Hello experts, I have come to this great site in search of network design advice. I have an ASA 5510 stateful failover pair (active/standby) running in single context routed mode. The outside interface is part of an ISP (ISP1) provided public subnet with a layer 2 connection to an ISP managed router. All NAT takes place within the ASA. All our external services reside on the ISP1 subnet: DNS, SMTP, HTTP, VPN, etc.
I have 2 other ISP links that we would like to utilize outside the ASA. ISP2 will replace ISP1. ISP3 would ideally be used exclusively for outbound requests (web browsing).
A wrench in the works is that we are 24/7 so minimizing downtime during this migration will be paramount. I would like to avoid a hot cut if at all possible. My first thought was to add subinterfaces on the outside interface then dot1q trunk to 3 external vlans - one for each ISP. This would allow me to transition external services at my convenience but I wasn't sure about how to deal with the outbound routing. I read this from the ASA CLI guide http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/route_static.html
You can define up to three equal cost default route entries per device. Defining more than one equal cost default route entry causes the traffic sent to the default route to be distributed among the specified gateways. When defining more than one default route, you must specify the same interface for each entry.
If you attempt to define more than three equal cost default routes, or if you attempt to define a default route with a different interface than a previously defined default route, you receive the following message:
"ERROR: Cannot add route entry, possible conflict with existing routes."
First of all, I'm not sure if I can or would want to put default routes out different subinterfaces - has anyone done this or attempted it in a lab? It's important that return traffic follow the same path as inbound, right?
I may opt for a single router for the ISP2 & 3 connections which would simplify the default route out of the ASA in the long term, but how would I make the transition off ISP1?
I can put a layer 3 switch outside the ASA but am running into the same mental roadblock with the outbound default route.
Any advice would be greatly appreciated regarding my design and transition plan. Thanks!
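For reference, here is what the subinterface-per-ISP layout sketched in the post looks like as ASA configuration, together with the default-route constraint quoted from the 8.2 guide. This is an added illustration, not configuration from the original poster or from Cisco's documentation; the VLAN IDs, interface names and the 198.51.100.0/24, 203.0.113.0/24 and 192.0.2.0/24 addresses are constructed placeholders (RFC 5737 documentation ranges), and the standby addresses assume the active/standby failover pair described in the post.

```cisco
! Added example, not from the original post. One physical outside port is
! 802.1Q trunked to three ISP VLANs, one subinterface per ISP.
! All VLAN IDs, nameifs and addresses below are constructed placeholders.
interface Ethernet0/0
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0.10
 vlan 10
 nameif outside-isp1
 security-level 0
 ip address 198.51.100.10 255.255.255.0 standby 198.51.100.11
!
interface Ethernet0/0.20
 vlan 20
 nameif outside-isp2
 security-level 0
 ip address 203.0.113.10 255.255.255.0 standby 203.0.113.11
!
interface Ethernet0/0.30
 vlan 30
 nameif outside-isp3
 security-level 0
 ip address 192.0.2.10 255.255.255.0 standby 192.0.2.11
!
! A single outbound path: the default route points at the ISP1 router
! (placeholder gateway address), metric 1.
route outside-isp1 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! Attempting a second equal-cost default route out a DIFFERENT
! subinterface is rejected, per the guide text quoted in the post:
!   route outside-isp3 0.0.0.0 0.0.0.0 192.0.2.1 1
!   ERROR: Cannot add route entry, possible conflict with existing routes.
!
! Equal-cost default routes are accepted only when they share one
! interface (up to three), e.g. two gateways on the ISP1 VLAN:
!   route outside-isp1 0.0.0.0 0.0.0.0 198.51.100.1 1
!   route outside-isp1 0.0.0.0 0.0.0.0 198.51.100.2 1
!
! Verify which default route(s) the ASA actually installed:
!   show route
!   show interface ip brief
```

The point the example makes visible is that the trunk itself is cheap to set up and lets each ISP's subnet be addressed on the ASA in parallel, but outbound traffic still follows one default route (or equal-cost routes on one interface), so a per-ISP policy such as "browsing out ISP3" is not expressible with `route` alone on this platform; `show route` after each change is the quickest way to confirm what was accepted.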