Friday 22 September 2017

Cisco ASA dual ISP for incoming traffic

Requirement

If we are using public IP addresses provided by ISP1 and ISP2, and want to keep both public links active at the same time.


For this purpose, we can use traffic zones so that we are able to create two default routes.

Outbound traffic - load balanced across the two ISPs. We should configure tracking as well to identify failed routes.

Inbound traffic - the ASA will return the traffic through the same interface it came in on.

Additional requirement - a secondary or additional IP address on the public (DMZ/inside) server.


Example.

Topology
R3 - Remote user
R1 - ISP1 Router
R2 - ISP2 Router
ASA - Customer side ASA
R4 - Internal or DMZ public server with 2 IP addresses

Configuration required in ASA

1. Traffic zones

Config mode:
zone ISP
zone Internal

Interface mode:

zone-member ISP // apply under both ISP interfaces

2. Routes

route outside1 0.0.0.0 0.0.0.0 192.168.3.2 1
route outside2 0.0.0.0 0.0.0.0 192.168.4.2 1

You may need to configure tracking for the above routes so that a failed ISP path is withdrawn from the routing table.

3. NAT

nat (inside1,outside1) source static inside1_192.168.100.100 public1_1.1.1.1  (NAT for the primary IP through the primary ISP)
nat (inside1,outside2) source static inside2_192.168.100.101 public2_2.2.2.2  (NAT for the secondary/additional IP through the secondary ISP)
nat (inside1,outside1) source dynamic inside1_192.168.100.100 interface  (outbound PAT via ISP1)
nat (inside1,outside2) source dynamic inside1_192.168.100.100 interface  (outbound PAT via ISP2)
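The three steps above combined into one ASA configuration, with the network objects and the route tracking that the steps reference but do not show. This is an added example, not the original post's configuration; the interface names, interface IP addresses, the security levels, the SLA/track numbers and the probe targets (the ISP gateways) are assumptions.

```cisco
! Added example, not the original post's config. Interface names, ASA-side
! IPs, security levels and the sla/track numbers are assumptions.

! 1. Traffic zone holding both ISP interfaces (ECMP across zone members).
!    All members of a zone must share the same security level.
zone ISP
interface GigabitEthernet0/0
 nameif outside1
 security-level 0
 ip address 192.168.3.1 255.255.255.0
 zone-member ISP
interface GigabitEthernet0/1
 nameif outside2
 security-level 0
 ip address 192.168.4.1 255.255.255.0
 zone-member ISP

! 2. One ICMP probe per ISP (probing the ISP gateway, as on the page), each
!    bound to a track object; a route is withdrawn when its track goes down.
sla monitor 1
 type echo protocol ipIcmpEcho 192.168.3.2 interface outside1
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
sla monitor 2
 type echo protocol ipIcmpEcho 192.168.4.2 interface outside2
 frequency 10
sla monitor schedule 2 life forever start-time now
track 2 rtr 2 reachability

! Equal-metric default routes, one per ISP, tied to their track objects.
route outside1 0.0.0.0 0.0.0.0 192.168.3.2 1 track 1
route outside2 0.0.0.0 0.0.0.0 192.168.4.2 1 track 2

! 3. Objects behind the NAT rule names used on the page.
object network inside1_192.168.100.100
 host 192.168.100.100
object network inside2_192.168.100.101
 host 192.168.100.101
object network public1_1.1.1.1
 host 1.1.1.1
object network public2_2.2.2.2
 host 2.2.2.2

! Static NAT for inbound (one public IP per ISP), then dynamic PAT outbound.
nat (inside1,outside1) source static inside1_192.168.100.100 public1_1.1.1.1
nat (inside1,outside2) source static inside2_192.168.100.101 public2_2.2.2.2
nat (inside1,outside1) source dynamic inside1_192.168.100.100 interface
nat (inside1,outside2) source dynamic inside1_192.168.100.100 interface
```

Probing the directly connected gateway only detects a dead link or gateway; if the ISP can fail further upstream, point the probe at an address beyond the gateway.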


PM me if you need any help.

Please note: an alternative option is to use policy-based routing on the ASA, so that if the source IP address is the secondary one, we can set the next hop to the secondary ISP's gateway IP.