Two ISPs and Cisco 5510

Posted on 2012-12-27
Last Modified: 2013-01-15
Hi, I will be upgrading the ISP for my site and I was wondering what the best way to do that would be, especially in regards to our email server. I've done some research and it appears that I can connect two live ISP connections to my Cisco ASA 5510, but that I can only have one ISP connection live at any one time, so basically one is active and the other is the failover. So basically, I have:

ISP A - Old ISP, which will be retired in 8 months
ISP A Public IP
ISP B - New ISP
ISP B Public IP

I have the live Cisco ASA 5510 and a spare Cisco ASA 5505.

What's the best process for this?
Question by: merker19

Expert Comment by: rauenpc
Configure for the average dual ISP scenario
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

You'll need to make sure you have all outside ACLs and NATs lined up, but for the most part it's a straightforward process. Make sure you are consoled in when making the routing (track) changes, as it can remove the default route completely if anything isn't right.

As for the email server, make sure your NAT and ACLs are set correctly. You'll need both reverse DNS records to be created, and your MX records can have priority set to prefer your primary ISP.

Expert Comment by: Sandeep Gupta
Better to put each ISP in a different VRF, like VRF A and VRF B, and create IPsec tunnels over those VRFs.

Since you want to make it active/passive, use tunnel delay/BW properties, like:

VRF A primary link, Tunnel A primary tunnel: delay 1000
VRF B secondary link, Tunnel B secondary tunnel: delay 5000

Author Comment by: merker19
My apologies. I didn't complete my request.

I've seen that I CAN do the active/failover configuration with tracking on the Cisco ASA 5510, but I would like to have a scenario where I can have both ISPs working at once with:

User Group A using ISP A
User Group B using ISP B

The email server is on the DMZ on ISP A. Would it be possible to make it accessible by ISP B as well, to aid in the migration of the MX record? Or is there a better way? Thanks.

Accepted Solution by: rauenpc (earned 200 total points)
The ASA can't do policy-based routing, so you can't get the ASA to have two "default" routes. If you were to configure for multiple contexts, each context could have its own default route to allow you to utilize both ISP links at the same time. Each context would end up needing to be configured for ISP failover, otherwise the loss of one ISP would mean the loss of connectivity for one whole group of users. This also means that each context requires a public IP on both ISPs, so the ASA alone would take up 2 IPs per ISP.

As far as the outside world reaching the email server, the setup is pretty easy. You just need both reverse DNS records to be configured; there is nothing special that has to be done with this. Your MX records would end up like this. Let's say currently your MX record is mail.company.com with the default preference of 10. You would need to add an additional MX record of, say, mailbackup.company.com with a preference of 20. This way, any mail sent by you, regardless of which ISP it goes through, will have a correct reverse DNS record (both reverse records reference the primary mail.company.com, NOT mailbackup.company.com, because you only have the one server). When someone sends you email, they will try the MX record with the lowest preference and if it times out they will try the next record in order of preference.
The email server/DMZ only needs to be in one of the existing contexts to be able to communicate with the outside world. The challenge will be communicating with internal machines. Your PBR would have to be able to direct that traffic appropriately, or your email server would need to have two interfaces - one with a default route for the internet, and the other connected internally with static routes to your private addresses.

Prior to users hitting the ASA you would have to come up with some way to either policy route, VRF, or separate via VLAN to ensure that A users enter Context A and B users enter Context B. I assume you want users to be able to communicate with each other directly, so the VLAN idea probably won't work and you'll end up needing to do PBR or VRFs with route sharing.

My personal recommendation would be to live with a failover-only scenario and don't bother with the headaches involved with getting an ASA to act like a load-balancing router/firewall, especially if you're getting rid of one of the ISP's in less than a year. It's a great idea in theory, but in practice it's pretty tough and comes with compromises.

Oh yeah... if you do multiple contexts you can no longer do remote access VPN, and a site-to-site vpn would end up needing one tunnel per context for each destination.
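The failover-only design recommended in the accepted solution, and the "outside ACLs and NATs lined up" that rauenpc's first comment refers to, look roughly like the following on a single-context ASA. This is an added worked example, not a configuration posted in the thread or taken from the linked Cisco document (which is written in pre-8.3 syntax). It assumes ASA 8.4 or later NAT syntax, a four-interface 5510 (outside = ISP A, backup = ISP B, dmz, inside), and RFC 5737 documentation addresses in place of the real public IPs: 198.51.100.0/24 for ISP A, 203.0.113.0/24 for ISP B, with 198.51.100.25 and 203.0.113.25 reserved for the mail server. The interface names, object names and ACL names are all choices made for the example.

```cisco
! --- Interfaces (all addresses are assumed RFC 5737 documentation ranges) ---
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.10 255.255.255.0
!
interface Ethernet0/1
 nameif backup
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! --- ISP A reachability probe: ICMP echo to ISP A's gateway every 10 s.
! Probing a host beyond the gateway (for example ISP A's DNS server) catches
! an upstream outage that a directly connected gateway would hide.
sla monitor 10
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! --- Default routes: the ISP A route is installed only while track 1 is up;
! the ISP B route (metric 254) is always present and wins once A is withdrawn.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route backup 0.0.0.0 0.0.0.0 203.0.113.1 254
!
! --- NAT. The same real host/subnet is defined twice because a network
! object carries at most one NAT statement and each ISP needs its own.
! Object NAT picks the rule by the egress interface the route lookup
! chose, so outbound flows follow the tracked default route automatically.
object network mail-server
 host 172.16.1.25
object network mail-server-ispa
 host 172.16.1.25
 nat (dmz,outside) static 198.51.100.25
object network mail-server-ispb
 host 172.16.1.25
 nat (dmz,backup) static 203.0.113.25
object network inside-net
 subnet 10.0.0.0 255.255.255.0
object network inside-net-ispa
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network inside-net-ispb
 subnet 10.0.0.0 255.255.255.0
 nat (inside,backup) dynamic interface
!
! --- Inbound ACLs (on 8.3+ the ACL references the real, untranslated address).
! Only SMTP reaches the mail server from either ISP; everything else is logged and dropped.
access-list outside_in extended permit tcp any object mail-server eq smtp
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
access-list backup_in extended permit tcp any object mail-server eq smtp
access-list backup_in extended deny ip any any log
access-group backup_in in interface backup
!
! --- DMZ egress: the mail server may send mail and resolve names, but may
! not open connections into the inside network.
access-list dmz_out extended deny ip object mail-server object inside-net log
access-list dmz_out extended permit tcp object mail-server any eq smtp
access-list dmz_out extended permit udp object mail-server any eq domain
access-list dmz_out extended deny ip any any log
access-group dmz_out in interface dmz
```

Check it before trusting it: `show track 1` and `show route` should show the tracked ISP A default route installed, and `packet-tracer input dmz tcp 172.16.1.25 1025 192.0.2.1 25` shows which default route and which NAT rule an outbound flow from the mail server takes; unplug ISP A, wait for the probe to fail, and repeat to confirm the flow now leaves via `backup` with source 203.0.113.25. As rauenpc says, make the route and track changes from the console, since a mistyped track statement can drop the only default route. On the DNS side, the records the accepted solution describes are A records for mail.company.com (198.51.100.25) and mailbackup.company.com (203.0.113.25), MX 10 and MX 20 respectively, plus PTR records for both public addresses. One caveat on the PTRs: receivers that do forward-confirmed reverse DNS expect the PTR name to resolve back to the sending IP, so if both PTRs point at mail.company.com, give mail.company.com an A record for both addresses (or point the ISP B PTR at mailbackup.company.com) so mail relayed during a failover still passes that check.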

Author Closing Comment by: merker19
Thanks. It gives me some things to think about.