ASA/PIX: Load balancing between two ISP - options

Transcription

1 ASA/PIX: Load balancing between two ISP - options Is it possible to load balance between two ISP links? on page 1 Does the ASA support PBR (Policy Based Routing)? on page 1 What other options do we have? on page 1 SLA Route Tracking on page 1 PBR on the router outside the firewall on page 2 Allowing outbound via ISP1 and inbound via ISP2 on page 4 Multiple context mode on page 5 Is it possible to load balance between two ISP links? Presently it is not possible to load balance traffic between two ISP links on an ASA. The reason being, there can only be one default route configured on the ASA. Does the ASA support PBR (Policy Based Routing)? No, the ASA does not support PBR. What other options do we have? SLA Route Tracking With this method we can configure both the ISP links on the ASA and use the primary ISP for all outgoing traffic and then the secondary ISP, if the primary fails. Failure of the primary 1

2 ISP causes a temporary disruption of traffic. Use this configuration for redundancy or backup purposes only. Refer this link: products_configuration_example09186a00806e880b.shtml PBR on the router outside the firewall With this method we can configure both the ISP links on the router outside the firewall. We can translate some traffic to use Primary ISP provided IP address and the rest of the traffic to use Secondary ISP provided IP address. Now, based on this source address that hits the router, we can configure the router to do policy based routing and route the traffic either via the Primary ISP or via the Secondary ISP. Let us assume the requirement as below: 1. We would like all the users traffic translated to the ISP1 provided address 2. We would like all the servers traffic translated to the ISP2 provided address 3. The router should look at the translated addresses and based on the address it should set the next hop address and route the traffic via the appropriate ISP. 2

3 ISP1 provided address block is /24 and ISP2 provided address block is /24. These are not routable addresses. For simplicity reasons we are using RFC 1918 address space. ASA config: Translation for all users to take ISP 1 nat (inside) global (outside) Translation for web and servers to take ISP2 static (inside,outside) netmask static (inside,outside) netmask route outside Router config: ip access-list ext isp1-addr permit ip any ip access-list ext ips2-addr permit ip any route-map ISP permit 10 match ip address isp1-addr 3

4 set ip next-hop route-map ISP permit 20 match ip address isp2-addr set ip next-hop int f0/0 ip address ip policy route-map ISP in Allowing outbound via ISP1 and inbound via ISP2 Let us take the same example above. We can use one ISP1 for all outbound connections and use IPS2 for all inbound connections. Translation for all outbound connections from users and servers to take ISP 1 nat (inside) global (ISP1) route ISP Here are the translations for inbound connections to the servers: Translation for web and servers to take ISP2 static (inside,isp2) netmask static (inside,isp2) netmask

5 In the previous case even the out bound connections made by the servers would take the ISP2 path but, in this example outbound connections from the web and servers will take ISP1. ONLY the INBOUND connections will come through ISP2 and will be responded back using ISP2. Multiple context mode The last option is to use multiple context mode where we can load balance on a per context basis. VPN is not supported in this mode and so are dynamic routing protocols. Please refer this link for the limitations: configuration/guide/contexts.html#wp Context-1 could use ISP1 link and Context-2 could use ISP2 link. 5