ASA with two ISPs

Discussion in 'Cisco' started by Mr. Ian, Mar 28, 2007.

  1. Mr. Ian

    Mr. Ian Guest

    Is it possible to have the following scenario with an ASA 5510?

    ISP1 - Fast, cheap, asymmetric, unreliable bandwidth (e.g. Cable).
    ISP2 - Slower, reliable, symmetric bandwidth (e.g. T1).

    LAN ---- ISP1
       \    /
        ASA
       /    \
    DMZ ---- ISP2

    I would like ISP1 to receive all outgoing LAN traffic (i.e. general
    office Internet traffic).

    I would like ISP2 to be used for any incoming connections to the DMZ
    and to maintain our VPNs to remote sites.

    In the event ISP1 is down, outgoing LAN traffic would be re-routed to
    ISP2.

    In the event ISP2 is down, VPN connections would be re-connected via
    ISP1.

    Thanks for any help. I'm just trying to get an idea of what's going
    to be involved in making this type of setup work.
    Mr. Ian, Mar 28, 2007
    #1

  2. Brian V

    Brian V Guest

    "Mr. Ian" <> wrote in message
    news:...
    >
    > Is it possible to have the following scenario with an ASA 5510?
    >
    > ISP1 - Fast, cheap, asymmetric, unreliable bandwidth (e.g. Cable).
    > ISP2 - Slower, reliable, symmetric bandwidth (e.g. T1).
    >
    > LAN ---- ISP1
    >    \    /
    >     ASA
    >    /    \
    > DMZ ---- ISP2
    >
    > I would like ISP1 to receive all outgoing LAN traffic (i.e. general
    > office Internet traffic).
    >
    > I would like ISP2 to be used for any incoming connections to the DMZ
    > and to maintain our VPNs to remote sites.
    >
    > In the event ISP1 is down, outgoing LAN traffic would be re-routed to
    > ISP2.
    >
    > In the event ISP2 is down, VPN connections would be re-connected via
    > ISP1.
    >
    > Thanks for any help. I'm just trying to get an idea of what's going
    > to be involved in making this type of setup work.



    You cannot do all that you want, but some of it.

    1, ISP redundancy, yes definitely. You need the Sec Plus license. Very easy
    to configure.
    http://www.cisco.com/en/US/products...s_configuration_example09186a00806e880b.shtml

    2, Terminations of the VPN to ISP2. Absolutely. That's simple host based
    routing. "route isp2 host <vpn peer1> <gateway>" and applying the crypto map
    on ISP2's interface.

    3, DMZ traffic. No, cannot do. There are no policy based routing features in
    the ASA.

    4, VPN failover. Nope, cannot do. You cannot have the same peer on 2
    different interfaces nor can you have the same destination subnet on 2
    interfaces.
    Brian V, Mar 28, 2007
    #2
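
A sketch of items 1 and 2 from the reply above, as an added example that is not part of the original thread or of the linked Cisco document: a tracked default route via ISP1 with a floating backup via ISP2, plus a host route and crypto map pinning the VPN peer to ISP2. It assumes the pre-8.3 ASA syntax of the thread's era; the interface names, addresses (RFC 5737 documentation ranges), probe target, NAT ID and crypto map name are constructed placeholders.

```text
! Constructed values: ISP1 gateway 192.0.2.1, ISP2 gateway 203.0.113.1,
! VPN peer 198.51.100.10, probe target 198.51.100.1, LAN nameif "inside".
interface Ethernet0/0
 nameif isp1
 security-level 0
 ip address 192.0.2.2 255.255.255.252
interface Ethernet0/1
 nameif isp2
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
! Item 1: ICMP probe sent out isp1. Pick a target beyond the ISP1 gateway
! so an upstream outage is detected, not just a dead local link.
sla monitor 1
 type echo protocol ipIcmpEcho 198.51.100.1 interface isp1
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
! Primary default via ISP1; withdrawn while track 1 is down.
route isp1 0.0.0.0 0.0.0.0 192.0.2.1 1 track 1
! Floating backup default via ISP2 (higher administrative distance).
route isp2 0.0.0.0 0.0.0.0 203.0.113.1 254
!
! PAT on both outside interfaces so LAN traffic is still translated
! after the default route moves to ISP2.
nat (inside) 1 0.0.0.0 0.0.0.0
global (isp1) 1 interface
global (isp2) 1 interface
!
! Item 2: host route sends traffic for the VPN peer out ISP2, and the
! crypto map is applied on that interface only.
route isp2 198.51.100.10 255.255.255.255 203.0.113.1 1
crypto map VPNMAP interface isp2
```

`show track 1` and `show route` show which default route is currently installed.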