beardog1113 asked:

dual ISP on Cisco ASA firewall

Hello expert,
There are two ISP circuits connected to my ASA. I want to make internal users from different VLANs access the internet through different ISPs. Below is the configuration on the ASA, but it looks like it doesn't work: only VLAN 2 users can access the internet, so I need your suggestions.

Thank you

interface Ethernet0
 duplex full
 nameif outside
 security-level 0
 ip address 119.x.x.x
interface Ethernet1
 nameif inside
 security-level 100
 ip address

interface Ethernet5
 duplex full
 nameif outside2
 security-level 0
 ip address 59.x.x.x

access-list vlan2 extended permit ip any
access-list vlan3 extended permit ip any

global (outside) 1 interface
global (outside2) 2 interface
nat (inside) 1 access-list vlan2
nat (inside) 2 access-list vlan3

route outside 119.x.x.y 1
route outside2 59.x.x.y 2
Pete Long:

Mmm that looks like it should work - does the unit have a Security Plus Licence?
beardog1113:

PIX-01# sh ver

Cisco PIX Security Appliance Software Version 8.0(4)28
Device Manager Version 6.0(3)

Compiled on Wed 18-Mar-09 16:28 by builders
System image file is "flash:/pix804-28.bin"
Config file at boot was "startup-config"

PIX-01 up 36 days 2 hours

Hardware:   PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
 0: Ext: Ethernet0           : address is 0012.7fa6.9f5a, irq 10
 1: Ext: Ethernet1           : address is 0012.7fa6.9f5b, irq 11
 2: Ext: Ethernet2           : address is 000d.88ef.86d0, irq 11
 3: Ext: Ethernet3           : address is 000d.88ef.86d1, irq 10
 4: Ext: Ethernet4           : address is 000d.88ef.86d2, irq 9
 5: Ext: Ethernet5           : address is 000d.88ef.86d3, irq 5

Licensed features for this platform:
Maximum Physical Interfaces  : 10        
Maximum VLANs                : 100      
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled  
VPN-3DES-AES                 : Enabled  
Cut-through Proxy            : Enabled  
Guards                       : Enabled  
URL Filtering                : Enabled  
Security Contexts            : 2        
GTP/GPRS                     : Disabled  
VPN Peers                    : Unlimited

This platform has an Unrestricted (UR) license.

Serial Number: 809011166
Running Activation Key: 0xbccda1ab 0xbba07731 0xa39a8e84 0xa15e7818
Configuration last modified by enable_15 at 15:00:17.078 gmt Wed Jul 11 2012
harbor235: (this solution is only available to Experts Exchange members and is not shown)

Personally, I use a router on the outside of my ASA to route traffic to different ISPs. The router uses PBR to route the traffic to one ISP or the other, depending upon what the source (NAT) IP address is. The router also does checking to make sure that the route is actually available all the way to the Internet before forwarding traffic to that router. This way, I can send bulk web browsing traffic and such through Comcast, and then send important traffic through my regular ISP. If Comcast is down, traffic goes out my primary ISP. If my primary ISP is down, traffic goes out Comcast. I have the ASA tracking IP addresses also for routes, so that my Cisco WAN router is primary, but if that equipment dies then traffic can go out Comcast. So I pretty much always have Internet connectivity regardless of any particular router or WAN connection dying; as long as there is a way out, my equipment will use it automatically.

Yes, this is what I need.
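The asker's configuration and the last answer's mention of tracked routes both point at the same limitation, and the following added example (not the asker's config and not from any answer on this page) shows the part the PIX/ASA 8.0 image can do on its own. The caveat: on this release the egress interface is chosen by the routing table alone, so with a default route on outside at metric 1 and another on outside2 at metric 2 only the outside route is active, and the global (outside2) 2 pool is only consulted for traffic the routing table already sends to outside2. That is why VLAN 3 never gets out. What the box can do is monitor the primary gateway with sla monitor and a track object (route tracking as introduced in 7.2; assumed supported on this PIX image) and fail over the default route; steering VLAN 2 and VLAN 3 to different ISPs while both are up needs PBR on an upstream router, as the last answer describes. The subnets 10.2.0.0/24 and 10.3.0.0/24 and the gateway addresses 192.0.2.1 and 198.51.100.1 are constructed placeholders, and the policy NAT access-lists are written with the source subnet the asker's lines omit.

```cisco
! Added example, not the asker's running config. Assumes PIX/ASA 8.0(4),
! interfaces outside / outside2 / inside as in the question, VLAN 2 on
! 10.2.0.0/24 and VLAN 3 on 10.3.0.0/24 (constructed), ISP gateways
! 192.0.2.1 and 198.51.100.1 (constructed RFC 5737 placeholders).
!
! Policy NAT: each access-list must name its SOURCE subnet, not just "any",
! otherwise both lists match every internal host and only nat id 1 is used.
access-list vlan2 extended permit ip 10.2.0.0 255.255.255.0 any
access-list vlan3 extended permit ip 10.3.0.0 255.255.255.0 any
global (outside) 1 interface
global (outside2) 2 interface
nat (inside) 1 access-list vlan2
nat (inside) 2 access-list vlan3
!
! Reachability probe: ICMP echo to the primary ISP gateway, 3 packets every 5 s.
sla monitor 10
 type echo protocol ipIcmpEcho 192.0.2.1 interface outside
 num-packets 3
 frequency 5
sla monitor schedule 10 life forever start-time now
!
! Track object bound to the probe; the route that references it is withdrawn
! from the routing table while the probe fails and reinstalled on recovery.
track 1 rtr 10 reachability
!
! Primary default route is installed only while track 1 is up. The backup at
! metric 254 carries all traffic (NAT id 2 via outside2) only during an outage.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254
```

Verification after applying this is `show route` (only one 0.0.0.0/0 entry should be present at a time) and `show track 1` (state Up while the primary gateway answers). Note that with this design VLAN 3 hosts are translated behind outside2 only during a primary-ISP failure; during normal operation every internal host leaves via outside under NAT id 1, which is the observed "only VLAN 2 works" behaviour once the vlan3 list is corrected to a specific subnet and nat id 2 has no global on outside.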