Loadbalancing DUAL ISP on ASA Cisco Support Community


Created: 2011-03-09 09:48 by Atri Basu - Last modified: 2011-03-09 10:59 by Atri Basu
Version 3
Objective:
To configure the ASA to send traffic through both ISPs simultaneously.
Problem Description:
Usually when a user has two ISPs terminating on the ASA, the ASA is configured for ISP redundancy. However, in some cases the user would like to use both ISPs simultaneously to send traffic.
Scenario:
Solution:
In such a scenario, the best solution would be to use a router. Using route-maps on the router, one can configure the routing in such a way that only certain kinds of traffic use one ISP while the second ISP is used for other kinds of traffic. Although the ASA supports route-maps, it wasn't designed to support extensive routing capabilities, so quite a few route-map features, such as source-based routing, are not supported by the ASA. If using a router is an option, then the network would have to be redesigned as follows:
If, however, this is not an option, then it is possible to configure a very crude form of "loadbalancing" on the ASA. The following two scenarios are ways in which both ISPs can be used simultaneously on the ASA:
1. Route traffic based on destination:
As I mentioned above, the ASA is not a load-balancer or a packet-shaper. However, with the following commands on the ASA, we can route traffic to half the destinations on the internet using ISP1 and the other half using ISP2:
nat (inside) 1 0 0
global (ISP1) 1 interface
global (ISP2) 1 interface
! route for destinations in the upper half of the IPv4 space (128.0.0.0 - 255.255.255.255) via ISP1
route ISP1 128.0.0.0 128.0.0.0 1.1.1.2
! route for destinations in the lower half of the IPv4 space (0.0.0.0 - 127.255.255.255) via ISP2
route ISP2 0.0.0.0 128.0.0.0 2.2.2.2
2. Route traffic based on destination ports:
By adding the configuration below, the ASA can be set up to send web traffic (HTTP, HTTPS) out through ISP2, while all other traffic is sent through ISP1.
! default route pointing to ISP1
route ISP1 0 0 1.1.1.2
! default route with metric 2 via ISP2
route ISP2 0 0 2.2.2.2 2
static (ISP2,inside) tcp 0.0.0.0 80 0.0.0.0 80
static (ISP2,inside) tcp 0.0.0.0 443 0.0.0.0 443
! important: without this the ASA will start sending proxy-ARPs for all hosts on the inside, which causes routing issues
sysopt noproxyarp inside
nat (inside) 1 0 0
global (ISP1) 1 interface
global (ISP2) 1 interface
Important Note: As I mentioned earlier, the ASA is not designed to support load-balancing; the above solutions are only workarounds and as such are not supported configurations.
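An added example (not part of the original document and not Cisco code): a small Python model that parses the route lines from both scenarios and predicts which ISP interface a given flow leaves by, so the split can be checked before the configuration is deployed. It assumes longest-prefix match with the lowest metric as tie-break, treats the scenario 2 static (ISP2,inside) entries as port pins as the text describes, and uses constructed sample destinations.

```python
import ipaddress

# Route lines copied from the two scenarios above.
SCENARIO_1 = """route ISP1 128.0.0.0 128.0.0.0 1.1.1.2
route ISP2 0.0.0.0 128.0.0.0 2.2.2.2"""
SCENARIO_2 = """route ISP1 0 0 1.1.1.2
route ISP2 0 0 2.2.2.2 2"""
# Scenario 2 static (ISP2,inside) entries, modelled as port pins (assumption).
WEB_VIA_ISP2 = {("tcp", 80): "ISP2", ("tcp", 443): "ISP2"}


def parse_routes(config):
    """Parse 'route <if> <net> <mask> <gateway> [metric]' lines."""
    routes = []
    for line in config.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] != "route":
            continue  # skips '!' comments and every other command
        # '0' is accepted shorthand for 0.0.0.0 in route commands
        net, mask = ("0.0.0.0" if x == "0" else x for x in f[2:4])
        metric = int(f[5]) if len(f) > 5 and f[5].isdigit() else 1
        routes.append((f[1], ipaddress.ip_network(f"{net}/{mask}"), metric))
    return routes


def egress(routes, dst, proto="tcp", port=None, pins=None):
    """Predict the outbound interface for one flow (simplified model)."""
    if pins and (proto, port) in pins:
        return pins[(proto, port)]
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[1]]
    if not matches:
        return None  # no route: the flow would be dropped
    # Longest prefix wins; for equal prefixes the lowest metric wins.
    return min(matches, key=lambda r: (-r[1].prefixlen, r[2]))[0]


if __name__ == "__main__":
    r1, r2 = parse_routes(SCENARIO_1), parse_routes(SCENARIO_2)
    # Constructed sample destinations, one per half plus the boundary.
    for dst in ("8.8.8.8", "127.255.255.255", "128.0.0.0", "203.0.113.10"):
        print("scenario 1", dst, "->", egress(r1, dst))
    for proto, port in (("tcp", 80), ("tcp", 443), ("tcp", 25), ("udp", 53)):
        print("scenario 2", proto, port, "->",
              egress(r2, "203.0.113.10", proto, port, WEB_VIA_ISP2))
```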
Tags: asa_5500, firewall, asa_8.x, asa_7.x, asa, loadbalancing, dual_isp, load-balancing, traffic-shaping
Comments (4)
Golly Wog 2011-03-24 17:46
Awesome! I love it!
Brad Henderson 2012-02-09 20:04
Is failover still possible with the second example? In the example, is my web traffic (port 80/443) down if ISP2 goes down, or can I still use an SLA monitor or some other method to automatically fail over web traffic to ISP1 that is still up? I'm looking for a way to both send specific destination ports out a particular ISP, but also fail them over should it go down. ASA 5520. Any assistance is appreciated.
Atri Basu 2012-02-10 06:12 (in reply to Brad Henderson)
If you're using ASA code above 8.3 the natting becomes very different, and the above set up may no longer work. If the code is below 8.3 then it may be possible using SLA monitoring, but I haven't tested it and can't be sure how the natting will be affected. Ideally, if ISP2 goes down and SLA monitoring removes the second route, then the static NATs should also not function properly, so the nat global should work just fine.
Paolo Piutz 2012-09-03 10:34
Hi to all.
My goal is to use dual WAN (with 2 different ISPs):
I would use:
wan1 for all: web, mail, etc.
wan2 only for a VPN L2L connection with HQ.
Obviously the WANs have to work at the same time.
Is it possible with ASA 5505? (without a router).
Do you know some tutorial for that?
Thank you.
https://supportforums.cisco.com/docs/DOC-15622

