2 ISP and ASA 5505

PiotrIr Member Posts: 236
Could you tell me if it is possible on Cisco ASA 5505 please?

1. Two internet connections from different ISPs, ISP A and ISP B, connected to WAN links on the ASA
2. One internal network connected to the LAN link
3. All internet queries from inside are sent through the WAN link assigned to ISP A
4. On the ISP B link two VPN connections are set up
5. When ISP A is down, the firewall automatically switches internet traffic from internal users to ISP B; VPN connections are not affected
6. There are no other rules like NAT or PAT.

If it is possible, could you give me some advice on how easy this configuration is? If I'm not able to use an ASA 5505 for this scenario, maybe you can tell me what device or solution is suitable?

Many thanks.

Comments

  • bighornsheep Member Posts: 1,506
    You could go with floating static routes. Steady-state, default route to ISP A, with static routes for the VPN sites pointing to ISP B, with a floating default route pointing to ISP B.

    However, you will need to coordinate with your ISP A & B to set up some kind of SNMP to disable the port going to your ASA when the "ISP is down", otherwise the floating static routes will not play their role. Otherwise, the ISP may be down in their backend network to the Internet, but the port on their router going to your ASA is still up/up.
    Jack of all trades, master of none
  • PiotrIr Member Posts: 236
    Many thanks for your reply.

    Is it possible to use some kind of pinging? E.g. the Linksys RV82 uses a ping of an external IP and disables the port when it doesn't get an answer.
  • Kaminsky Member Posts: 1,235
    If you are building resilience like that, remember that your router is also a single point of failure. If that goes, you lose everything as well.

    Typically each ISP gets its own router and the connections from these feed into another, but then you could argue that you are still just moving the single point of failure.
    Kam.
  • shednik Member Posts: 2,005
    Kaminsky wrote: »
    If you are building resilience like that, remember that your router is also a single point of failure. If that goes, you lose everything as well.

    Typically each ISP gets its own router and the connections from these feed into another, but then you could argue that you are still just moving the single point of failure.

    I agree. I would try to set up two devices and then set up BGP peering instead, but that will take you getting management to approve buying more gear.
  • PiotrIr Member Posts: 236
    Thanks for your reply.
    Basically I accept this single point of failure and wonder only about the lines.
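The floating-static-route design from the first reply, combined with the ping-based reachability check asked about later in the thread, looks like the following on an ASA. This is an added example, not configuration from anyone in the thread; interface names, the tracked target and all addresses (documentation ranges) are constructed placeholders, and NAT and the VPN definitions themselves are left out because the thread does not cover them.

```cisco
! Added example: dual-ISP failover on an ASA using a tracked primary default
! route and a floating backup default route. All addresses are placeholders.
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Vlan3
 nameif backup
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
! Probe a host beyond ISP A's access router, forced out the outside interface,
! so a dead ISP A backbone is noticed even while the port to the ASA stays up/up.
sla monitor 1
 type echo protocol ipIcmpEcho 192.0.2.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
!
! Track object 1 follows the reachability result of SLA monitor 1.
track 1 rtr 1 reachability
!
! Primary default route via ISP A (metric 1); removed from the table when
! track 1 reports the target unreachable, reinstalled when it recovers.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
!
! Floating default route via ISP B (metric 254): only used while the
! primary is withdrawn.
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Host routes pin the two VPN peers to ISP B regardless of which default
! route is active, so the tunnels are unaffected by an ISP A failover.
route backup 192.0.2.50 255.255.255.255 198.51.100.1 1
route backup 192.0.2.60 255.255.255.255 198.51.100.1 1
```

Check the state with `show track 1` and `show route`; the `outside` default route should disappear and the `backup` one take over while the probe target is unreachable.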