simple, the guy said...) when I am trying to find a solution to connect to the Internet? I cannot use these IP addresses when I am connecting with 2 ISPs... I would like to see an example with real public IPs.
Ndaungwe
https://supportforums.cisco.com/docs/DOC-13015
12-02-2011 02:01 PM
Good.. you got the right info. I guess you are planning to move the existing ISP link to router as well. Did you talk to both ISPs and figure out what and how many IPs they assign?
Thx
MS
12-04-2011 03:14 PM
While the document I sent to you is a good starting point, now the hard part begins.
I am on configuring the ASA to translate the routes, but some of these routes are of this form:
permit tcp any any range 1000 3000
permit tcp any host 22.44.66.88 eq 443
How do you translate those rules?
Once I am done with that I will configure my router to tell it: if traffic comes from this (translated IP address) send to ISP1... and if it comes from this other (translated IP address) send to ISP2.
Thanks
Ndaungwe
12-07-2011 05:50 AM
Use an ACL to define the route and associate it with a static (inside,outside)
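An added example, not from the thread or the linked doc, of how that suggestion and the router side fit together: the ASA (8.2-era syntax) uses policy NAT so business traffic, matched by an ACL written like the rules quoted above, is translated to the ISP1-assigned address and everything else to the ISP2 address; the router then applies PBR on the source address it sees. The inside network 10.1.0.0/16, the ISP-assigned addresses (RFC 5737 documentation ranges standing in for the real public IPs), next-hops and interface names are all assumptions.

```cisco
! ===== ASA (8.2-style NAT) =====
! Business traffic, same shape as the rules quoted in the thread, but with the
! inside source network instead of "any": policy NAT matches on source.
access-list BUSINESS extended permit tcp 10.1.0.0 255.255.0.0 host 22.44.66.88 eq 443
access-list BUSINESS extended permit tcp 10.1.0.0 255.255.0.0 any range 1000 3000
!
! Pool 1 = address assigned by ISP1, pool 2 = address assigned by ISP2 (placeholders)
global (outside) 1 203.0.113.10
global (outside) 2 198.51.100.10
!
! Policy NAT (nat with an ACL) is evaluated before the plain nat line, so
! business flows get the ISP1 address and all remaining inside traffic gets ISP2.
nat (inside) 1 access-list BUSINESS
nat (inside) 2 10.1.0.0 255.255.0.0
!
! ===== Router in front of the ASA =====
! Return traffic for the translated addresses must be sent back to the ASA outside interface.
ip route 203.0.113.10 255.255.255.255 192.0.2.2
ip route 198.51.100.10 255.255.255.255 192.0.2.2
!
! Classify by the source address the ASA translated to.
ip access-list extended VIA_ISP1
 permit ip host 203.0.113.10 any
ip access-list extended VIA_ISP2
 permit ip host 198.51.100.10 any
!
! PBR: ISP1 address -> ISP1 next-hop, ISP2 address -> ISP2 next-hop (placeholder next-hops).
route-map DUAL_ISP permit 10
 match ip address VIA_ISP1
 set ip next-hop 203.0.113.1
route-map DUAL_ISP permit 20
 match ip address VIA_ISP2
 set ip next-hop 198.51.100.1
!
! Apply the policy on the interface facing the ASA outside (192.0.2.2 assumed).
interface GigabitEthernet0/0
 description Link to ASA outside
 ip address 192.0.2.1 255.255.255.252
 ip policy route-map DUAL_ISP
!
! Default route as a fallback for anything the route-map does not match.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

Since the ASA itself still sees a single outside interface, this keeps the existing site-to-site and remote-access VPN termination on the ASA; only the ISP selection moves to the router, and `show route-map DUAL_ISP` on the router shows whether each clause is actually matching packets.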