Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1944
  • Last Modified:

Cisco ASA5505 with Two Internet Connections

I am attempting to setup a new Cisco ASA5505 Firewall.

I have two DSL connections.  What I am trying to accomplish is have everyone on the network connecting through one DSL Connection and then have the second DSL used for my servers (email,web, etc).

Do I need the security plus bundle and DMZ capability?  Or can it be done without it?  I'm not looking for failover, just the ability to have both connections operational and have some port forwards through one DSL and other port forwards through DSL2.

I have setup my 0/0 interface with the first internet connection and have it operational.

I have tried setting up 0/1 as the second interface and then setting up Access Control and NAT rules on the second interface but I just can't figure it out.
Any help will be greatly appreciated.
0
truth_talker
Asked:
truth_talker
1 Solution
 
Marius GunnerudSenior Systems EngineerCommented:
yes you will need the security plus license to enable use of the 3rd VLAN.

for interface 0/1 are you trying to set that up for the LAN?  When you say you cant figure it out, could you please explane a little more of what is going wrong.

What version of ASA are you running?
0
 
lrmooreCommented:
You cannot use dual external connections for anything other than failover from one to the other. You cannot divide traffic like you want. The ASA is not capable of source-based routing which is required for your plan. We do this all the time on Cisco routers, but not on ASA.
Sorry to throw a monkey wrench in the plans..
0
 
Marius GunnerudSenior Systems EngineerCommented:
Ah of course, The ASA only supports one active default route at a time.  I forgot about that.
0
Big Data Means Big Business

In data-dependent industries like IT, finance, and healthcare, there’s a growing demand for qualified analysts to fill leadership roles. WGU’s MS in Data Analytics has IT certifications from Oracle and SAS built into its curriculum at a flat fee that could save you money.

 
Jeff MorlenNetwork EngineerCommented:
I concur.
Only one route can be active at a time.
0
 
pgolding00Commented:
all the above is correct, but this
http://www.packetu.com/2011/11/28/egress-interface-selection-on-the-cisco-asa/
might be useful. have not tested it myself, so cant guarantee that it works. and, as the article states, understand how arp behaves before trying to use this method. and note the comment towards the end about which link inbound traffic initiates on, because you are losing the ability to use tracking, sla and failure coverage of any form.

alternatively, put a router in front of the asa and connect the dsl links to that.
0
 
truth_talkerAuthor Commented:
Not sure how I did this or how I got it to work.  But I ended up enabling port 0/1 and blocking traffic to 0/1.  Then put two static routes in for the default gateways for both DSL connections.  I put a dynamic NAT on 0/0 and all the static NAT's/Access Rules on 0/1 and it's working.

May have an issue if I need to do static routes on 0/0, but shouldn't need that to my knowledge.
0
 
lrmooreCommented:
Sweet! Even us old dogs can learn new tricks!
0

Featured Post

Get Certified for a Job in Cybersecurity

Want an exciting career in an emerging field? Earn your MS in Cybersecurity and get certified in ethical hacking or computer forensic investigation. WGU’s MSCSIA degree program was designed to meet the most recent U.S. Department of Homeland Security (DHS) and NSA guidelines.  

Tackle projects and never again get stuck behind a technical roadblock.
Join Now