How can I route certain internet based traffic to secondary ISP?

By stein_brian
We currently have a fairly simple setup - all traffic ultimately flows back to a core Cisco 4507 switch whose gateway of last resort points to the inside interface of our ASA firewall, whose gateway of last resort points to our ISP router. We are looking to get a second ISP with the hopes of routing all our wireless traffic through this secondary ISP (Verizon FIOS if anyone cares) but are kind of stumped on how or if we can do this. We are a school district and our wireless infrastructure is growing at a tremendous pace with the distribution of iPads, laptops, smartphones, etc., and we are bumping up against our 50meg pipe. Ultimately we do hope to increase the size of our current pipe, but in the meantime FIOS business is fairly cheap and we thought perhaps we can split up our traffic. I'm assuming more info is needed and if so please ask and I will provide. Appreciate any info you all might have, thank you!

All Answers

It's harder than you think

by JPElectron In reply to How can I route certain i ...

Cisco ASA does not do load balancing, only fail-over to a second ISP.
Look into Peplink or another multi-WAN router that supports load balancing. You would put this device between your ASA and your ISP(s). Be aware that load balancing can be a headache and mess up certain applications, which you then must build rules for so these applications favor or only use one ISP. You're much better off getting a bigger pipe from just one ISP in my opinion.

If you want the "student" or wireless network to exclusively use one ISP, and the "staff" or internal network to use another ISP, then this can be done within the ASA, assuming you have the appropriate license for multiple (4) interfaces.

Response To Answer

by stein_brian In reply to It's harder than you thin ...

Thank you for the info! Would it be possible to elaborate on using the ASA with multiple interfaces? Also, I'm assuming another option would be to get a second firewall and then route certain traffic from the core 4507 to the second firewall whose gateway of last resort would be the second ISP?

Response To Answer

by JPElectron In reply to It's harder than you thin ...

If you do a "show run" on your ASA it will show you what features you're licensed for. Base license usually means 2 interfaces, 0/0 as the outside and 0/1 as the inside; it may not let you pass any traffic on 0/2 or 0/3. Security Plus license has no restriction, so you could do something like this...
Eth0/0 WAN
Eth0/1 internal LAN
Eth0/2 WAN of second ISP
Eth0/3 student LAN and wireless

You would make separate NAT rules so the Eth0/3 LAN is NAT'ed to the Eth0/2 WAN. You likely have Eth0/1 NAT'ed to Eth0/0 already.

You could also put the ASA in a security context mode, where it's a passive device. I've only had a need for this once. The idea is it doesn't need to act as a NAT router, but rather just sits between your router and ISP(s). This isn't appropriate, however, if your ASA is being used as a L2L VPN or client VPN endpoint.

I suppose you could have another physical firewall with a different default gateway, but now that's more hardware to support.

It depends

by robo_dev In reply to How can I route certain i ...

If your intent is to keep the WLAN totally separate from the wired LAN, you could create VLANs and a separate subnet for wireless users, then provision a FIOS circuit and router/firewall and proxy server for that VLAN. Just like setting up a guest WLAN on any network.

If you had no requirement to do content filtering (which I bet you do), then this would be very simple, but otherwise you will need to add another proxy server to filter WLAN traffic from the other ISP.

If you are not doing content filtering, that may be why your users are using up all your bandwidth :)

My understanding of the ASA is that it does not do policy-based routing, which I believe is what you need to do load-balancing across multiple ISPs.

multi wan router

by stein_brian In reply to How can I route certain i ...

Thank you all for the great detailed info, really appreciate it! After a review with my boss it looks like we are going to give Peplink a try and see how it works out. Heard some good things so we will see what happens. Thanks again!
