Question

Locked

How to configure an ASA 5505 for dual ISP - split traffic

By ColinK.ltd ·
We set up temporary offices with 2 DSL connections. We have an ASA 5505 basic model which supports 3 VLAN's so can configure a VLAN for each ISP.
We wish to direct general traffic through one DSL and HTTPS traffic through the other. This is because we have a significant HTTPS load to a specific DNS/URL.
Typical low-end routers do not support load balancing, and even high-end ones do not effectively handle HTTPS due to the authentication issues involved on source addresses.

This conversation is currently closed to new comments.

6 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Answers

Collapse -

I don't believe you can do that

by NetMan1958 In reply to How to configure an ASA 5 ...

with the ASA 5505. However you can use one ISP as a primary and the other as a backup. Here are a couple of articles about that:
http://www.articlesbase.com/networks-articles/configure-a-cisco-asa-5505-with-dual-isp-backup-connection-877852.html

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Collapse -

Configuration of ASA 5505

by ColinK.ltd In reply to I don't believe you can d ...

Thank you for your response. I had researched the articles on primary and backup ISPs using an ASA. Unfortunately that does not resolve the issue as the ASA will only switch traffic to the second ISP if the 1st has completely failed to respond, which is unlikely. And there is no dynamic detection of the 1st ISP to switch traffic back so once changed it stays that way.
Also I found that the configuration suggested has a few fundemental flaws that mean other work-arounds are required to make it work on a 5505 anyway.
Thanks - see next post.

Collapse -

Modification of Request - more detail

by ColinK.ltd In reply to How to configure an ASA 5 ...

I have been looking at the configuration and it appears possible to filter traffic based on traffic type and permit/deny by interface.
1. Set up names
name x.x.x.x outside-network2 description 2nd isp

2. Set up Object-groups
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https

3. Create access rules to permit or deny traffic
access-list INSIDE-IN remark Explicit rule to deny http through primary outside interface
access-list INSIDE-IN extended deny tcp inside x.x.x.x(primary isp) 255.255.255.0 object-group DM_INLINE_TCP_2
access-list INSIDE-IN remark Explicit rule to permit http and https traffic through 2nd external interface
access-list INSIDE-IN extended permit tcp inside outside-network2 255.255.255.0 object-group DM_INLINE_TCP_1

I have not tested this yet, but would welcome feedback on this approach.

Collapse -

Keeping in mind

by NetMan1958 In reply to Modification of Request - ...

that I've never tried dual ISP's on a PIX or ASA so I can't say for sure but I think the issue you are going to encounter is this:
The ASA is only going to install one default route at a time in it's routing table.

When you use the second ISP as a backup you have a floating static route to the second ISP such that it doesn't appear in the routing table until and unless the first ISP connection goes down.

The only way I've ever setup dual ISP connections involved GLBP. To do this you would need 2 GLBP capable routers, 1 connected to each ISP. Your ASA would have a default route to the virtual gateway. See this article for more information:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6550/prod_presentation0900aecd801790a3.pdf

Collapse -

Further information

by ColinK.ltd In reply to Keeping in mind

Thanks for that. It appears the approach is generally to load-balance all traffic, whereas I am seeking to split traffic by type (https vs the rest).
I have tried my approach and found that there is a default rule in the ASA which applies to all IP traffic, and over-rules the TCP rules. If this rule is turned off all traffic routing is stopped, so it appears I may need to work on refining that rule instead and see if that works.

Back to Hardware Forum
6 total posts (Page 1 of 1)  

Related Discussions

Related Forums