Solved

Two ISP's and Cisco 5510

Posted on 2012-12-27
649 Views
Last Modified: 2013-01-15
Hi. I will be upgrading the ISP for my site and I was wondering what the best way to do that would be, especially in regards to our email server. I've done some research and it appears that I can connect two live ISP connections to my Cisco ASA 5510, but that I can only have one ISP connection live at any one time, so basically one is active and the other is the failover. So basically, I have:

ISP A - Old ISP, which will be retired in 8 months
ISP A Public IP
ISP B - New ISP
ISP B Public IP

I have the live Cisco ASA 5510 and a spare Cisco ASA 5505.

What's the best process for this?
Question by: merker19
 
LVL 20

Expert Comment

by:rauenpc
ID: 38725567
Configure for the average dual ISP scenario:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

You'll need to make sure you have all outside ACLs and NATs lined up, but for the most part it's a straightforward process. Make sure you are consoled in when making the routing (track) changes, as it can remove the default route completely if anything isn't right.

As for the email server, make sure your NAT and ACLs are set correctly. You'll need both reverse DNS records to be created, and your MX records can have priority set to prefer your primary ISP.
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 38726338
Better to put each ISP in a different VRF, like VRFA and VRFB, and create IPSec tunnels over those VRFs.

Since you want to make it active/passive, use the tunnel delay/BW properties.

Like: VRF A primary link, TunnelA primary tunnel, delay 1000
VRF B secondary link, TunnelB secondary tunnel, delay 5000
 

Author Comment

by:merker19
ID: 38726926
My apologies. I didn't complete my request.

I've seen that I CAN do the active/failover configuration with tracking on the Cisco ASA 5510, but I would like to have a scenario where I can have both ISPs working at once with:

User Group A using ISP A
User Group B using ISP B

The email server is on the DMZ on ISP A. Would it be possible to make it accessible by ISP B as well? To aid in the migration of the MX record? Or is there a better way? Thanks.
 
LVL 20

Accepted Solution

by: rauenpc (earned 200 total points)
ID: 38727119
The ASA can't do policy based routing, so you can't get the ASA to have two "default" routes. If you were to configure for multiple contexts, each context could have its own default route to allow you to utilize both ISP links at the same time. Each context would end up needing to be configured for ISP failover, otherwise the loss of one ISP would mean the loss of connectivity for one whole group of users. This also means that each context requires a public IP on both ISPs, so the ASA alone would take up 2 IPs per ISP.

As far as the outside world reaching the email server, the setup is pretty easy. You just need both reverse DNS records to be configured; there is nothing special that has to be done with this. Your MX records would end up like this. Let's say currently your MX record is mail.company.com with the default preference of 10. You would need to add an additional MX record of, say, mailbackup.company.com with a preference of 20. This way, any mail sent by you, regardless of which ISP it goes through, will have a correct reverse DNS record (both reverse records reference the primary mail.company.com, NOT mailbackup.company.com, because you only have the one server). When someone sends you email they will try the MX record with the lowest preference and if it times out they will try the next record in order of preference.
The email server/DMZ only needs to be in one of the existing contexts to be able to communicate with the outside world. The challenge will be communicating with internal machines. Your PBR would have to be able to direct that traffic appropriately, or your email server would need to have two interfaces - one with a default route for the internet, and the other connected internally with static routes to your private addresses.

Prior to users hitting the ASA you would have to come up with some way to either policy route, VRF, or separate via VLAN to ensure that A users enter Context A and B users enter Context B. I assume you want users to be able to communicate with each other directly, so the VLAN idea probably won't work and you'll end up needing to do PBR or VRFs with route sharing.

My personal recommendation would be to live with a failover-only scenario and not bother with the headaches involved with getting an ASA to act like a load-balancing router/firewall, especially if you're getting rid of one of the ISPs in less than a year. It's a great idea in theory, but in practice it's pretty tough and comes with compromises.

Oh yeah... if you do multiple contexts you can no longer do remote access VPN, and a site-to-site VPN would end up needing one tunnel per context for each destination.
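The failover-only setup recommended above, written out as an added example (not the thread's own configuration and not Cisco's linked document): ISP A on `outside` tracked by an SLA probe, ISP B on `backup` as the metric-254 fallback, and the DMZ mail server translated to a public address on each link so it answers on both addresses that the two reverse DNS records point at. ASA 8.3+ NAT syntax is assumed; interface names, subnets and the 198.51.100.x (ISP A) and 203.0.113.x (ISP B) addresses are placeholders.

```cisco
! Added example, not from this thread. Placeholder addresses throughout.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
interface Ethernet0/1
 nameif backup
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Probe a host past ISP A's gateway (placeholder: ISP A's DNS resolver).
! Pinging the gateway itself only proves the local link is up, not the ISP.
sla monitor 10
 type echo protocol ipIcmpEcho 198.51.100.53 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! Primary default route is withdrawn when track 1 goes down,
! so the metric-254 route via ISP B takes over; it returns when the probe recovers.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route backup 0.0.0.0 0.0.0.0 203.0.113.1 254
!
! Dynamic PAT for inside users on whichever link currently holds the default route.
! A second object is needed because a network object carries only one NAT rule.
object network inside-net
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network inside-net-backup
 subnet 10.0.0.0 255.255.255.0
 nat (inside,backup) dynamic interface
!
! DMZ mail server: one public address per ISP. Manual NAT is bidirectional, so
! outbound mail sources from whichever address matches the active link; both
! PTR records must therefore resolve to the same mail host name.
object network mail-dmz
 host 172.16.1.25
object network mail-pub-a
 host 198.51.100.25
object network mail-pub-b
 host 203.0.113.25
nat (dmz,outside) source static mail-dmz mail-pub-a
nat (dmz,backup) source static mail-dmz mail-pub-b
!
! 8.3+ ACLs reference the real (untranslated) address.
access-list outside_in extended permit tcp any object mail-dmz eq smtp
access-list backup_in extended permit tcp any object mail-dmz eq smtp
access-group outside_in in interface outside
access-group backup_in in interface backup
```

Apply the `route ... track` lines from the console as the earlier comment advises; `show track 1` and `show route` confirm which default route is installed before and after a probe failure.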
 

Author Closing Comment

by:merker19
ID: 38779517
Thanks. It gives me some things to think about.