ASA 5520 Redundant Links Inbound/Outbound


OK, here's what I want to do, but I'm not exactly sure how to do it thus
far. On our ASA 5520 we have two "Outside" interfaces that come from
separate ISPs, and we have multiple statics available from both of
those ISPs. I have a DMZ and INSIDE interface also. The webserver and
two DNS servers are located in the DMZ. Our Exchange server is on the
inside network for obvious reasons. I want to have one IP from each
ISP NATed to the Exchange server and webserver. Please assume I have
followed this document for my primary/backup ISP setup:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
I would like to keep my current setup for failover of outbound traffic
in the event of a failure and add inbound access from both ISPs.
Thanks for any suggestions.


Re: ASA 5520 Redundant Links Inbound/Outbound


You do it the same way your primary NAT is.

static (inside,outside) <public ISP1> <exchange private> netmask 255.255.255.255
static (inside,outside2) <public ISP2> <exchange private> netmask 255.255.255.255

Don't forget to apply the ACL on the outside2 interface as well.
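As an added, fuller illustration of the reply above (this is example configuration written for this page, not config posted by Brian or taken from the Cisco document), here is what the pre-8.3 ASA config looks like once the failover tracking from the linked example, the outbound PAT, the per-ISP statics for both servers, and the ACLs on both outside interfaces are all in place. Every address is a constructed RFC 5737 documentation value; interface names follow the thread, and the ACL and SLA names are assumptions.

```cisco
! Added example (not from the thread): ASA 8.2-style config for inbound statics
! from two ISPs plus the ACLs on both outside interfaces. All addresses are
! constructed RFC 5737 documentation ranges; the interface names follow the
! thread (outside, outside2, inside, dmz).
!
! --- Failover routing (assumed to already follow the linked Cisco example) ---
! Probe ISP1's gateway; if it stops answering, withdraw the primary default route.
sla monitor 123
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! --- Outbound PAT on whichever outside interface the active default route uses ---
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (outside2) 1 interface
!
! --- Inbound statics: one public IP per ISP for each server ---
! Exchange (inside) at constructed private address 10.0.0.25
static (inside,outside)  203.0.113.25  10.0.0.25 netmask 255.255.255.255
static (inside,outside2) 198.51.100.25 10.0.0.25 netmask 255.255.255.255
! Web server (dmz) at constructed private address 172.16.0.80
static (dmz,outside)  203.0.113.80  172.16.0.80 netmask 255.255.255.255
static (dmz,outside2) 198.51.100.80 172.16.0.80 netmask 255.255.255.255
!
! --- Same permits on both outside interfaces; pre-8.3 ACLs match the public (pre-NAT) address ---
access-list outside_in extended permit tcp any host 203.0.113.25 eq smtp
access-list outside_in extended permit tcp any host 203.0.113.25 eq https
access-list outside_in extended permit tcp any host 203.0.113.80 eq www
access-list outside2_in extended permit tcp any host 198.51.100.25 eq smtp
access-list outside2_in extended permit tcp any host 198.51.100.25 eq https
access-list outside2_in extended permit tcp any host 198.51.100.80 eq www
access-group outside_in in interface outside
access-group outside2_in in interface outside2
```

Two things worth checking after applying something like this: that each outside ACL only permits the ports the servers actually need (the statics expose the whole host; the ACL is the only thing limiting it), and, as the rest of the thread explains, that you understand which ISP the reply traffic leaves through. With this config the ASA answers from whichever interface holds the active default route, so it gives you failover, not simultaneous inbound service on both ISPs.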



Re: ASA 5520 Redundant Links Inbound/Outbound

Thanks Brian, I'll give it a go in the lab environment.


Re: ASA 5520 Redundant Links Inbound/Outbound


Very welcome, this feature works flawlessly. So far we've got at least
2-3 dozen customers up on it. Using the ISP failover feature in conjunction
with a service such as dnsmadeeasy.com gives the customers full ISP
redundancy for very, very short money. Also, don't forget, you need a way to
dynamically update the DNS in the event of an ISP failure; that's where
companies like dnsmadeeasy come in.



Re: ASA 5520 Redundant Links Inbound/Outbound

Brian, in this scenario what happens if traffic comes in one
connection on the ASA and the server sends out a response? Will it go
out the default gateway, which is the primary connection at the time, or
will it go out the way it came in? Thanks.


Re: ASA 5520 Redundant Links Inbound/Outbound


Correct, it will be asymmetrical routing... in one pipe, out the other. Will
piss off a lot of things since a different IP will be replying.



Re: ASA 5520 Redundant Links Inbound/Outbound


You cannot have 2 active ISP connections on a single ASA; you can run in ISP
redundancy mode, which is active/passive. By 2 active ISPs I mean that
default route traffic, i.e. 0.0.0.0, will go out both pipes. You "could" have
site-to-site VPN tunnels on one and all default traffic go out the other; you
could also have the primary default fail over to the secondary. If you want
true load balancing, look into something like Radware or similar. Radware
Branch is a great box; we've got hundreds of them out there at different
customers.



Re: ASA 5520 Redundant Links Inbound/Outbound

Yeah, that won't necessarily work for us. We have a web presence and
host our own DNS etc. I'll have to find another way. I have a router
that I can throw in front to handle the ISPs with object tracking and
also Policy Based Routing to get it back out the correct pipe. I'm
thinking I can try to do something with Policy Based Routing and only
have one "outside" interface going into the ASA from the router; this
will save me an interface as well. Can you think of an easier/better
solution?
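For the design sketched in the last post (a router in front, one ASA "outside" interface, object tracking for the default route, and PBR so replies leave via the ISP whose address they carry), here is an added IOS example. It is not configuration from the thread or from any of the posters; interface names, the 10.1.1.0/24 link to the ASA, the /28 public blocks, and the route-map and ACL names are all assumptions, and the public addresses are constructed RFC 5737 ranges.

```cisco
! Added example (not from the thread): IOS router in front of a single ASA
! "outside" interface, with object tracking for the default route and PBR to
! send ISP2-addressed replies back via ISP2. Addresses are constructed RFC 5737
! ranges; interface names and the ASA-facing subnet are assumed.
!
! Gi0/0 -> ISP1 (203.0.113.0/24), Gi0/1 -> ISP2 (198.51.100.0/24), Gi0/2 -> ASA outside
!
! Reachability probe for ISP1's gateway
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Same for ISP2
ip sla 2
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 2 life forever start-time now
track 2 ip sla 2 reachability
!
! Primary default via ISP1 while its probe succeeds; floating static via ISP2 otherwise
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10 track 2
!
! Both public blocks live as statics on the ASA, so route them to the ASA's outside address
ip route 203.0.113.16 255.255.255.240 10.1.1.2
ip route 198.51.100.16 255.255.255.240 10.1.1.2
!
! Classify replies coming back from the ASA by which ISP's address they are sourced from
ip access-list extended FROM-ISP1-SPACE
 permit ip 203.0.113.16 0.0.0.15 any
ip access-list extended FROM-ISP2-SPACE
 permit ip 198.51.100.16 0.0.0.15 any
!
! Send each back out its own ISP; if that ISP's track is down, fall through to normal routing
route-map RETURN-PATH permit 10
 match ip address FROM-ISP2-SPACE
 set ip next-hop verify-availability 198.51.100.1 10 track 2
route-map RETURN-PATH permit 20
 match ip address FROM-ISP1-SPACE
 set ip next-hop verify-availability 203.0.113.1 10 track 1
!
! PBR is applied inbound on the interface the ASA's traffic arrives on
interface GigabitEthernet0/2
 description To ASA outside
 ip address 10.1.1.1 255.255.255.0
 ip policy route-map RETURN-PATH
```

With this in place the ASA still has a single outside interface and one set of statics per public block, and the router decides the exit link from the source address rather than from the default route, which is what removes the asymmetric-routing problem described earlier in the thread. The `verify-availability ... track` clauses matter: without them, PBR would keep forwarding toward a dead ISP gateway instead of letting the floating default route take over.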

