
Two ISPs and Cisco 5510

Posted on 2012-12-27
Medium Priority
Last Modified: 2013-01-15
Hi - I will be upgrading the ISP for my site and I was wondering what the best way to do that would be, especially with regard to our email server. I've done some research and it appears that I can connect two live ISP connections to my Cisco ASA 5510, but that I can only have one ISP connection live at any one time, so basically one is active and the other is the failover. So, I have:

ISP A - Old ISP, which will be retired in 8 months
ISP A Public IP
ISP B Public IP

I have the live Cisco ASA 5510 and a spare Cisco ASA 5505.

What's the best process for this?
Question by: merker19

Expert Comment

ID: 38725567
Configure for the average dual ISP scenario

You'll need to make sure you have all outside ACLs and NATs lined up, but for the most part it's a straightforward process. Make sure you are consoled in when making the routing (track) changes, as it can remove the default route completely if anything isn't right.

As for the email server, make sure your NAT and ACLs are set correctly. You'll need both reverse DNS records to be created, and your MX records can have priorities set to prefer your primary ISP.

Expert Comment

by:Sandeep Gupta
ID: 38726338
Better to put each ISP in a different VRF, like VRF A and VRF B, and create IPsec tunnels over those VRFs.

Since you want to make it active/passive, use the tunnel delay/BW properties.

Like: VRF A primary link, Tunnel A primary tunnel: delay 1000
VRF B secondary link, Tunnel B secondary tunnel: delay 5000

Author Comment

ID: 38726926
My apologies. I didn't complete my request.

I've seen that I CAN do the active/failover configuration with tracking on the Cisco ASA 5510, but I would like to have a scenario where I can have both ISPs working at once with:

User Group A using ISP A
User Group B using ISP B

The email server is on the DMZ on ISP A. Would it be possible to make it accessible by ISP B as well? To aid in the migration of the MX record? Or is there a better way? Thanks.

Accepted Solution

rauenpc earned 400 total points
ID: 38727119
The ASA can't do policy based routing, so you can't get the ASA to have two "default" routes. If you were to configure for multiple contexts, each context could have its own default route to allow you to utilize both ISP links at the same time. Each context would end up needing to be configured for ISP failover, otherwise the loss of one ISP would mean the loss of connectivity for one whole group of users. This also means that each context requires a public IP on both ISPs, so the ASA alone would take up 2 IPs per ISP.

As far as the outside world reaching the email server, the setup is pretty easy. You just need both reverse DNS records to be configured - there is nothing special that has to be done with this. Your MX records would end up like this. Let's say currently your MX record is mail.company.com with the default preference of 10. You would need to add an additional MX record of, say, mailbackup.company.com with a preference of 20. This way, any mail sent by you, regardless of which ISP it goes through, will have a correct reverse DNS record (both reverse records reference the primary mail.company.com, NOT mailbackup.company.com, because you only have the one server). When someone sends you email they will try the MX record with the lowest preference and if it times out they will try the next record in order of preference.
The email server/DMZ only needs to be in one of the existing contexts to be able to communicate with the outside world. The challenge will be communicating with internal machines. Your PBR would have to be able to direct that traffic appropriately, or your email server would need to have two interfaces - one with a default route for the internet, and the other connected internally with static routes to your private addresses.

Prior to users hitting the ASA you would have to come up with some way to either policy route, VRF, or separate via VLAN to ensure that A users enter Context A and B users enter Context B. I assume you want users to be able to communicate with each other directly, so the VLAN idea probably won't work and you'll end up needing to do PBR or VRFs with route sharing.

My personal recommendation would be to live with a failover-only scenario and not bother with the headaches involved with getting an ASA to act like a load-balancing router/firewall, especially if you're getting rid of one of the ISPs in less than a year. It's a great idea in theory, but in practice it's pretty tough and comes with compromises.

Oh yeah... if you do multiple contexts you can no longer do remote access VPN, and a site-to-site vpn would end up needing one tunnel per context for each destination.
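
The dual-ISP failover with route tracking that the first expert comment describes, together with the NAT, ACL and DNS arrangement for the mail server that the accepted solution describes, written out as one ASA configuration. This is an added example and not configuration posted by anyone in this thread. It assumes ASA 8.3 or later NAT syntax, interface names outsideA, outsideB, dmz and inside, RFC 5737 documentation addresses (203.0.113.0/24 for ISP A, 198.51.100.0/24 for ISP B), an inside network of 10.0.0.0/16 and a mail server at 172.16.1.25 in the DMZ; every address, object name and interface name is a placeholder.

```cisco
! Added example, not configuration from this thread. ASA 8.3+ NAT syntax.
! Addresses are RFC 5737 documentation ranges; substitute your own.
interface Ethernet0/0
 nameif outsideA
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Ethernet0/1
 nameif outsideB
 security-level 0
 ip address 198.51.100.2 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.0.0
!
! 1. Install the backup default route FIRST (high metric, inactive while the
!    primary exists) so that a mistake in the tracking config below cannot
!    leave the box with no default route at all.
route outsideB 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! 2. Probe ISP A. Pinging the ISP gateway only detects a dead link or gateway;
!    a target one hop beyond it also catches an upstream outage, but then needs
!    a host route out outsideA so the probe can never be answered via ISP B
!    after a failover (which would flap the track back up).
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outsideA
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! 3. Primary default route tied to the track object. When the probe fails the
!    route is withdrawn and the metric-254 route above becomes the only default
!    route. Only one default route is ever active: there is no policy-based
!    routing on this platform, so no per-user-group ISP selection.
route outsideA 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
!
! 4. Mail server: one real address, one public address per ISP, as twice NAT
!    with one rule per outside interface. Inbound SMTP on either public address
!    reaches the same server; outbound mail is sourced from the public address
!    belonging to whichever interface currently holds the active default route.
object network MAIL_SRV
 host 172.16.1.25
object network MAIL_PUB_A
 host 203.0.113.25
object network MAIL_PUB_B
 host 198.51.100.25
nat (dmz,outsideA) source static MAIL_SRV MAIL_PUB_A
nat (dmz,outsideB) source static MAIL_SRV MAIL_PUB_B
!
! 5. Everyone else PATs behind whichever outside interface is the egress.
object network INSIDE_NET
 subnet 10.0.0.0 255.255.0.0
nat (inside,outsideA) source dynamic INSIDE_NET interface
nat (inside,outsideB) source dynamic INSIDE_NET interface
!
! 6. Inbound ACLs reference the REAL (pre-NAT) address in 8.3+, and BOTH
!    outside interfaces need one; without the second ACL the backup MX path
!    is dead before it is ever used.
access-list OUTSIDE_A_IN extended permit tcp any object MAIL_SRV eq smtp
access-list OUTSIDE_B_IN extended permit tcp any object MAIL_SRV eq smtp
access-group OUTSIDE_A_IN in interface outsideA
access-group OUTSIDE_B_IN in interface outsideB
```

On the DNS side, the records the accepted solution describes would then be `company.com. MX 10 mail.company.com.` and `company.com. MX 20 mailbackup.company.com.`, with A records `mail.company.com. A 203.0.113.25` and `mailbackup.company.com. A 198.51.100.25`, and PTR records for both public addresses pointing to `mail.company.com` (the name the server announces in its EHLO). That is what keeps forward-confirmed reverse DNS consistent whichever ISP happens to carry the outbound mail. Before publishing the second MX record, check `show route`, `show sla monitor operational-state 10` and `show track 1` with ISP A up and again with its cable pulled, and make a test SMTP connection to 198.51.100.25 from outside while ISP A is still the active route: the reply has to leave via outsideB. The ASA normally forwards replies for an existing connection out the interface the connection arrived on rather than doing a fresh route lookup, but confirm that behaviour on your own code version rather than assuming it.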

Author Closing Comment

ID: 38779517
Thanks. It gives me some things to think about.
