Solved

Cisco ASA5505 with Two Internet Connections

Posted on 2013-01-20
Last Modified: 2013-01-23
I am attempting to set up a new Cisco ASA5505 Firewall.

I have two DSL connections.  What I am trying to accomplish is have everyone on the network connecting through one DSL Connection and then have the second DSL used for my servers (email, web, etc.).

Do I need the security plus bundle and DMZ capability?  Or can it be done without it?  I'm not looking for failover, just the ability to have both connections operational and have some port forwards through one DSL and other port forwards through DSL2.

I have set up my 0/0 interface with the first internet connection and have it operational.

I have tried setting up 0/1 as the second interface and then setting up Access Control and NAT rules on the second interface but I just can't figure it out.
Any help will be greatly appreciated.
Question by:truth_talker
7 Comments
 
LVL 17

Expert Comment

by:MAG03
ID: 38799261
Yes, you will need the Security Plus license to enable use of the 3rd VLAN.

For interface 0/1, are you trying to set that up for the LAN?  When you say you can't figure it out, could you please explain a little more of what is going wrong.

What version of ASA are you running?
 
LVL 79

Expert Comment

by:lrmoore
ID: 38799567
You cannot use dual external connections for anything other than failover from one to the other. You cannot divide traffic like you want. The ASA is not capable of source-based routing which is required for your plan. We do this all the time on Cisco routers, but not on ASA.
Sorry to throw a monkey wrench in the plans.
 
LVL 17

Expert Comment

by:MAG03
ID: 38800303
Ah, of course. The ASA only supports one active default route at a time.  I forgot about that.
 
LVL 3

Expert Comment

by:jeffmorlen
ID: 38801374
I concur.
Only one route can be active at a time.
 
LVL 8

Accepted Solution

by: pgolding00 (earned 500 total points)
ID: 38803720
All the above is correct, but this
http://www.packetu.com/2011/11/28/egress-interface-selection-on-the-cisco-asa/
might be useful. I have not tested it myself, so I can't guarantee that it works. And, as the article states, understand how ARP behaves before trying to use this method. Also note the comment towards the end about which link inbound traffic initiates on, because you are losing the ability to use tracking, SLA and failure coverage of any form.

Alternatively, put a router in front of the ASA and connect the DSL links to that.
 

Author Comment

by:truth_talker
ID: 38803759
Not sure how I did this or how I got it to work.  But I ended up enabling port 0/1 and blocking traffic to 0/1.  Then I put two static routes in for the default gateways for both DSL connections.  I put a dynamic NAT on 0/0 and all the static NATs/Access Rules on 0/1 and it's working.

May have an issue if I need to do static routes on 0/0, but shouldn't need that to my knowledge.
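The layout truth_talker describes (dynamic NAT on one outside interface, the server port forwards on the other, two default-gateway routes) lines up with the ASA 8.3+ behaviour the packetu article covers: for a static NAT rule, the ASA picks the egress interface from the NAT rule's mapped interface rather than from the routing table, so traffic to and from the published server leaves by the second DSL link while everything else follows the active default route. The configuration below is an added illustration of that arrangement; it is not the asker's config and not quoted from anyone in the thread. The VLAN numbers, interface names, object names, the server's inside address and the addresses on the DSL links (RFC 5737 documentation ranges) are all assumed placeholders, and the second default route is only ever a standby entry (the ASA installs the lower-metric one), which is exactly the point pgolding00 makes about losing SLA tracking and failover.

```text
! Added example, ASA 5505 with 8.3+ NAT syntax. All names and addresses are placeholders.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! DSL 1: general workstation traffic
interface Vlan2
 nameif outside1
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
! DSL 2: published servers
interface Vlan3
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 3
!
! Two default-gateway routes as in the asker's description. Only the metric-1
! route is active; the metric-254 entry is a floating standby, not load sharing.
route outside1 0.0.0.0 0.0.0.0 203.0.113.1 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Workstations: dynamic PAT behind outside1's address, so user traffic uses DSL 1.
object network inside-net
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside1) dynamic interface
!
! Web server: static port forward whose mapped interface is outside2. Because
! the NAT rule names outside2, the ASA uses outside2 as the egress interface
! for this server's translated flows, independent of the default route.
object network web-server
 host 192.168.1.10
 nat (inside,outside2) static interface service tcp 80 80
!
! Inbound on DSL 2, permit only the published port (8.3+: ACL uses the real address).
access-list outside2_in extended permit tcp any object web-server eq 80
access-group outside2_in in interface outside2
```

Before relying on this, check two things the thread warns about: confirm with `show route` that only one default route is installed, and watch the ARP behaviour on outside2 (the upstream DSL router must answer for the next hop on that segment), since no SLA or track is protecting either link if it goes down.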
 
LVL 79

Expert Comment

by:lrmoore
ID: 38812903
Sweet! Even us old dogs can learn new tricks!