• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1960

Configure multiple ISP links on a Cisco ASA 5520

Our organization currently has an ASA 5520 configured with a single ISP link.  We have purchased another circuit to provide redundancy.  The new link is actually a faster link, and we would like to configure this link as our primary, with the original serving as a backup.

I know the ASA allows configuration of a backup circuit with automatic failover based on tracking the primary route.  I know how to configure this.  But I'm afraid this is not going to work for us.

Here is my conundrum: Although we wish to configure the new link as the primary link, we have one device that absolutely must continue to utilize the public IP addresses provided by the ISP on the existing link. This is the link that would be configured as the backup link. I am afraid configuring this link as a backup will stop the ASA from forwarding this absolutely necessary traffic out the associated interface. Can anyone confirm or deny this?

My second thought is to configure the ASA to utilize both links simultaneously. I understand the ASA does not perform source-based routing, nor does it perform load balancing. However, this is not what I am looking to achieve. My idea is to simply have both links enabled, then to create a default route that points to the primary link, while creating a static route that pushes all traffic associated with the device I mentioned before to the existing link. Can the ASA effectively route traffic in this manner? Is it possible to configure multiple ISP links to be available simultaneously in this limited fashion?

My third idea is to install an upstream router with a single link to the ASA. I could then terminate both circuits at this device, and create ACLs to direct traffic in the manner mentioned above. This, however, would require the purchase of additional equipment, which I would like to avoid if at all possible.

Thank you in advance!
Asked by: firstbankak
1 Solution
 
MikeKane commented:
<< Can anyone confirm or deny this? >> Yes, with the Cisco firewall you can only have 1 default route to 1 ISP. The ASA can only fail over to the backup ISP; it cannot do any load balancing. Plus, remember that the failover is only a change in the default route and outside interface. So during a failover, all static NATs will probably be offline, and any L2L VPNs will also be offline since all traffic is now routed through a new ISP's IP address block.

Reference: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml


If you want load balancing, you will need a 3rd party device in front of the ASA.  

 
firstbankak (Author) commented:
This device is configured in our disaster recovery center. There are no other NAT rules to consider, beyond the one necessary for the aforementioned device which would need to communicate over the secondary link.

Is it possible to configure only one default route to the primary link, and then configure a static route to the secondary link for this single communication stream?  Or can only one of the two interfaces forward traffic?

Thank you greatly for your input.

 
MikeKane commented:
You can't have 2 routes with a destination of 0.0.0.0 0.0.0.0. But if you want to have 1 ISP on the outside and the 2nd ISP on a 2nd interface... you can assign static routes to the 2nd ISP, so long as you have the destination as something other than 0.0.0.0. So the 2nd interface can be used for 'known' destinations, but not all destinations. So if you are after having all traffic for 1 server come in through the 2nd interface... that's not going to happen. But if you want all traffic from a 66.77.88.99 public IP to come into the 2nd interface, you can assign a static route for that and that's doable.

If you are looking for load balancing, you'll need a 3rd device in front of the ASA....
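A worked configuration for the arrangement MikeKane describes above (one tracked default route on the new primary circuit, the original circuit kept as the failover default, and a specific static route to the original ISP's interface for the one known remote peer). This is an added example, not configuration from the thread or from Cisco's own documentation: the interface names, the addresses (RFC 5737 documentation ranges), the metrics, the SLA and track IDs, and the pre-8.3 style `static` NAT line are all assumptions that would be replaced with the site's real values.

```cisco
! Added example, not the asker's configuration. Addresses are placeholders.
! "outside" = new, faster circuit (primary); "backup" = original circuit.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif backup
 security-level 0
 ip address 198.51.100.2 255.255.255.248
!
! Only one default route is ever active. The primary one is tied to track 1;
! the backup one has a worse metric and is installed only when track 1 is down.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup  0.0.0.0 0.0.0.0 198.51.100.1 254
!
! The one known remote peer that must always be reached through the original
! ISP. Because the destination is specific, longest-prefix match selects this
! route over whichever default route is active, so it works in both states.
route backup 192.0.2.10 255.255.255.255 198.51.100.1 1
!
! Reachability test that drives the failover: ICMP echo toward the primary
! ISP gateway (a host beyond the gateway is a more honest test if it answers).
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! Static NAT for the device that must keep its public address on the original
! ISP's block (pre-8.3 syntax; 8.3+ uses object NAT). 10.10.10.5 is assumed.
static (inside,backup) 198.51.100.5 10.10.10.5 netmask 255.255.255.255
```

After applying it, `show route` should list the 192.0.2.10/32 route via `backup` alongside exactly one 0.0.0.0/0 entry, and `show track 1` shows whether the primary default is currently installed. The limitation MikeKane points out still holds: the ASA chooses the egress interface by destination only, so an inbound connection arriving on `backup` from a source other than the peer in the specific route would have its replies routed out the active default route, which is why this only works for a known, enumerable set of remote addresses.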
 
firstbankak (Author) commented:
Thank you kindly.