Cisco Firewall :: Asa 5510 Dual Isp

Jan 5, 2012

I have 2 Isp's connected to my Asa 5510 running 8.4.4 Ios. Can I route Dmz traffic out one Isp and my regualr traffic out the other Isp?

View 4 Replies


Cisco Firewall :: Dual DSL Lines For 5510?

Jun 13, 2011

My remote office staff are stating it takes "forever" to open simple work/excel files.I think forever really means more than 5 seconds.My main office has a 5510.  I have a brand new server in place here that my remote offices vpn into.
Those remote offices have 5505.
Each office has a dsl connection.  Their download speeds range from 7mb to 10 mb and their upload speed are 0.5 mb to 0.8 mb.My first thought was to add a second dsl line to my main office.  Then have dsl line #1 serve my main office and office 2.Then have dsl line #2 serve offices 3, 4 and 5.
Would this speed up the opening speeds of my remote offices?If so how challenging is adding the second dsl line into my 5510?

View 1 Replies View Related

Cisco Firewall :: ASA 5510 Dual ISP Configuration Required

Jul 13, 2011

I have existing Sonic FW in my company we are moving from sonic FW to ASA 5510 Security plus lice. I have two ISP currently connected to sonic Firewall I am planning to implement Dual ISP configuration on ASA5510.

View 12 Replies View Related

Cisco Firewall :: ASA 5510 Nat / Routing DMZ With Dual ISPs (4 Legged)?

Apr 11, 2013

I am in the process of configuring a ASA 5510 to replace an older PIX.  This change is part of migrating to a new ISP, so the process is complicated by the existence of two outside interfaces.  I have virtually everything working, but there is a requirement to be able to access hosts from the internal networks using both their private IPs and their public IPs.  The older PIX took care of this silently with little configuration, but the ASA has me twisted on the details.  Some of the hosts with public IPs are on the internal network and some are on a DMZ (not my design, inherited).  For the internal ones I implemented hairpinning to take care of the requirement, but I am having trouble with the DMZ based hosts.. Since there are two external interfaces each internal host has two IPs and two static NAT rules to handle incoming traffic from each external interface.
The routins and dynamic NAT entries we have in place take care of accessing the hosts using their private IPs on the DMZ, but I cannot figure out how to get the public IPs to work from the internal network.  It seems like a simple Static D-Nat shoudl do it, but when I add a Static D-Nat on the DMZ the public IP works, but the private IP breaks..  Is there a way to get them both to operate ?
Network layout looks like this (IP ranges altered):

DMZ Class C
Outside  Class C
Outside2  Class C


After applying it I could access the public IP ( from the internal network, but I could no longer access the DMZ IP ( from the internal network. Is there any way to get this configuration to allow access to both IPs from the internal network ?
The problem here is that there are website links based on the public IP and the DNS is split so DNS returns the internal IP to users. As a result both need to be accessible from the internal network.. Not my favorite design, but the client (or in this case the boss) is always right so I need to get it working somehow.

View 8 Replies View Related

Cisco Firewall :: 5510 / Dual ISP / Terminate Two Internet Links?

Aug 4, 2012

I have a 5510 with me. I want to terminate two Internet links on that. The primary Internet Leased Line to access my DC network using Site-to-Site VPN, and the secondary ADSL connection to access my other location network via VPN and and for web browsing. How can I achieve these goals.

View 1 Replies View Related

Cisco Firewall :: ASA 5510 Dual ISP Active / Standby Fail Over

Apr 2, 2013

I have a dual ISP, 1 primary and 1 secondary terminated on fa0 and fa2 on our ASA respectively. ASA was configured so that, when the primary fails, the secondary kicks in.  [code]
It was until yesterday that we experienced downtime on the primary ISP that the secondary doesn't do the fail-over. I have to manually configure the device to use the secondary ISP. Currently, I'm looking at maybe this has something to do with the licensing.We are currently using a Base License, should we be upgrading to Security Plus?

View 10 Replies View Related

Cisco Firewall :: ASA 5510 - Dual Internet Connections / Routing DMZ Traffic

May 29, 2012

I am having an issue when implementing an additional internet connection on our ASA 5510. The new connection is "TWCOutside".  I was my understanding that static NAT would force our externally hosted servers (Email, PPTP VPN, and FTP) to continue to utilize the "ATTOutside" connection.  Our remote site-to-site VPN traffic has two static routes configured to force it to continue to use the ATTOutside connection.When I switch the metric on the route to 1, and change out default dynamic xlate to use "TWCOutside", it "mostly" works as expected.  Email, the PPTP VPN server, and our remote site-to-site VPN server continue to use the ATTOutside connection as designed.  Our end users begin using the new connection for thier internet browsing.
However, our FTP server, in the DMZ, completley loses outside access.  It cannot ping to, or resolve DNS queries.  The is a static NAT statement for this server, as it is using one of our dedicated public IP addresses.  I need it to continue to do so for the next few weeks.Effectivley, we just want to give our end users internet browsing on the new TWC link, but leave everything else on the old ATT link for the time being.  The only problem I am having is the DMZ connection.  I am currently "rolled back", so no one is using the new connection until I figure this out.  I can easily switch the metric and dynamic PAT back to using the TWC connection, but I need to have some things to try with the DMZ before doing so. [code]

View 2 Replies View Related

Cisco VPN :: ASA 5510 - Dual WAN Connections

Nov 29, 2011

Context:1- My company has one ASA 5510 configured with Site-to-site VPN, Ip sec Cisco VPN and Any Connect VPN.2- We use ASA to connect to the single ISP (ISP 1) for internet access. ASA does all the Na Ting for internal users to go out.3- A second link is coming in and we will be using ISP 2 to load balance traffic to internet (i.e. business traffic will go via ISP1 and “other” traffic will go via ISP2).4- A router will be deployed in front of the ASA to terminate internet links.5- No BGP should be used to implement policy (traffic X goes via ISP1, traffic Y goes via ISP2). Questions:How do I get this done, particularly, how do I tell the router, for traffic X use ISP1 and for traffic Y use ISP2? PBR is my friend?Since I will be having 2 public Ip Addresses from the 2 ISPs, how do I NAT internal users to the 2 public Ip addresses ?. Finally, which device should be doing the Na Ting? The ASA just like now or move Na Ting to the Router?

View 9 Replies View Related

Cisco VPN :: 1811 To ASA 5510 Dual Wan Vpn

Nov 9, 2011

i have two branch offices A & B both connected by a vpn. i am planning to add another isp on both the locations and have it just for the vpn. i.e have the second isp do just vpn and all other traffic go through the older ISP.. what are my options ? am not planning to add any extra hardware and also am not planning on acheiving any fail-over or load-balancing because i know ASA 5510 does not do load-balancing.

View 1 Replies View Related

Cisco :: Dual ISP On A 5510 With Static Nat To A Mail Server?

Sep 2, 2011

Only trying to have the mail server reachable via the secondary ISP link if the primary ISP link goes out. The public MX records with priority markings should make it so any outside hosts tries the first ISP address then the second ISP address if the first is unavailable. I would be using object tracking to control the default gateway in the ASA. I'm just a bit fuzzy on the NAT with a dual ISP config on single box.It shouldn't happen but... if traffic comes in on ISP2 while ISP1 is still up (and the current default gate) that traffic should return out the ISP2 interface (using the ISP2 address and avoiding asymmetric routing) since there already an existing connection present inside the ASA. Any server initiated traffic would still use the current default gateway defined via object tracking on the ASA.

View 1 Replies View Related

Cisco WAN :: 5510 Dual ISP Load Balance And Backup For Each Other

Mar 4, 2011

I have two ISP circuits and the following devices in hand:

1.   Cisco ASA 5510
2.   Cisco 2800 router
3.   Cisco 3750 switch

I've finished a part of the configs on above equipments, please refer to the attached diagram.And I'm making a test in order to achieve the below features:

1. By default, packets from PC1 go out through ISP 1. Packets from PC2 go out through ISP 2
2. When ISP 1 is down, packets from PC1 changed its way to ISP 2 through the 2800 router. And when ISP 2 is down, Packets from PC2 changed its way to ISP 1 through ASA 5510.

View 2 Replies View Related

Cisco VPN :: ASA 5510 With Dual ISPs Split Traffic Between VPNs And Internet

Jul 1, 2011

I need to know how to setup my ASA with dual wan links. 1 is 10/10 fiber, other will be a 50/5 Cable Wideband link. The 10/10 fiber is currnetly being used for VPN's and Internet, (about 20 point to point IPSEC vpn's currently).
I want to add the Wideband link and use the "Tunneled (Default gateway for VPN traffic)", feature for the current fiber link and the new Wideband link for any other internet traffice. I tried this however as soon as I set my fiber link to "Tunneled (Default gateway for VPN traffic), I lost all connectivity.
I also setup my "VPN" link with the "tunneled" option and my "INTERNET" link with a default route to the internet. This would only let me ping internet sites from the ASA device but not from client computers, also the VPN's would not come backup.
I have tried the sla setting with a DSL line for failover and that works good, i've since got rid of the DSL and want to utilize 2 wan links for different purposes/traffic.
ASA 5510, SSM-10      1GB RAM
ASA version                8.4(1)
ASDM Version            6.4(3)
Context Mode            Single
FW Mode                  Routed
License                     Security Plus

View 5 Replies View Related

Cisco Firewall :: Dual NAT With ASA 8.2?

Dec 13, 2012

i am trying to configure Dual NAT (source and destination) with multiple subnets in the source, i am trying to figure out how to accomplish this with 8.2 ASA ,
Original source


View 6 Replies View Related

Cisco Firewall :: Dual ISP On ASA 5505?

Oct 9, 2012

My client is transitioning to a new ISP and want to migrate there web servers in stages.  therefore they would like to keep some servers running on the old ISP and some servers use the new ISP.
I have set this up in a lab and keep running into routning issues (I am using 5510 for the lab as I do not have a 5505 available). I know that ASA's don't support PBR.  Is there any way or trick to get this to work on the ASA?
I have a feeling this is not possible and we would need to get another ASA or a Router to get this to work.        

View 1 Replies View Related

Cisco Firewall :: Use Dual ISP's With ASA5505?

Oct 1, 2010

for the purpose of a redundency, incase the primary ISP goes down the backup kicks in.Can this be done with the basic license (max 3 vlans) or you need to have the security plus license. (20 vlans) Currently not using the 3rd vlan (dmz)

View 5 Replies View Related

Cisco Firewall :: Dual ISP On ASA 5505

May 28, 2012

I need to configure my asa as follows: Two active ISP´s, one(ISP1) for outbound traffic (normal internet traffic) and the other one for inbound traffic(ISP2), http to a web server in the inside network. I have two default routes, one pointing to ISP 1 with metric 1 and the other to ISP2 with metric 2. I perform dynamic nat to ISP1 interface with hosts in the inside network and static nat to ISP2 interface with web server.

View 1 Replies View Related

Cisco Firewall :: Dual ISP With Nat On ASA5510 V8.4

Sep 30, 2012

At the moment we want to connect the ASA on two seperate internet connections . We create one LAN interface and two WAN interfaces. Now we want to create nat rules nat our outgoing traffic. After some research and testing (on a 8.0(4) asa) we have it working.

But now we want to implemate it on our ASA, but it works a lot differerent. I can't create a nat pool (at the 8.0(4) i can assign the second interface to the existing pool) wit two interfaces,

View 1 Replies View Related

Cisco Firewall :: ASA 5520 - Dual ISP

Mar 12, 2011

I have Cisco ASA 5520 . I want to deploy this in the following scenario. Two ISP( for internet) links are connected in the ASA. Three  zone ( Outside , DMZ , Inside) specified on the ASA.In DMZ , there are two proxy server ( proxy 1 , proxy 2) . Branch user will use proxy server 1 and Head office will use proxy 2. 
In the above scenario management requirements are, Proxy 1 will use ISP 1 and proxy 2 will use ISP 2.If ISP 1 goes down then proxy 1 will use ISP 2 for internet. Please suggest me how I will configure the ASA in the above requirements or if possible send me the configuration.

View 3 Replies View Related

Cisco Firewall :: Configure Dual ISP On 5505 8.4

Mar 27, 2013

I am attempting to set up failover dual ISP on a 5505 running 8.4(4) with the Sec Plus  license. Everything i have been able to reference so far, points to old commands not available or relevant in 8.4
For instance:
global (backup) 1 interface
global (outside) 1 interface
nat (inside) 1
route outside 1
route backup 10
What is the new syntax that should be used to mimic these commands?  I have the sla and trach reachability configuration already set up.

View 1 Replies View Related

Cisco Firewall :: ASA 5505 With Dual ISP And 2 Networks

May 7, 2013

I would like to configure a Cisco ASA 5505 with Dual ISP (ISP 1 and  ISP2) and two networks (network 1 and network 2). My customer need that  clients in the network 1 connect to Internet with ISP1 and clients in  the network 2 connect with ISP2. If a failure occurs in ISP1 (just an  example) the network 1 clients connect with ISP2.

View 10 Replies View Related

Cisco Firewall :: ASA 5520 Dual ISP Feature

May 31, 2013

I would like to knwo if i have dual ISP feature with my ASA 5520 licence? With ASA 5505 i can see Dual ISP feature but with ASA 5520 it's not!

View 3 Replies View Related

Cisco Firewall :: ASA5510 Dual ISP And VPN On Backup

Dec 19, 2012

ASA5510 ios v8.4.I've setup dual ISPs and I'm trying to get ipsec VPN client access to work on the backup interface (outside-backup). The goal is to have outbound traffic on the inside subnet NAT'd through the main interface (outside) while inbound ipsec VPN clients connect and operate off of outside-backup.crypto map is applied to 'interface outside-backup,' however clients are unable to connect. If I switch the default route to go through outside-backup everything starts to work again.

View 1 Replies View Related

Cisco Firewall :: Dual ISP And Inbound NAT ASA5505 8.2

Oct 30, 2012

I have setup an ASA5505 running 8.2 with dual ISP's
Primary link is the current live static route out and the backup picks up if the primary fails. That all works great However I have an issue with inbound NAT rules
I have configured an inbound static on the primary which works great
static (inside,primary) *.*.*.* netmask access-list outside_access_in line 2 extended permit tcp any host *.*.*.* eq 3389 (hitcnt=4)
Question? With the primary link active and the default route pointing out through the primary, am I able to configure an inbound NAT to the same inside host
on the backup link?
If the primary fails users will need to be able to connect inbound to this service
When I try to set it up I got this error ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address
So I tried that and got this error WARNING: All traffic destined to the IP address of the backup interface is being redirected. WARNING: Users will not be able to access any service enabled on the backup interface.
So what is the best practice for configuring inbound NAT for a dual ISP configured ASA

View 1 Replies View Related

Cisco Firewall :: ASA5505 - Dual ISP With ASA And Dynamic IPs On Outside?

Jun 3, 2012

I have a site with an ASA5505 and 2 isp connections but the catch is the 2 isp's are giving me a dynamic IP so I am unable to use this [URL]

View 3 Replies View Related

Cisco Firewall :: ASA 5505 Security Plus Dual ISP

Apr 5, 2010

I have an ASA5505 with Security Plus license so I can have many interfaces (not 2 + 1 limited DMZ like in base license)
I have 2 VLANs.Is it possible to use one ISP for VLAN 1 and other for VLAN 2 ? Is it limited to 2 ISP's or can have more ?

View 14 Replies View Related

Cisco Firewall :: Create A Dual DMZ In ASA5510?

Feb 29, 2012

I want to create a Dual DMZ in a ASA5510 however it is not like I used to in ASA5505?In ASA5505 I create a Outside, Inside and DMZ VLAN and there after add the interfaces into the VLAN.This way I can have two DMZ interfaces, but how do I do it in a ASA5510?

View 1 Replies View Related

Cisco Firewall :: ASA 5505 / Dual WAN For Different Services?

Sep 18, 2012

I have ASA 5505 ver, 8.4(1) I have configured 2 WAN links to

1. Outside1 - distance metric 50
2. Outside2 - distance metric 20
Currentry all traffic is passing thru Outside2 and it's correct, also s2s and ra VPN is also running on Outside2 ?My current case is to use Outside1 for webvpn services only. I can't use Outside2 becouse on 443 port other services are running, also I cant change webvpn port to other.
How can I match packets incoming to interface Internet1 from Interner side nad route them back thru Internet1 interface.
IPSLA is not a good solution becouse I need to have both WAN links used Now in routing table I have only onre record

S* [20/0] via x.x.x.x, INTERNET2

for link with lower metric, but after some problems with provider for link Internet2 routing has changed for Internet1 and didn't change it back after resolving problem? how to create it for all traffic incoming for Internet1 interface from outside?

View 1 Replies View Related

Cisco Firewall :: Dual ISPs On ASA 5505

Dec 5, 2011

We have a cisco ASA 5505 with sec bundle plus
We have two ISP's:
ISP1 (Our IP =, gateway
ISP2 (Our IP = dynamic, gateway - ADSL 
Our internal LAN IP range is
We want to configure the ASA 5505 to allow users via ISP2 for http traffic We then want to use ISP1 for strictly VPN and access to internal web resources (eg OWA) as we have public IP's there.
Our idea was to configure two gateways on the ASA (e.g. via ISP2 and via ISP1)
Then give the users gateway for web browsing etc Is this configuration possible on the ASA 5505?

View 4 Replies View Related

Cisco Firewall :: PIX515 6.3.3 - Configure Dual ISP On Two Interfaces?

Jul 4, 2011

I have a pix515 v6.3.3. Is it possible to configure dual ISP on two interfaces and have redundancy between them?

View 1 Replies View Related

Cisco Firewall :: ASA 5520 For Dual Active ISPs

Dec 14, 2011

I inherited a network redesign project mid implementation and ran across an issue that I was not 100% sure able to be resolved.  Implementation is occurring in which the organization is changing over to a different ISP and we have some customers that will not be able to change their settings over to our new addresses from some time.  I have seen a lot of posts about fail over and dual ISP configurations, but I could not relate them to this particular scenario.

View 3 Replies View Related

Cisco Firewall :: ASA 5505 Dual WAN Settings Required

Feb 27, 2012

I have a 5505 configured with a active/standby dual wan setup using the sla tracked connection settings. Is there a way to configure the ASA to stay on the backup connection after activating? We had a situation where the main T1 was bouncing, so the backup connection was being activated and deactivated very often. The problem is that there is an app being used that does not allow users to reconnect to dropped connections immediately, so every time the asa switches wan connections it causes a significant disruption.I should note that I already set monitor options frequency to 240 seconds. I could set it higher, but then we have a longer delay when the main connection dies.

View 2 Replies View Related

Cisco WAN :: Require Dual WAN But Not Necessarily Firewall ASA 5505

Feb 9, 2012

I have a small office with about 20 people.  I currently have a T1 line which feeds a Cisco ASA 5505.  I would like to replace the T1 line with two (2) ADSL lines.  I need a dual WAN switch/load balancer.  I researched a bit and found that Cisco RV042 will probably work for me even though I don't need another VPN and would have to disable it.
My question:  Is there anothe device from Cisco or others which will give me the dual WAN and load balancing but not the VPN piece.  My assumption is that it would be a less expensive device if such an animal exists.

View 2 Replies View Related

Cisco Firewall :: ASA5510 V8.4 Dual ISP And Port Forwarding?

Dec 17, 2012

I'm looking for an example config of how to run dual ISPs while doing port fowarding for one of the publicly facing IPs. This is on 8.4 so

View 1 Replies View Related

Copyrights 2005-15, All rights reserved