Dual ISP Support on Cisco ASA 5520 Firewall


krishnagondi (IS-IT--Management), Feb 10, 2003, IN
Hi, I am having one ISP link terminated and used for Internet purposes; we are planning to have another Internet link from another ISP dedicated for site-to-site VPN. Can somebody assist me on whether this kind of setup is possible with a Cisco ASA 5520?

Thanks,

Siva
 
Where is the link terminating to? The existing router or a new router? This is definitely "doable" either way. You can set up policy routing on the router if you are adding a new link to it, or if adding a new router you can set a host route pointing the traffic to the destination crypto peer to the new router.

Free Firewall/Network/Systems Support-
 
Oh. The other question is: are you going to terminate this on another Pix interface? The issue would be return traffic. If you use the existing interface for the crypto termination, all return traffic would flow through the original ISP's network (asynchronous routing). You may want to terminate this on a different interface on the Pix with an IP address that is routable with the new ISP.

Free Firewall/Network/Systems Support-
 
Networkghost,

Thanks for your reply; let me put my question with more clarity.

1) At present we are having ISP1 terminated directly on an ASA firewall Ethernet interface (say eth0). Currently this link is being used for Internet browsing.
2) We are planning to have ISP2, which will be terminated on another Ethernet interface of the ASA firewall (say eth2). Planning to use this ISP2 dedicated for IPsec site-to-site VPN with the remote office.
Once the above config works...
3) We wish to use these two links in redundant mode. For example, if ISP1 goes down, all the Internet users' traffic must flow through ISP2; the same way, if ISP2 goes down, IPsec tunnel traffic is to flow through ISP1.

Let me know whether the above requirement can be fulfilled with the ASA box.

Thanks,

Siva

 
Supergrrower,

Thanks for the link, I have already gone through the same. As per this link, at any point of time only one ISP link is active and the 2nd ISP acts as backup; whenever one link goes down the second will take over. But both links are not active.

Thanks,

Siva
 
It doesn't seem that you can have multiple watched static routes.
You can make a static route for the VPN go out one interface and the default route the other interface. Then have it monitor the most important of the 2 routes (VPN or Internet). That would provide at least a little redundancy.

To get really fancy, I am sure that this event can fire off SNMP, syslog, or email. You can have a watching station listen for that specific event and run a script to react, either changing the VPN or the Internet route. That seems more complicated than it's worth, but if it's what you need...

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
You could have the directly connected routers feeding the default routes to the ASA via RIP or OSPF.

Or you could add 2 routes in your routing table for your default gateway with different metrics. I haven't done this before, but it seems like it would work fine.

I don't think you'll see the route with the highest metric in your table until the main route is unavailable.

Just change the interface for the second route to match your 2nd ISP int. This can and should be tested after implementation.

route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
route outside 0.0.0.0 0.0.0.0 192.168.0.2 2

ciscoasa(config)# sh route

S 0.0.0.0 0.0.0.0 [1/0] via 192.168.0.1, outside
C 192.168.0.0 255.255.255.0 is directly connected, outside
ciscoasa(config)# sh route outside 0.0.0.0 0.0.0.0

S 0.0.0.0 0.0.0.0 [1/0] via 192.168.0.1, outside
ciscoasa(config)# sh run | i 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
route outside 0.0.0.0 0.0.0.0 192.168.0.2 2

ciscoasa(config)# no route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
ciscoasa(config)# sh run | i 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.0.2 2

Free Firewall/Network/Systems Support-
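Putting the thread's suggestions together (a tracked default route out ISP1, a floating default route out ISP2, and a host route that pins the VPN peer to ISP2), as an added example that is not from any poster. Interface names, addresses, the probe target and the peer address are constructed placeholders.

```text
! Added example, not from the thread. Two ISP-facing interfaces on an ASA;
! all names and addresses below are constructed placeholders.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/2
 nameif isp2
 security-level 0
 ip address 198.51.100.2 255.255.255.248
!
! Probe a host reachable only via ISP1. Probing the directly connected
! gateway only detects a dead link; a target beyond it also catches an
! upstream outage, which is what users actually experience.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! Primary default route is withdrawn when track 1 goes down; the metric-254
! floating route then installs and Internet traffic shifts to ISP2.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route isp2 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Host route for the remote-office peer so the tunnel is sourced from the
! isp2 address and the peer's replies return on the same interface, which
! avoids the asymmetric return path described earlier in the thread.
route isp2 192.0.2.10 255.255.255.255 198.51.100.1 1
```

Each ISP-facing interface needs its own NAT to its own ISP address, otherwise traffic that fails over to ISP2 leaves with an ISP1 source address and never gets a reply. Failing the VPN back to ISP1 when ISP2 dies needs the crypto map applied to both interfaces and a second tracked host route for the peer, which this fragment does not cover.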
 