Cisco Firewall :: ASA 5505 Split Traffic On Dual ISPs

Jul 31, 2012

I have an ASA 5505 current f/w & the security plus license (to get the 3 nameif interfaces). Can I split traffic between two ISPs, (VPN traffic to one destination on a T-1 on one VLAN, and all other traffic using DSL to another VLAN) and using a different nat policy on both? I know load balancing isn't supported, only failover. I was just wondering if there was a way to make this work.


Cisco VPN :: ASA 5510 With Dual ISPs Split Traffic Between VPNs And Internet

Jul 1, 2011

I need to know how to set up my ASA with dual WAN links. 1 is 10/10 fiber, other will be a 50/5 Cable Wideband link. The 10/10 fiber is currently being used for VPNs and Internet (about 20 point to point IPSEC VPNs currently).

I want to add the Wideband link and use the "Tunneled (Default gateway for VPN traffic)" feature for the current fiber link and the new Wideband link for any other internet traffic. I tried this, however as soon as I set my fiber link to "Tunneled (Default gateway for VPN traffic)", I lost all connectivity.

I also set up my "VPN" link with the "tunneled" option and my "INTERNET" link with a default route to the internet. This would only let me ping internet sites from the ASA device but not from client computers, also the VPNs would not come back up.

I have tried the sla setting with a DSL line for failover and that works good, I've since got rid of the DSL and want to utilize 2 WAN links for different purposes/traffic.
 
ASA 5510, SSM-10      1GB RAM
ASA version                8.4(1)
ASDM Version            6.4(3)
Context Mode            Single
FW Mode                  Routed
License                     Security Plus


Cisco Firewall :: 5510 Split Traffic Between VPN And Internet Using Different ISPs

Aug 25, 2011

What we are trying to accomplish here is to use two ISPs (one cable and one T1), use the Cable line for site-to-site VPN and use the T1 line for all internet traffic. We currently use the following configuration: Cisco 2820 routers terminating the T1 -> HP switch -> Cisco ASA 5510 port 0 -> port 1 to LAN switch (Nortel 5510). We want to force all VPN traffic (using 10.0.0.0/24 subnets - 10.0.1.0, 10.0.2.0, etc) through a cable connection, perhaps on port 2 of the ASA, then all non VPN traffic goes to the T1.


Cisco Firewall :: Dual ISPs On ASA 5505

Dec 5, 2011

We have a Cisco ASA 5505 with sec bundle plus.
 
We have two ISP's:
 
ISP1 (Our IP = 30.100.150.50, gateway 30.100.150.8)
ISP2 (Our IP = dynamic, gateway 20.100.150.9) - ADSL 
Our internal LAN IP range is 10.9.8.0/24
 
We want to configure the ASA 5505 to allow users via ISP2 for http traffic. We then want to use ISP1 for strictly VPN and access to internal web resources (e.g. OWA) as we have public IPs there.

Our idea was to configure two gateways on the ASA (e.g. 10.9.8.5 via ISP2 and 10.9.8.6 via ISP1)

Then give the users gateway 10.9.8.5 for web browsing etc. Is this configuration possible on the ASA 5505?


Cisco WAN :: WAN / Dual ISPs - Can ASA 5505 Do Load Balancing As Well

Jan 24, 2010

I want to link ASA 5505 to two ISPs for backup purposes. I can see this configuration example here url...
 
Question - does the ASA 5505 do load balancing as well for both connections - is there an example somewhere? (I do not want to buy two ASA 5505's!) which seems the only way I could find configuration details for!


Cisco Firewall :: ASA 5520 For Dual Active ISPs

Dec 14, 2011

I inherited a network redesign project mid implementation and ran across an issue that I was not 100% sure able to be resolved. Implementation is occurring in which the organization is changing over to a different ISP and we have some customers that will not be able to change their settings over to our new addresses for some time. I have seen a lot of posts about fail over and dual ISP configurations, but I could not relate them to this particular scenario.


Cisco Firewall :: ASA 5510 Nat / Routing DMZ With Dual ISPs (4 Legged)?

Apr 11, 2013

I am in the process of configuring an ASA 5510 to replace an older PIX. This change is part of migrating to a new ISP, so the process is complicated by the existence of two outside interfaces. I have virtually everything working, but there is a requirement to be able to access hosts from the internal networks using both their private IPs and their public IPs. The older PIX took care of this silently with little configuration, but the ASA has me twisted on the details. Some of the hosts with public IPs are on the internal network and some are on a DMZ (not my design, inherited). For the internal ones I implemented hairpinning to take care of the requirement, but I am having trouble with the DMZ based hosts. Since there are two external interfaces each internal host has two IPs and two static NAT rules to handle incoming traffic from each external interface.

The routing and dynamic NAT entries we have in place take care of accessing the hosts using their private IPs on the DMZ, but I cannot figure out how to get the public IPs to work from the internal network. It seems like a simple Static D-Nat should do it, but when I add a Static D-Nat on the DMZ the public IP works, but the private IP breaks. Is there a way to get them both to operate?
 
Network layout looks like this (IP ranges altered):

DMZ  172.10.0.0.0 Class C
INTERNAL 10.0.0.0  Class C
Outside  1.2.3.0  Class C
Outside2  2.3.4.0  Class C

[code]....

After applying it I could access the public IP (1.2.3.50) from the internal network, but I could no longer access the DMZ IP (172.10.0.2) from the internal network. Is there any way to get this configuration to allow access to both IPs from the internal network?

The problem here is that there are website links based on the public IP and the DNS is split so DNS returns the internal IP to users. As a result both need to be accessible from the internal network. Not my favorite design, but the client (or in this case the boss) is always right so I need to get it working somehow.


Cisco Firewall :: ASA5510 With Dual ISPs And Static NAT On Backup

Dec 12, 2012

Looking to have an ASA5510 with two internet feeds. Moreover, I would like to have my static nat translations continue to work on the backup feed. I have outbound nat working, however I cannot get the inbound nat to work. I had this all figured out in 7.x but now with 8.x I cannot seem to get it working. If anyone has an 8.x example config.


Cisco Firewall :: ASA505 - 2 Sets Of NAT Rules To Accommodate Dual ISPs

Oct 10, 2012

I am setting up an ASA550 ver 7.2(3) - does this need upgrading? I have my ISP interfaces set up as primary and backup. I have a static route pointing out:

route primary 0.0.0.0 0.0.0.0 1.2.3.4 1

Question: Do I put the next static route to be

route secondary 0.0.0.0 0.0.0.0 3.4.5.6 254

Will this set a high metric on the secondary route that will only take effect if the primary route is down? I assume I will need to have 2 sets of NAT rules to accommodate the dual ISPs.


Cisco WAN :: Dual ISPs In ASA 5520

Jul 10, 2011

We got 2 ISPs -------> two ASA 5520 Primary / secondary --------> LAN. ASA is configured with ACL and Static NAT for our mail, web & ftp servers.

My question is how to configure the 2nd ISP on the ASA to auto switch to the 2nd ISP when the 1st is down with a backup static NAT and backup ACL for the new ISP, in other words how to configure an active static NAT and Backup Static NAT and ACL only for Exchange/Mail Server. Here is the example of our configuration where PIE is Primary ISP & EMC is Backup ISP.
  
ASA Version 8.2(1)
hostname Corp-ASA
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
[code]....


Cisco WAN :: Dual DHCP ISPs On ASA5505?

Jul 1, 2012

I've been searching the net for days now trying to configure the ASA5505 for dual DHCP ISP use. All guides available assume you have one static.
 
After realizing that it required a Security Plus license to even configure 3 VLANs.
 
I can choose a backup interface in ASDM. It even says dual ISP enabled. Why can't there be a guide or simple configuration example or am I the only one looking for this kind of solution?
 
Customer has two ADSL internet connections and want to switch between them if they fail. No load balancing required.


Cisco VPN :: Dual ISPs On ASA5510 And Remote Access Client

Jul 7, 2012

I have two public IPs on ASA5510 + Remote Access VPN Client. What I want to achieve is, I want VPN client users to be able to login using any of the two ISP's IP to remote connection to the ASA. What is the command to use to achieve this?

Secondly, I have set up the primary link VPN through ASDM but thinking I should do the same thing and add the "backup" interface.


Cisco Firewall :: Dual ISP On ASA 5505?

Oct 9, 2012

My client is transitioning to a new ISP and wants to migrate their web servers in stages. Therefore they would like to keep some servers running on the old ISP and some servers use the new ISP.

I have set this up in a lab and keep running into routing issues (I am using 5510 for the lab as I do not have a 5505 available). I know that ASAs don't support PBR. Is there any way or trick to get this to work on the ASA?

I have a feeling this is not possible and we would need to get another ASA or a Router to get this to work.


Cisco Firewall :: Dual ISP On ASA 5505

May 28, 2012

I need to configure my ASA as follows: Two active ISPs, one (ISP1) for outbound traffic (normal internet traffic) and the other one for inbound traffic (ISP2), http to a web server in the inside network. I have two default routes, one pointing to ISP1 with metric 1 and the other to ISP2 with metric 2. I perform dynamic nat to ISP1 interface with hosts in the inside network and static nat to ISP2 interface with web server.


Cisco Firewall :: Configure Dual ISP On 5505 8.4

Mar 27, 2013

I am attempting to set up failover dual ISP on a 5505 running 8.4(4) with the Sec Plus license. Everything I have been able to reference so far points to old commands not available or relevant in 8.4.
 
For instance:
 
global (backup) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 20.20.20.1 1
route backup 0.0.0.0 0.0.0.0 30.30.30.1 10
 
What is the new syntax that should be used to mimic these commands? I have the sla and track reachability configuration already set up.


Cisco Firewall :: ASA 5505 With Dual ISP And 2 Networks

May 7, 2013

I would like to configure a Cisco ASA 5505 with Dual ISP (ISP 1 and ISP2) and two networks (network 1 and network 2). My customer needs that clients in the network 1 connect to Internet with ISP1 and clients in the network 2 connect with ISP2. If a failure occurs in ISP1 (just an example) the network 1 clients connect with ISP2.


Cisco Firewall :: ASA 5505 Security Plus Dual ISP

Apr 5, 2010

I have an ASA5505 with Security Plus license so I can have many interfaces (not 2 + 1 limited DMZ like in base license)
 
I have 2 VLANs. Is it possible to use one ISP for VLAN 1 and other for VLAN 2? Is it limited to 2 ISPs or can have more?


Cisco Firewall :: ASA 5505 / Dual WAN For Different Services?

Sep 18, 2012

I have ASA 5505 ver, 8.4(1) I have configured 2 WAN links to

1. Outside1 - distance metric 50
2. Outside2 - distance metric 20
 
Currently all traffic is passing thru Outside2 and it's correct, also s2s and ra VPN is also running on Outside2. My current case is to use Outside1 for webvpn services only. I can't use Outside2 because on 443 port other services are running, also I can't change webvpn port to other.

How can I match packets incoming to interface Internet1 from Internet side and route them back thru Internet1 interface?

IPSLA is not a good solution because I need to have both WAN links used. Now in routing table I have only one record

S*   0.0.0.0 0.0.0.0 [20/0] via x.x.x.x, INTERNET2

for link with lower metric, but after some problems with provider for link Internet2 routing has changed for Internet1 and didn't change it back after resolving problem. How to create it for all traffic incoming for Internet1 interface from outside?


Cisco Firewall :: ASA 5510 - Dual Internet Connections / Routing DMZ Traffic

May 29, 2012

I am having an issue when implementing an additional internet connection on our ASA 5510. The new connection is "TWCOutside". It was my understanding that static NAT would force our externally hosted servers (Email, PPTP VPN, and FTP) to continue to utilize the "ATTOutside" connection. Our remote site-to-site VPN traffic has two static routes configured to force it to continue to use the ATTOutside connection. When I switch the metric on the 0.0.0.0 0.0.0.0 98.103.148.145 route to 1, and change our default dynamic xlate to use "TWCOutside", it "mostly" works as expected. Email, the PPTP VPN server, and our remote site-to-site VPN server continue to use the ATTOutside connection as designed. Our end users begin using the new connection for their internet browsing.

However, our FTP server, in the DMZ, completely loses outside access. It cannot ping to 8.8.8.8, or resolve DNS queries. There is a static NAT statement for this server, as it is using one of our dedicated public IP addresses. I need it to continue to do so for the next few weeks. Effectively, we just want to give our end users internet browsing on the new TWC link, but leave everything else on the old ATT link for the time being. The only problem I am having is the DMZ connection. I am currently "rolled back", so no one is using the new connection until I figure this out. I can easily switch the metric and dynamic PAT back to using the TWC connection, but I need to have some things to try with the DMZ before doing so. [code]


Cisco Firewall :: ASA 5505 Dual WAN Settings Required

Feb 27, 2012

I have a 5505 configured with an active/standby dual WAN setup using the sla tracked connection settings. Is there a way to configure the ASA to stay on the backup connection after activating? We had a situation where the main T1 was bouncing, so the backup connection was being activated and deactivated very often. The problem is that there is an app being used that does not allow users to reconnect to dropped connections immediately, so every time the ASA switches WAN connections it causes a significant disruption. I should note that I already set monitor options frequency to 240 seconds. I could set it higher, but then we have a longer delay when the main connection dies.


Cisco WAN :: Require Dual WAN But Not Necessarily Firewall ASA 5505

Feb 9, 2012

I have a small office with about 20 people.  I currently have a T1 line which feeds a Cisco ASA 5505.  I would like to replace the T1 line with two (2) ADSL lines.  I need a dual WAN switch/load balancer.  I researched a bit and found that Cisco RV042 will probably work for me even though I don't need another VPN and would have to disable it.
 
My question: Is there another device from Cisco or others which will give me the dual WAN and load balancing but not the VPN piece? My assumption is that it would be a less expensive device if such an animal exists.


Cisco Firewall :: 5505 High Availability Over Dual WAN Connections

Mar 20, 2011

One of my remote sites acquires Internet connectivity via a cable modem service. This goes down intermittently, of course. I would like to purchase DSL service from the local telco and configure the edge ASA (currently a 5505) to use the cable modem path normally ... and fall back to the DSL path if necessary.

This seems hard to do. The edge box would need to evaluate the viability of a WAN path using some set of tests ... perhaps pings to a handful of major Internet sites. If all those pings start failing, it would stall for a minute, to give the WAN service provider time to recover ... then cut over to the second path. Cutting to the second path might mean pushing new DNS server addresses to clients (or perhaps the edge box would hand out both sets of DNS servers all the time and rely on the clients to try them all.) Once the cable modem provider restored service, the edge box would stall for a while (ten minutes? an hour?) and then cut back.

I'm willing to replace the edge box with something fancier (a bigger ASA or something sold as a router or whatever), although I'd like to stay under 10K (list) for such a replacement.


Cisco Firewall :: ASA 5505 With Dual ISP - How To Setup Backup Connection

May 22, 2012

How can I set up that the backup connection will start, but after 30s of ICMP timeout of the default gateway (tracked object - 192.168.1.1)?
 
My configuration:
 
sla monitor 123
type echo protocol ipIcmpEcho 192.168.1.1 interface outside
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
 
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1 track 1
route backup 0.0.0.0 0.0.0.0 192.168.2.1 254
 
track 1 rtr 123 reachability


Cisco WAN :: 2911 Split Traffic From LAN

Jun 11, 2013

I have a Cisco 2911 Router and I need to split the traffic from my LAN (Gi0 / 0) by ISP1 (fa0 / 0) and that of my servers (Gi/0/0) by ISP2 (fa0 / 1). [code]

My problem comes when wanting to communicate with my remote networks that reach the int Gi 0/1, because when my network to match the policy-route internet sends me all the way.


Cisco Firewall :: ASA 5505 / 5520 Dual Gateway From 3750 And 2010

May 17, 2011

I need to move the client machines off of the 3750 (and their DHCP dependency on it) to the SGE2010 and absolutely route their internet traffic out through the outside interface on the 5505. They must also be able to communicate back into the internal environment in order to communicate with the production servers.
 
The clients currently use .254 addressing through a dumb Dell switch to the 3750 but I am trying to migrate them over slowly to the .253. I know that the 2010 will not do DHCP, so I am putting a DHCP server on that switch right now. The 5505 won't let me add an additional nameif statement onto one of the other eth0/x interfaces and I'm not sure if that has anything to do with its capabilities to act as a DHCP server (it's not an option in the ASDM) or its ability to serve as the internet gateway for the 2010 clients. (Side notes: The 5505 has a base license and is currently also connecting 1 site to site VPN. As is the 5520, so all of its interfaces are used as well).

I statically assigned a moved client with a .253 address and plugged it into the 2010. I have tried giving the 2010 both a .4 address and a .253 address but neither will allow me to ping any of the addresses on the 5505. The 2010 shows automatic routes to the two subnets and I set its default route to 253.1. The link between the 2010 and the 3750 works - clients receive a .254 address from the 3750 and can get out to the internet via the 5505 and reach the production servers as well.

Why won't the 2010 see the 5505 as a gateway and allow clients to get to the internet and also traverse the 3750 when they need access to the production network?

The reason why I don't just connect the two switches and call it a day is because I also need the production servers to ALWAYS go out/receive web requests via the 5520 outbound/outside interface. I'm having such a hard time wrapping my head around why I can't get my clients moved over to the new switch, I haven't even grasped how I'm going to do that yet.


Cisco Firewall :: ASA 5505 - Dual ISP SLA Track With Primary PPPoE Secondary DHCP

Aug 25, 2011

Cisco ASA 5505 Security Plus, 1 link with PPPoE dialup for internet access

Desirable situation: Primary link with a PPPoE dialup, Secondary Link with DHCP address Assignment

Problem: I want to configure Dual ISP Failover mode, but the problem exists when I configure the ip sla syntax. It looks good in the running config, but after a reload the secondary line becomes primary.

It looks like the PPPoE client authentication is busy when the ip sla tracking mechanism becomes active. Can I tweak the settings so that the ip sla tracking mechanism starts later?

What is the correct config for Dual ISP setup with primary PPPoE and secondary DHCP?


Cisco WAN :: 2821 - Split Outbound Data Traffic

Feb 29, 2012

I have hooked up to the Cisco 2821 router a T1 on Serial and Cable Modem to GigEth0/1 and I want to split outbound traffic so that all regular users will use G0/1 interface for web traffic and the rest of the traffic stays with the T1.  I am having an issue where the users on the network are not able to use the internet when using the following config:
 
!
interface GigabitEthernet0/0.10
description Data
encapsulation dot1Q 50

[Code].....


Cisco Firewall :: ASA 5505 Ftp Traffic From Dmz To Outside

Dec 5, 2012

I am able to ftp from my Head Office to my test machine at the remote location but I can't get the other way around to work. Error message from the Syslog: deny tcp src 192.168.50.5/1825 dst 208.124.202.44/21 by access-group "dmz_access_in". I tried a couple of ways to fix it but no luck. A partial config of my ASA 5505. [code]


Cisco Firewall :: Getting Any Traffic Out Of ASA 5505

Jul 24, 2011

We have a BT Infinity broadband circuit which terminates at a VDSL modem. I've plugged an ASA 5505 into the back of this modem and gone through the ASDM quick setup wizard (yes I'm that much of a beginner!). The config that's been generated is pasted below, the symptoms I'm seeing are:

The ASA is set up with PPPOE on the internet connection. I assume this is correct as if I do a show IP on the ASA I'm getting an IP address that has been assigned, if I change the password to the wrong one then I get no IP (as expected).

If I ping from the ASA to an internet connection I'm getting "no route" error messages, if I try a "ping outside x.x.x.x" then I get no responses.

The ASA can ping its external IP, the client machines can ping its internal, however nothing appears to be able to get out.
 
ASA Version 8.4(1)
!
hostname xxxxxx
enable password xxxxxx encrypted

[Code].....


Cisco VPN :: ASA 5505 Split DNS Setup

Mar 2, 2011

I have an ASA 5505 configured using easy VPN connecting to our corporate ASA.  The ASA5505 is configured for network extension mode with a routable subnet.  The clients that hang off the ASA 5505 are DHCP and get their IP address and DNS settings from the ASA 5505.  I have a split tunnel setup, so only certain networks go over the tunnel back to corporate.  Local Internet browsing goes out the ASA 5505 to the ISP.
 
My question is how to set up split-dns. I would like to have my clients query the ISP's DNS servers for Internet based websites and when they need to access the exchange server the query goes to our corporate DNS servers. I see a setting for DNS names under the group policy on the corporate ASA, but how does the client know which DNS server to use?
 
The clients receive a primary DNS server (ISP) and a secondary (Corporate DNS) from the ASA5505.


Cisco Firewall :: ASA 5505 Throttling Traffic?

Apr 11, 2012

We have 110mbps internet service. When we have the 5505 behind the cable modem, our speed drops to 55mbps or so. If we remove the 5505, we see the full 100mbps. I assume the 5505 can handle the speed; if so, what other things should I be looking at? As an aside, we used to have 50mbps which worked fine, then the ISP upgraded to 60mbps and the throughput dropped to 30mbps. (It always seems to be half)


Cisco Firewall :: Traffic With 5505 Goes To High To Low

Jun 25, 2012

My understanding is for inside to outside we need global and NAT, and for outside to inside we need static and ACL? Traffic goes from high to low. I just started working with the 5505 recently.


Cisco Firewall :: ASA 5505 - VPN Up And Running But No Traffic

Oct 27, 2011

I have VPN up and running between two sites. Both sites have Cisco ASA 5505. I can ping across the devices from both networks. But I cannot remote into the servers on the other network.
