ASA 5510 Prioritize traffic for DMZ

Currently, we have only a minimal 1.5/1.5Mbps Partial T1 dedicated to our office. There are about 15 users of the internet throughout the day. We also have a Cisco ASA that separates our internal network from our DMZ where our web server hosts our Apache/PHP/MySQL application. Our web usually has around 15 simultaneous users and lately, those users have been complaining a lot about speed issues. I have been monitoring the bandwidth usage throughout the days, and it seems that the internal network seems to demand and is granted most of the bandwidth, and the web application suffers for it.

I have a couple options here I think.

First option:
Keep both the internal network and DMZ using the same partial T1 but somehow allow the DMZ to have a higher priority to use the bandwidth whenever it is needed. I thought I was on the right track when I was trying to play with Priority Queues in the ASDM, but I was unable to really prevent the Inside from using all the bandwidth when the DMZ was demanding it at the same time. How else could I do this?

Second Option:
We also have a Business cable internet connection as a backup. For the internal network's demands, the business cable would actually be better since the download is much better. Is there a way to have dual ISPs connected to the ASA and have the inside interface's internet traffic always go through the Business cable while having the DMZ traffic going through the T1? I would imagine that I would need a better license on the firewall, but I am not sure about this either.

Are there any third or better options out there?

Any help is appreciated.


You can create dynamic routes. Traffic from Internal goes to the Business cable and DMZ traffic goes to T1.

paul_ohm (Author) Commented:
Do I need a failover license for this ability? Can anyone else confirm that this is possible? I know that Policy Based Routing is not available on any ASAs, so does this not qualify as that?

I kind of have the same thing. I have 2 T1s and cable internet. And I have some policy maps set so that all traffic destined for port 80 and 443 from a specified subnet. Not sure if you can do it on the ASA though. I have mine all going through a router.

paul_ohm (Author) Commented:
ngaba, what you are doing is Policy Based Routing (PBR). I know that this is not possible on the ASA, at least for now. However, I do not need traffic to be routed based on protocol, but rather by interface. So all traffic from the inside interface would use one of the internet connections (Cable) and the DMZ would use only the T1. This seems more simple than policy based routing, I am just not sure if it can be done through multiple static routes or not.

Can anyone help me?