Two ISP's and Cisco 5510

Posted on 2012-12-27
Medium Priority
Last Modified: 2013-01-15
Hi - I will be upgrading the ISP for my site and I was wondering what the best way to do that would be, especially in regards to our email server. I've done some research and it appears that I can connect two live ISP connections to my Cisco ASA 5510, but that I can only have one ISP connection live at any one time, so basically one is active and the other is the failover. So basically, I have:

ISP A - Old ISP, which will be retired in 8 months
ISP A Public IP
ISP B Public IP

I have the live Cisco ASA 5510 and a spare Cisco ASA 5505.

What's the best process for this?
Question by: merker19
LVL 20

Expert Comment

ID: 38725567
Configure for the average dual ISP scenario

You'll need to make sure you have all outside ACLs and NATs lined up, but for the most part it's a straightforward process. Make sure you are consoled in when making the routing (track) changes, as it can remove the default route completely if anything isn't right.

As for the email server, make sure your NAT and ACLs are set correctly. You'll need both reverse DNS records to be created, and your MX records can have priority set to prefer your primary ISP.
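The "average dual ISP scenario" the comment above refers to is the ASA's SLA-monitor/track setup: a primary default route that is withdrawn when a probe fails, and a floating backup route that takes over. The configuration below is an added example, not posted by anyone in this thread; the interface names, IP addresses (taken from the RFC 5737 documentation ranges and RFC 1918), probe target, object names and ACL names are all constructed placeholders. It assumes ASA 8.3 or later NAT syntax and a single security context.

```cisco
! Added example (not from the thread): single-context ASA 5510 with two ISP
! interfaces, an SLA-tracked primary default route and a floating backup route.
! Every address, interface name and object name below is a constructed placeholder.
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
interface Ethernet0/1
 nameif backup
 security-level 0
 ip address 198.51.100.10 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.10.1 255.255.255.0
!
! Probe a host beyond ISP A's gateway (a placeholder resolver address here),
! not the gateway itself, so a dead upstream behind a live gateway still fails over.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.53 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
!
track 1 rtr 10 reachability
!
! Primary default route is removed when track 1 goes down; the backup route
! carries metric 254 so it is only used while the primary is withdrawn.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Publish the DMZ mail server on a public address from each ISP. A network
! object may carry only one object-NAT rule, so one object per outside interface.
object network mail-server-ispA
 host 172.16.10.25
 nat (dmz,outside) static 203.0.113.25
object network mail-server-ispB
 host 172.16.10.25
 nat (dmz,backup) static 198.51.100.25
!
! Post-8.3 ACLs reference the real (untranslated) address of the server.
access-list outside_access_in extended permit tcp any host 172.16.10.25 eq smtp
access-list backup_access_in extended permit tcp any host 172.16.10.25 eq smtp
access-group outside_access_in in interface outside
access-group backup_access_in in interface backup
```

Enter the `route` lines from the console, as the comment recommends: if the track never comes up (wrong probe target, ICMP filtered upstream), the tracked route is simply absent and the box is left with only the metric-254 path, or with none if the backup line was mistyped. `show track 1`, `show sla monitor operational-state 10` and `show route` confirm which default route is installed. Note that while the primary route is active, replies to SMTP connections arriving on the `backup` interface are routed out `outside`, so the ISP B address of the mail server is only usable once failover has actually occurred; that is the lack of policy-based routing the accepted answer describes.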

Expert Comment

by: Sandeep Gupta
ID: 38726338
Better to put each ISP in a different VRF, like VRFA and VRFB, and create IPsec tunnels over those VRFs.

Since you want to make it active/passive, then use tunnel delay/BW properties.

Like: VRF A primary link, TunnelA primary tunnel - delay 1000
VRF B secondary link, TunnelB secondary tunnel - delay 5000

Author Comment

ID: 38726926
My apologies. I didn't complete my request.

I've seen that I CAN do the active/failover configuration with tracking on the Cisco ASA 5510, but I would like to have a scenario where I can have both ISPs working at once with:

User Group A using ISP A
User Group B using ISP B

The email server is on the DMZ on ISP A. Would it be possible to make it accessible by ISP B as well? To aid in the migration of the MX record? Or is there a better way? Thanks.
LVL 20

Accepted Solution

rauenpc earned 400 total points
ID: 38727119
The ASA can't do policy based routing, so you can't get the ASA to have two "default" routes. If you were to configure for multiple contexts, each context could have its own default route to allow you to utilize both ISP links at the same time. Each context would end up needing to be configured for ISP failover, otherwise the loss of one ISP would mean the loss of connectivity for one whole group of users. This also means that each context requires a public IP on both ISPs, so the ASA alone would take up 2 IPs per ISP.

As far as the outside world reaching the email server, the setup is pretty easy. You just need both reverse DNS records to be configured - there is nothing special that has to be done with this. Your MX records would end up like this. Let's say currently your MX record is mail.company.com with the default preference of 10. You would need to add an additional MX record of, say, mailbackup.company.com with a preference of 20. This way, any mail sent by you, regardless of which ISP it goes through, will have a correct reverse DNS record (both reverse records reference the primary mail.company.com, NOT mailbackup.company.com, because you only have the one server). When someone sends you email they will try the MX record with the lowest preference and if it times out they will try the next record in order of preference.
The email server/DMZ only needs to be in one of the existing contexts to be able to communicate with the outside world. The challenge will be communicating with internal machines. Your PBR would have to be able to direct that traffic appropriately, or your email server would need to have two interfaces - one with a default route for the internet, and the other connected internally with static routes to your private addresses.

Prior to users hitting the ASA you would have to come up with some way to either policy route, VRF, or separate via VLAN to ensure that A users enter Context A and B users enter Context B. I assume you want users to be able to communicate with each other directly, so the VLAN idea probably won't work and you'll end up needing to do PBR or VRFs with route sharing.

My personal recommendation would be to live with a failover-only scenario and not bother with the headaches involved with getting an ASA to act like a load-balancing router/firewall, especially if you're getting rid of one of the ISPs in less than a year. It's a great idea in theory, but in practice it's pretty tough and comes with compromises.

Oh yeah... if you do multiple contexts you can no longer do remote access VPN, and a site-to-site VPN would end up needing one tunnel per context for each destination.

Author Closing Comment

ID: 38779517
Thanks. It gives me some things to think about.
