Solved

More than 2 ISPs for an ASA5505

Posted on 2011-09-07
Last Modified: 2012-05-12
Hello Experts.

I have a particular customer whose network, upon discovery, is a complete mess. In order to maintain connectivity at their location they have 5 ISPs at one site. Rather than go the logical method of connecting 2 circuits to a device and allowing it to make the decision of what ISP to route through, they have physically split their network up so that computers in the same room will use different ISPs. In a warehouse there are 3 PCs on each of the 5 networks. This is their IT consultant's idea of "redundancy". I will need to resolve this issue as I do not wish to support that type of network. My question to you all out there is: would it be possible to set up more than 2 ISPs on a Cisco ASA 5505? In the past I have set up dual ISP configurations, but none with more than 2. Currently they have a WatchGuard e750 in place, but I do not think that that firewall is capable of handling multiple ISPs in that type of config. Is there a way of configuring more than 2 ISPs on either the WatchGuard or a Cisco 5505?
Question by:vtinfo
8 Comments
 
LVL 37

Expert Comment

by:ArneLovius
ID: 36497039
The 5505 with a sec plus licence has "dual isp".

Are they using the 5 connections for inbound or outbound connectivity?

What type of connections are each of the 5? Would they be better off replacing four of them with a single "fatter" connection and having a backup connection?

I do work for one place that has a 100mb fibre connection, with FTTC (40mb/10mb) and a WiMax (2mb) as backup connections, but this is on a 5510 active/passive HA pair.
 
LVL 33

Accepted Solution

by:
MikeKane earned 500 total points
ID: 36497168
I don't think the ASA has the ability to use more than 2 ISPs in an active/passive type of config. With all ASAs, you can only have 1 default route to 1 ISP at a time; the 2nd ISP is always just for backup. There is no load balancing at all.
 
LVL 37

Expert Comment

by:ArneLovius
ID: 36497188
@MikeKane The 5510 (like all ASAs) cannot do load balancing, but having tracked routes appears to work fine for inbound and outbound NAT/PAT failing over across three connections in sequence.
 
LVL 33

Expert Comment

by:MikeKane
ID: 36506510
@ArneLovius - Correct that you can add routes for specific subnets to other ISPs; however, you can only ever have 1 default route to 1 ISP out through 1 interface.

So if you want to have dual 'outside' interfaces, each to a different ISP, only 1 of those interfaces can route 0.0.0.0 0.0.0.0. The other can certainly route specific subnets, but not a catch-all route. This also opens up other issues where the session can be established on 1 adapter, but the answer comes from another sourced IP.... secure apps don't like this much.

 
LVL 37

Expert Comment

by:ArneLovius
ID: 37485617
@MikeKane you can with route tracking, see http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

This provides you with multiple routes to 0.0.0.0; granted, only one will be active at a time for outbound traffic, however you can connect to them for inbound traffic.
 

Author Closing Comment

by:vtinfo
ID: 37603739
Thank you for your response. Indeed the ASA can only use the two ISP connections at once. Luckily I had the site in question redesign their incredibly unorthodox network to use only the two connections.
