ASA with two ISPs

Is it possible to have the following scenario with an ASA 5510?

ISP1 - Fast, cheap, asymmetric, unreliable bandwidth (e.g. Cable). ISP2 - Slower, reliable, symmetric bandwidth (e.g. T1).

LAN ----     ---- ISP1
        \   /
         ASA
        /   \
DMZ ----     ---- ISP2

I would like ISP1 to receive all outgoing LAN traffic (i.e. general office Internet traffic).

I would like ISP2 to be used for any incoming connections to the DMZ and to maintain our VPNs to remote sites.

In the event ISP1 is down, outgoing LAN traffic would be re-routed to ISP2.

In the event ISP2 is down, VPN connections would be re-connected via ISP1.

Thanks for any help. I'm just trying to get an idea of what's going to be involved in making this type of setup work.

Mr. Ian

You cannot do all that you want, but some of it.

1, ISP redundancy, yes definitely. You need the Sec Plus license. Very easy to configure.
2, Terminations of the VPN to ISP2. Absolutely. That's simple host based routing. "route isp2 host " and applying the crypto map on ISP2's interface.
3, DMZ traffic. No, cannot do. There are no policy based routing features in the ASA.
4, VPN failover. Nope, cannot do. You cannot have the same peer on 2 different interfaces nor can you have the same destination subnet on 2 interfaces.
Brian V
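
A sketch of items 1 and 2 from the reply above, added here as an illustration and not taken from either poster's configuration. It assumes ASA 7.2/8.0-era syntax; the interface names, the documentation-range addresses (198.51.100.0/30, 203.0.113.0/30, peer 192.0.2.10), the ACL and crypto map names and the inside subnets are all placeholders, and NAT and the inside/DMZ interfaces are omitted.

```cisco
! Two outside interfaces, one per ISP (addresses are placeholders)
interface Ethernet0/0
 nameif isp1
 security-level 0
 ip address 198.51.100.2 255.255.255.252
interface Ethernet0/1
 nameif isp2
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
! Item 1: probe the ISP1 gateway and tie the primary default route to the result
sla monitor 1
 type echo protocol ipIcmpEcho 198.51.100.1 interface isp1
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
! Primary default via ISP1 is withdrawn when the probe fails;
! the metric-254 default via ISP2 then carries outgoing LAN traffic
route isp1 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route isp2 0.0.0.0 0.0.0.0 203.0.113.1 254
!
! Item 2: host route pins the remote VPN peer to ISP2
route isp2 192.0.2.10 255.255.255.255 203.0.113.1
!
! Site-to-site tunnel terminated on the isp2 interface only
access-list VPN-ACL extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map VPNMAP 10 match address VPN-ACL
crypto map VPNMAP 10 set peer 192.0.2.10
crypto map VPNMAP 10 set transform-set ESP-AES-SHA
crypto map VPNMAP interface isp2
crypto isakmp enable isp2
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key <placeholder-key>
```

Probing only the ISP1 next hop detects a dead local link but not an upstream outage; pointing the probe at a stable address beyond the ISP's gateway covers that case.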
