More than 2 ISPs for an ASA5505

Hello Experts.

I have a particular customer whose network upon discovery is a complete mess. In order to maintain connectivity at their location they have 5 ISPs at one site. Rather than go the logical method of connecting 2 circuits to a device and allowing it to make the decision of what ISP to route through, they have physically split their network up where computers in the same room will use different ISPs. In a warehouse there are 3 PCs on each of the 5 networks. This is their IT consultant's idea of "redundancy". I will need to resolve this issue as I do not wish to support that type of network. My question to you all out there is: would it be possible to set up more than 2 ISPs on a Cisco ASA 5505? In the past I have set up dual ISP configurations, but none more than 2. Currently they have a WatchGuard e750 in place, but I do not think that that firewall is capable of handling multiple ISPs in that type of config. Is there a way of configuring more than 2 ISPs on either the WatchGuard or a Cisco 5505?
Asked by: vtinfo
 
ArneLovius Commented:
The 5505 with a sec plus licence has "dual isp"

Are they using the 5 connections for inbound or outbound connectivity?

What type of connections are each of the 5? Would they be better off replacing four of them with a single "fatter" connection and having a backup connection?

I do work for one place that has a 100mb fibre connection, with FTTC (40mb/10mb) and a WiMax (2mb) as backup connections, but this is on a 5510 active/passive HA pair.
 
MikeKane Commented:
I don't think the ASA has the ability to use more than 2 ISPs in an active/passive type of config. With all ASAs, you can only have 1 default route to 1 ISP at a time; the 2nd ISP is always just for backup. There is no load balancing at all.
 
ArneLovius Commented:
@MikeKane The 5510 (like all ASAs) cannot do load balancing, but having tracked routes appears to work fine for inbound and outbound NAT/PAT failing over across three connections in sequence.
 
MikeKane Commented:
@ArneLovius - Correct that you can add routes for specific subnets to other ISPs, however, you can only ever have 1 default route to 1 ISP out through 1 interface.

So if you want to have dual 'outside' interfaces, each to a different ISP, only 1 of those interfaces can route 0.0.0.0 0.0.0.0. The other can certainly route specific subnets, but not a catch-all route. This also opens up other issues where the session can be established on 1 adapter, but the answer comes from another sourced IP... secure apps don't like this much.

 
ArneLovius Commented:
@MikeKane you can with route tracking, see http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

This provides you with multiple routes to 0.0.0.0. Granted, only one will be active at a time for outbound traffic; however, you can connect to them for inbound traffic.
0
 
vtinfo (Author) Commented:
Thank you for your response. Indeed the ASA can only use the two ISP connections at once. Luckily I had the site in question redesign their incredibly unorthodox network to use only the two connections.