Cisco ASA 5505 with WAN Failover

I will be setting up a Cisco ASA 5505 (with security plus license) to handle two ISP connections: one active and the other standby for failover. I have found examples on how to do this with (this one is great: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml) but they are using software version 7.x. I have also found Cisco official configuration examples using software version 8.x (see: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml) but they require the use of two ASA units where I will only be using one.

I need to know how I am going to do this with software version 8.x with one device but I am having trouble finding proper documentation or examples.  Anyone?
twinstatevdv Asked:
 
kevinhsieh Commented:
Your first link looks correct. Many of the guides haven't been updated for 8.x, which is okay because much of the syntax hasn't changed. I use multiple ISP with tracking to handle ISP failover. It works great because even though I may have a BGP route from my ISP, they may not have good connectivity to the Internet. The second link you found is for clustering two ASA, which is different than having multiple ISP. Note that having multiple ISP will allow you to maintain outbound connectivity; when you fail over your public IP addresses will change.
0
 
kevinhsieh Commented:
That is, your public IP addresses will change and inbound connections will fail unless they get directed to the new addresses. Inbound mail is easy because you can just add MX records to DNS.
0
 
kevinhsieh Commented:
For other connections, a service like DNS Made Easy can monitor your servers and change the A records in DNS to point to the new ISP when appropriate, and then change them back to the original ISP when it comes back up. I use them and it works very well, especially for the price. Otherwise you need a global load balancer.
0
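
The single-ASA dual-ISP setup with tracking discussed above, as an added example that is not part of the original thread. It assumes pre-8.3 (8.0 to 8.2) NAT syntax; all addresses (RFC 5737 documentation ranges), the VLAN and port numbers, and the SLA and track IDs are constructed placeholders.

```cisco
! Added example; constructed values, not a configuration from the thread.
! Physical ports: Ethernet0/0 = primary ISP, Ethernet0/1 = backup ISP
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 3
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
interface Vlan3
 nameif backup
 security-level 0
 ip address 198.51.100.2 255.255.255.252
!
! Probe a host beyond the ISP's own gateway, so the track also fails when
! the ISP link is up but the ISP has lost connectivity to the Internet.
sla monitor 123
 type echo protocol ipIcmpEcho 192.0.2.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
!
track 1 rtr 123 reachability
!
! Primary default route is removed while track 1 is down;
! the backup route (metric 254) is then the only default route.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Outbound PAT on whichever interface is currently carrying traffic
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (backup) 1 interface
```

`show track 1` and `show route` show whether the probe is reachable and which default route is installed; any access lists, VPN or management services enabled on `outside` have to be applied to `backup` as well, or they will behave differently after a failover.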
 
twinstatevdv Author Commented:
Thank you very much for the valuable input. I was supposed to be installing the equipment today but it got delayed until next week, for which I am glad, so I can mull over your comments.

I do have a related question. I will be setting up SSL VPN on this firewall as well and wonder if I have to make any special accommodations during the setup because of the two links. For example, if the main link goes down and the standby becomes active, will users be able to vpn to the standby IP address?

If I am lucky I don't have to do anything beyond telling them to start their vpn connections using a different IP address; I could even use the DNS tool you mentioned to redirect vpn.acme.com to the alternate IP. Lemme know.
0
 
kevinhsieh Commented:
What I have is a regular router for my main ISP. My secondary ISP is Comcast and that router does NAT. If you use DNS Made Easy then users can just use the URL vpn.company.com and they will get the correct IP address.
0
 
twinstatevdv Author Commented:
I am finally working with the customer and things got more complicated. They don't use 1 ISP as primary and the other as standby. They currently have 2 separate firewalls (PIX 501 and 506) and internally their servers use one as a gateway and the user population uses the other as a gateway. That is to say, one internet connection is only for specific traffic designated for the servers and the other is for public internet access.

Currently those two firewalls have different IP addresses (let's say 10.0.0.1 and 10.0.0.254) which makes routing easy: just specify one gateway or the other on the machine based on your need. How do I accomplish this with one ASA5505?

Can I assign multiple internal IPs (the same as above) to the ASA 5505 (either to the same interface or to separate ones) or can I only use one?

If I can only use one, how do I tell certain requests for internet access to go out one ISP or the other? Can I do that based on the source IP?

Help!!!!
0
Question has a verified solution.