Solved

More than 2 ISPs for a ASA5505

Posted on 2011-09-07
8
1,232 Views
Last Modified: 2012-05-12
Hello Experts.

I have a particular customer who's network upon discovery is a complete mess. In order to maintain connectivity at their location they have 5 ISPs at one site. Rather than go the logical method of connecting 2 circuits to a device and allow it to make the decision of what ISP to route through, they have physically split their network up where computers in the same room will use different ISPs. In a warehouse there are 3 PCs on each of the 5 networks. This is their IT consultants idea of "redundancy". I will need to resolve this issue as I do not wish to support that type of network. My question to you all out there is would it be possible to setup more than 2 ISPs for on a Cisco asa 5505. In the past I have setup dual ISP configurations, but none more than 2. Currently they have a watch guard e750 in place, but I do not think that that firewall is capable of handling multiple ISPs in that type of config. Is there a way of configuring more than 2 ISPs on either the watchgaurd or a cisco 5505?
0
Comment
Question by:vtinfo
  • 3
  • 2
8 Comments
 
LVL 36

Expert Comment

by:ArneLovius
ID: 36497039
The 5505 with a sec plus licence has "dual isp"

Are they using the 5 connections for inbound or outbound connectivity ?

What type of connections are each of the 5 ? Would they be better off replacing four of them with a single connection "fatter" connection and having a backup connection ?

I do work for one place that has a 100mb fibre connection, with FTTC (40mb/10mb) and a WiMax (2mb) as backup connections, but this is on a 5510 active/passive HA pair.
0
 
LVL 33

Accepted Solution

by:
MikeKane earned 500 total points
ID: 36497168
I don't think the ASA has the ability to use more than 2 ISPs in an active/passive type of config.    With all ASAs, you can only have 1 default route to 1 ISP at a time, the 2nd ISP is always just for backup.   There is no load balancing at all.      
0
 
LVL 36

Expert Comment

by:ArneLovius
ID: 36497188
@MikeKane The 5510 (like all ASAs) cannot do load balancing, but having tracked routes appears to work fine for inbound and outbound NAT/PAT failing over across three connections in sequence.
0
How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

 
LVL 33

Expert Comment

by:MikeKane
ID: 36506510
@ ArneLovius -    Correct that you can add routes for specific subnets to other ISPs, however, you can ever only have 1 default route to 1 ISP out through 1 interface.    

So if you want to have dual 'outside' interfaces, each to a different ISP, only 1 of those interfaces can route 0.0.0.0 0.0.0.0.   The other can certainly route specific subnets, but not a catch-all route.    This also opens up other issues where the session can be establshed on 1 adapter, but the answer comes from another sourced IP....  secure apps don't like this much.    

0
 
LVL 36

Expert Comment

by:ArneLovius
ID: 37485617
@MikeKane you can with route tracking, see http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

this provides you with multiple routes to 0.0.0.0 granted only one will be active at a time for outbound traffic, however you can connect to them for inbound traffic.
0
 

Author Closing Comment

by:vtinfo
ID: 37603739
Thank you for your response. Indeed the ASA can only use the two ISP connections at once. Luckily I had the site in questions re design their incredibly unorthodox network to use only the two connections.
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
Security is one of the biggest concerns when moving and migrating your data from your on-premise location to the Public Cloud.  Where is your data? Who can access it? Will it be safe from accidental deletion?  All of these questions and more are imp…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now