I am looking into putting two different internet circuits for redundancy.

I am looking to install two circuits to the internet, a 10mb up and down and a 16mb down and 2mb up, and would like to know whether this will work if I just install the two circuits in two different routers with OSPF. Also, I have a WatchGuard Firewall but it only has one WAN port; what is the recommendation to ensure redundancy? I want to purchase a Cisco Concentrator to be able to do VPN; what impact will it have on this redundancy and how should this WAN be configured?
TonyEF Asked:
 
Pugglewuggle Commented:
Devangshroff - we already went over this. Not concurrently it won't.
Quoting from my previous post in this question:

"
The ASA 5505 will handle multiple ISPs with a Security Plus license.
The catch is that unfortunately, you cannot connect a PIX or ASA to two internet connections simultaneously - they can only be used for failover/backup in case one link goes down. What you need in this case is an edge router that has multiple WAN connections and can do load balancing. If you need a current product, I recommend the Cisco 2800 series routers very highly.

http://www.cisco.com/en/US/products/ps5854/ 

The bottom line is that ASAs and PIXes cannot load balance or support more than one concurrent WAN connection - the multiple ISP feature is only for backup in case the main line goes down. All load balancing must be done on a router.
"
0
 
firemanf29 Commented:
OSPF should work fine. However, you really want a firewall to be the last device before each internet connection. Some firewalls like Cisco have multiple ports that can be configured as WAN ports and that would be your best solution. I believe Check Point allows that configuration also. Have you asked WatchGuard support if they support multiple WAN ports? Sometimes a regular port can be reconfigured as a WAN port.
 
0
 
TonyEF (Author) Commented:
I did ask WatchGuard and they said the device I have does not support it. Can I put a data switch between the firewall and the routers?
0
 
lrmoore Commented:
The Cisco VPN concentrator - AKA ASA5500 series firewall would ideally replace the WatchGuard and give you plenty of new options.
0
 
TonyEF (Author) Commented:
I am looking at the ASA5505.
0
 
lrmoore Commented:
The 5505 will not handle multiple ISP's but the 5510 will.
0
 
Pugglewuggle Commented:
"The 5505 will not handle multiple ISP's but the 5510 will."
This is not correct. The ASA 5505 will handle multiple ISPs with a Security Plus license.
The catch is that unfortunately, you cannot connect a PIX or ASA to two internet connections simultaneously - they can only be used for failover/backup in case one link goes down. What you need in this case is an edge router that has multiple WAN connections and can do load balancing. If you need a current product, I recommend the Cisco 2800 series routers very highly.

http://www.cisco.com/en/US/products/ps5854/

The bottom line is that PIXes cannot load balance or support more than one concurrent WAN connection - the multiple ISP feature is only for backup in case the main line goes down. All load balancing must be done on a router.
0
 
Pugglewuggle Commented:
BTW, the ASAs are wonderful devices. I've deployed about 20 and they work great! You'll love them too once you start using one. :-) Let me know if you have any questions about them.
0
 
devangshroff Commented:
Best is to upgrade Cisco ASA to version 7.2; this supports WAN failover.

Or purchase a UTM box like FortiGate and SonicWall.
0
 
lrmoore Commented:
Thanks, Pug. I keep forgetting that they've packed that much into that little 5505 package, but I still recommend the 5510 for anyone with more than 10-20 end users. I've still got my fingers crossed that soon the ASA will indeed support multiple ISP connections, at least with route-maps to semi-load share.
0
 
Pugglewuggle Commented:
They just recommend it because it costs 4 to 10 times as much. Gotta love Cisco :-)
I wish they would bring in multiple WAN lines and BGP... but they won't. Too greedy. They want you to buy a router.
"Best is to upgrade Cisco ASA to version 7.2; this supports WAN failover." - nah... just download the newest 8.0.4. It has some very nice features and improved Site-to-Site VPN functionality. Not to mention the ASDM is a LOT better in 8.x.
0
 
lrmoore Commented:
> it costs 4 to 10 times as much
Not really. 5505 SEC bundle = $1695, 5510 Base bundle = $3495 list
So, barely double for 10-times the capability out of the box and upgradable = better bang for the buck IMHO

0
 
Pugglewuggle Commented:
Geez! Where are you getting the price for the 5505? I pick them up for under $1000! ASA5505-SEC-BUN-K9
Add a CSC or AIP SSM to that 5510 and it's about 7k :-) And then add SmartNET.
:-P
0
 
lrmoore Commented:
Cisco LIST pricing.... Always at least 30-40% higher than street prices.
Yeah, but you CAN'T add CSC or AIP to a 5505 even if you wanted to, at least not yet.
0
 
Pugglewuggle Commented:
Ah yes indeed. :-P I usually speak in terms of the street price.
I'm waiting for the SSC modules for the 5505 though! I think they're coming out with an IPS (AIP) one soon. I accidentally ran across a diagram of an SSC IPS module on Cisco's Japan website with Google search.
When the 5505 does IPS I'll be sooooo happy. :-D
0
 
devangshroff Commented:
5505 will also support multiple ISPs.
0
Question has a verified solution.