ASA 5520 Redundant Links Inbound/Outbound

OK, here's what I want to do, but I'm not exactly sure how to do it thus far. On our ASA 5520 we have two "outside" interfaces that come from separate ISPs, and we have multiple statics available from both of those ISPs. I have a DMZ and an INSIDE interface also. The web server and two DNS servers are located in the DMZ. Our Exchange server is on the inside network, for obvious reasons. I want to have one IP from each ISP NATed to the Exchange server and the web server. Please assume I have followed this document for my primary/backup ISP setup:

I would like to keep my current setup for failover of outbound traffic in the event of a failure and add inbound access from both ISPs. Thanks for any suggestions.

-- Nick Your Company Computer Guy

> I would like to keep my current setup for failover of outbound traffic

You do it the same way your primary NAT is:

    static (inside,outside)  isp1_mapped_ip real_ip netmask 255.255.255.255
    static (inside,outside2) isp2_mapped_ip real_ip netmask 255.255.255.255

Don't forget to apply the ACL on the outside2 interface as well.

-- Brian V

Thanks Brian I'll give it a go in the Lab environment.

-- Nick Your Company Computer Guy

Very welcome, this feature works flawlessly. So far we've got at least 2-3 dozen customers up on it. Using the ISP failover feature in conjunction with a service such as dnsmadeeasy.com gives the customers full ISP redundancy for very, very short money. Also, don't forget, you need a way to dynamically update the DNS in the event of an ISP failure; that's where companies like dnsmadeeasy come in.

-- Brian V

Brian, in this scenario what happens if traffic comes in one connection on the ASA and the server sends out a response? Will it go out the default gateway, which is the primary connection at the time, or will it go out the way it came in? Thanks.

-- Nick Your Company Computer Guy

Correct, it will be asymmetrical routing... in one pipe, out the other. It will piss off a lot of things, since a different IP will be replying.

-- Brian V

Yeah, that won't necessarily work for us. We have a web presence and host our own DNS, etc. I'll have to find another way. I have a router that I can throw in front to handle the ISPs with object tracking, and also policy-based routing to get it back out the correct pipe. I'm thinking I can try to do something with policy-based routing and only have one "outside" interface going into the ASA from the router; this will save me an interface as well. Can you think of an easier/better solution?

-- Nick Your Company Computer Guy

You cannot have two active ISP connections on a single ASA; you can run in ISP redundancy mode, which is active/passive. By two active ISPs I mean that default route traffic, i.e. 0.0.0.0, will go out both pipes. You "could" have site-to-site VPN tunnels on one and all default traffic go out the other; you could also have the primary default fail over to the secondary. If you want true load balancing, look into something like Radware or similar. Radware Branch is a great box; we've got hundreds of them out there at different customers.

-- Brian V
