"Mr. Ian" <> wrote in message
news:...
>
> Is it possible to have the following scenario with an ASA 5510?
>
> ISP1 - Fast, cheap, asymmetric, unreliable bandwidth (e.g. Cable).
> ISP2 - Slower, reliable, symmetric bandwidth (e.g. T1).
>
> LAN ---- ISP1
>    \    /
>     ASA
>    /    \
> DMZ ---- ISP2
>
> I would like ISP1 to receive all outgoing LAN traffic (i.e. general
> office Internet traffic).
>
> I would like ISP2 to be used for any incoming connections to the DMZ
> and to maintain our VPNs to remote sites.
>
> In the event ISP1 is down, outgoing LAN traffic would be re-routed to
> ISP2.
>
> In the event ISP2 is down, VPN connections would be re-connected via
> ISP1.
>
> Thanks for any help. I'm just trying to get an idea of what's going
> to be involved in making this type of setup work.
You cannot do all that you want, but some of it.
1, ISP redundancy, yes definitely. You need the Sec Plus license. Very easy
to configure.
http://www.cisco.com/en/US/products/...806e880b.shtml
2, Terminations of the VPN to ISP2. Absolutely. That's simple host based
routing. "route isp2 host <vpn peer1> <gateway>" and applying the crypto map
on ISP2's interface.
3, DMZ traffic. No, cannot do. There are no policy-based routing features in
the ASA.
4, VPN failover. Nope, cannot do. You cannot have the same peer on 2
different interfaces nor can you have the same destination subnet on 2
interfaces.
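Points 1 and 2 of the reply, written out as an added ASA configuration fragment (not the poster's own config): a tracked default route via ISP1 with a floating static via ISP2, and the VPN peer pinned to the isp2 interface by a host route and the crypto map binding. Interface names, addresses, the peer 192.0.2.50, the access-list and object names are placeholders, and the syntax assumes a pre-8.3 ASA image of the 5510 era.

```cisco
! Two ISP-facing interfaces (addresses are placeholders, not from the post)
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
interface Ethernet0/1
 nameif isp2
 security-level 0
 ip address 198.51.100.10 255.255.255.0
!
! 1. ISP redundancy (Sec Plus license): probe a host beyond ISP1's first hop.
!    If the probe fails, track 1 goes down, the tracked default route is
!    withdrawn and the metric-254 route via isp2 becomes the active default.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route isp2 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Outbound PAT must exist on both ISP interfaces, or LAN traffic that fails
! over to isp2 leaves with unroutable private source addresses.
nat (inside) 1 10.1.0.0 255.255.0.0
global (outside) 1 interface
global (isp2) 1 interface
!
! 2. VPN termination on ISP2: the host route keeps the peer reachable via
!    isp2 no matter which default route is active, and the crypto map is
!    bound to that interface only (the reply's point 4: one peer, one interface).
route isp2 192.0.2.50 255.255.255.255 198.51.100.1 1
access-list SITE_B_TRAFFIC extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map VPNMAP 10 match address SITE_B_TRAFFIC
crypto map VPNMAP 10 set peer 192.0.2.50
crypto map VPNMAP 10 set transform-set ESP-AES-SHA
crypto map VPNMAP interface isp2
crypto isakmp enable isp2
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
tunnel-group 192.0.2.50 type ipsec-l2l
tunnel-group 192.0.2.50 ipsec-attributes
 pre-shared-key PLACEHOLDER_PSK
```

Choose the SLA probe target carefully: pinging the ISP's own gateway only proves the first hop is up, so a target further upstream gives a truer picture of whether ISP1 can actually carry traffic.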