Configure multiple ISP links on a Cisco ASA 5520

Our organization currently has an ASA 5520 configured with a single ISP link. We have purchased another circuit to provide redundancy. The new link is actually a faster link, and we would like to configure this link as our primary, with the original serving as a backup.

I know the ASA allows configuration of a backup circuit with automatic failover based on tracking the primary route. I know how to configure this. But I'm afraid this is not going to work for us.

Here is my conundrum: although we wish to configure the new link as the primary link, we have one device that absolutely must continue to utilize the public IP addresses provided by the ISP on the existing link. This is the link that would be configured as the backup link. I am afraid configuring this link as a backup will stop the ASA from forwarding this absolutely necessary traffic out the associated interface. Can anyone confirm or deny this?

My second thought is to configure the ASA to utilize both links simultaneously. I understand the ASA does not perform source-based routing, nor does it perform load balancing. However, this is not what I am looking to achieve. My idea is to simply have both links enabled, then to create a default route that points to the primary link, while creating a static route that pushes all traffic associated with the device I mentioned before to the existing link. Can the ASA effectively route traffic in this manner? Is it possible to configure multiple ISP links to be available simultaneously in this limited fashion?

My third idea is to install an upstream router with a single link to the ASA. I could then terminate both circuits at this device and create ACLs to direct traffic in the manner mentioned above. This, however, would require the purchase of additional equipment, which I would like to avoid if at all possible.

Thank you in advance!
firstbankak asked:

MikeKane commented:
<< Can anyone confirm or deny this? >> Yes, with the Cisco firewall you can only have 1 default route to 1 ISP. The ASA can only fail over to the backup ISP; it cannot do any load balancing. Plus, remember that the failover is only a change in the default route and outside interface. So during a failover, all static NATs will probably be offline, and any L2L VPNs will also be offline since all traffic is now routed through a new ISP's IP address block.

Reference: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml


If you want load balancing, you will need a 3rd-party device in front of the ASA.

firstbankak (Author) commented:
This device is configured in our disaster recovery center. There are no other NAT rules to consider, beyond the one necessary for the aforementioned device, which would need to communicate over the secondary link.

Is it possible to configure only one default route to the primary link, and then configure a static route to the secondary link for this single communication stream?  Or can only one of the two interfaces forward traffic?

Thank you greatly for your input.

MikeKane commented:
You can't have 2 routes with a destination of 0.0.0.0 0.0.0.0. But if you want to have 1 ISP on the outside and a 2nd ISP on a 2nd interface, you can assign static routes to the 2nd ISP, so long as you have the destination as something other than 0.0.0.0. So the 2nd interface can be used for 'known' destinations, but not all destinations. So if you are after having all traffic for 1 server come in through the 2nd interface, that's not going to happen. But if you want all traffic from a 66.77.88.99 public IP to come into the 2nd interface, you can assign a static route for that, and that's doable.

If you are looking for load balancing, you'll need a 3rd device in front of the ASA.
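Putting MikeKane's answer into ASA configuration, as an added example that is not from the thread: one tracked default route on the new primary link, a floating default route on the original link, and a host-specific static route plus static NAT that keep the single device on the original ISP. Interface names, the pre-8.3 NAT syntax and all addresses (RFC 5737 documentation ranges) are assumptions.

```cisco
! Added example, not from the thread. Addresses and names are assumed.
!
! New, faster ISP (primary)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
! Original ISP (keeps its public block, used as backup)
interface GigabitEthernet0/1
 nameif backup
 security-level 0
 ip address 198.51.100.10 255.255.255.0
!
! Track reachability of the primary ISP gateway with ICMP echo
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! Primary default route is withdrawn when track 1 goes down;
! the metric-254 floating default route on backup then takes over.
! A second 0.0.0.0/0 route toward backup with the same metric is rejected.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! A more-specific route to a known remote peer is accepted, so traffic
! to 192.0.2.50 always leaves via the original ISP, failover or not
route backup 192.0.2.50 255.255.255.255 198.51.100.1 1
!
! Static NAT binding the special device (10.1.1.5) to its public address
! in the original ISP's block (pre-8.3 NAT syntax assumed)
static (inside,backup) 198.51.100.20 10.1.1.5 netmask 255.255.255.255
!
! Everything else is PATed behind whichever interface the route selects
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
```

Outbound traffic from 10.1.1.5 to any destination not covered by a more-specific route still follows the active default route, which is exactly the limitation MikeKane describes.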
firstbankak (Author) commented:
Thank you kindly.