In this article I will explain how to configure a Cisco ASA 5505 firewall to connect to dual ISPs for redundancy purposes. Suppose that we have a primary high-speed ISP connection and a cheaper DSL line connected to a secondary ISP. Normally all of our traffic should flow through the primary ISP. If the primary link fails, the secondary DSL connection should be utilized for Internet access. Please note that the above scenario is valid only for outbound traffic (i.e. from our internal network towards the Internet). The functionality that I will describe below works for ASA 5505 version 7.2(1) and above.

Assume that we are assigned a static public IP address of 100.100.100.1 from the primary ISP and another static public IP address of 200.200.200.1 from our backup ISP. We will use Ethernet 0/0 for connecting to the primary ISP, Ethernet 0/1 for connecting to our internal LAN, and Ethernet 0/2 for connecting to our backup ISP. We will create three VLANs to support our configuration. VLAN1 (the default VLAN) will be assigned to Ethernet 0/1 (inside), VLAN2 will be assigned to Ethernet 0/0 (primary-isp) and VLAN3 will be assigned to Ethernet 0/2 (backup-isp). We also have to configure two static default routes, each pointing to the gateway address of its ISP. The primary ISP default route shall have a metric of 1 and the backup ISP default route shall have a metric bigger than 1 (let's say 2), so that the backup route is used only when the primary route is unavailable. Let us see the configuration below:

```
ASA5505(config)# interface ethernet 0/0
ASA5505(config-if)# switchport access vlan 2
ASA5505(config-if)# no shutdown
ASA5505(config)# interface ethernet 0/1
ASA5505(config-if)# switchport access vlan 1
ASA5505(config-if)# no shutdown
ASA5505(config)# interface ethernet 0/2
ASA5505(config-if)# switchport access vlan 3
ASA5505(config-if)# no shutdown
ASA5505(config)# interface vlan 1
ASA5505(config-if)# nameif inside
ASA5505(config-if)# security-level 100
ASA5505(config-if)# ip address 192.168.1.1 255.255.255.0
ASA5505(config-if)# no shutdown
ASA5505(config)# interface vlan 2
ASA5505(config-if)# nameif primary-isp
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address 100.100.100.1 255.255.255.0
ASA5505(config-if)# backup interface vlan 3
ASA5505(config-if)# no shutdown
ASA5505(config)# interface vlan 3
ASA5505(config-if)# nameif backup-isp
ASA5505(config-if)# security-level 1
ASA5505(config-if)# ip address 200.200.200.1 255.255.255.0
ASA5505(config-if)# no shutdown
ASA5505(config)# route primary-isp 0.0.0.0 0.0.0.0 100.100.100.2 1
ASA5505(config)# route backup-isp 0.0.0.0 0.0.0.0 200.200.200.2 2
```
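A quick offline sanity check of the configuration above, as an added example that is not part of the original article: it parses the interface and route lines and reports conditions that would defeat the primary/backup ordering (a missing second default route, equal metrics, or a gateway outside the interface subnet). The function names `parse` and `audit` are hypothetical, and the sample input is constructed from the addresses used in the article.

```python
import ipaddress

# Constructed sample: the ISP interface and route lines from the configuration above.
SAMPLE = """\
interface vlan 2
 nameif primary-isp
 ip address 100.100.100.1 255.255.255.0
interface vlan 3
 nameif backup-isp
 ip address 200.200.200.1 255.255.255.0
route primary-isp 0.0.0.0 0.0.0.0 100.100.100.2 1
route backup-isp 0.0.0.0 0.0.0.0 200.200.200.2 2
"""


def parse(cfg):
    """Return ({nameif: IPv4Interface}, [(nameif, gateway, metric)]) for default routes."""
    ifaces, routes, name = {}, [], None
    for raw in cfg.splitlines():
        # Drop a leading CLI prompt such as "ASA5505(config-if)# " if present.
        w = raw.split("# ", 1)[-1].split()
        if w[:1] == ["interface"]:
            name = None  # new interface block, nameif not seen yet
        elif w[:1] == ["nameif"] and len(w) == 2:
            name = w[1]
        elif w[:2] == ["ip", "address"] and name and len(w) >= 4:
            ifaces[name] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
        elif w[:1] == ["route"] and len(w) >= 5 and w[2:4] == ["0.0.0.0", "0.0.0.0"]:
            metric = int(w[5]) if len(w) > 5 else 1  # metric defaults to 1 when omitted
            routes.append((w[1], ipaddress.ip_address(w[4]), metric))
    return ifaces, routes


def audit(cfg):
    """Return a list of problems that would break primary/backup failover."""
    ifaces, routes = parse(cfg)
    problems = []
    if len(routes) < 2:
        problems.append("fewer than two default routes: no backup path")
    metrics = [m for _, _, m in routes]
    if len(set(metrics)) != len(metrics):
        problems.append("default routes share a metric: no primary/backup ordering")
    for name, gw, _ in routes:
        if name not in ifaces:
            problems.append(f"route uses unknown interface {name}")
        elif gw not in ifaces[name].network or gw == ifaces[name].ip:
            problems.append(f"gateway {gw} is not a neighbour on {name}")
    return problems


if __name__ == "__main__":
    print(audit(SAMPLE) or "failover routing looks consistent")
```

The parser also accepts lines pasted with their CLI prompt, so the session transcript shown above can be checked as-is.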