ASA 5510 Prioritize traffic for DMZ

Currently, we have only a minimal 1.5/1.5 Mbps partial T1 dedicated to our office. There are about 15 users of the internet throughout the day. We also have a Cisco ASA that separates our internal network from our DMZ, where our web server hosts our Apache/PHP/MySQL application. Our web usually has around 15 simultaneous users, and lately those users have been complaining a lot about speed issues. I have been monitoring the bandwidth usage throughout the days, and it seems that the internal network seems to demand and is granted most of the bandwidth, and the web application suffers for it.

I have a couple options here I think.

First option:
Keep both the internal network and DMZ using the same partial T1 but somehow allow the DMZ to have a higher priority to use the bandwidth whenever it is needed. I thought I was on the right track when I was trying to play with Priority Queues in the ASDM, but I was unable to really prevent the Inside from using all the bandwidth when the DMZ was demanding it at the same time. How else could I do this?

Second Option:
We also have a Business cable internet connection as a backup. For the internal network's demands, the business cable would actually be better since the download is much better. Is there a way to have dual ISPs connected to the ASA and have the inside interface's internet traffic always go through the Business cable while having the DMZ traffic going through the T1? I would imagine that I would need a better license on the firewall, but I am not sure about this either.

Are there any third or better options out there?

Any help is appreciated.
paul_ohm Asked:
 
ngaba Commented:
I kind of have the same thing. I have 2 T1s and cable internet. And I have some policy maps set so that all traffic destined for port 80 and 443 from a specified subnet. Not sure if you can do it on the ASA though. I have mine all going through a router.
 
gabrielmartinez Commented:
Hi,

You can create dynamic routes. Traffic from Internal goes to the Business cable and DMZ traffic goes to T1.

Regards
 
paul_ohm (Author) Commented:
Do I need a failover license for this ability? Can anyone else confirm that this is possible? I know that Policy Based Routing is not available on any ASAs, so does this not qualify as that?
 
paul_ohm (Author) Commented:
ngaba, what you are doing is Policy Based Routing (PBR). I know that this is not possible on the ASA, at least for now. However, I do not need traffic to be routed based on protocol, but rather by interface. So all traffic from the inside interface would use one of the internet connections (Cable) and the DMZ would use only the T1. This seems simpler than policy-based routing; I am just not sure if it can be done through multiple static routes or not.

Can anyone help me?
Question has a verified solution.
