article I will explain how to configure a Cisco ASA 5505 firewall to connect to dual ISPs for redundancy purposes. Suppose that we have a primary high-speed ISP connection, and a cheaper DSL line connected to a Secondary ISP. Normally all of our traffic should flow through the primary ISP. If the primary link fails, the secondary DSL connection should be utilized for Internet access. Please note that the above scenario is valid only for Outbound traffic (i.e. from our internal network towards the Internet). The functionality that I will describe below works for ASA 5505 version 7.2(1) and above.

Assume that we are assigned a static Public IP address of 100.100.100.1 from Primary ISP and another static Public IP address of 200.200.200.1 from our Backup ISP. We will use Ethernet 0/0 for connecting to Primary ISP, Ethernet 0/1 for connecting to our Internal LAN, and Ethernet 0/2 for connecting to our Backup ISP. We will create three VLANs to support our configuration. VLAN1 (the default VLAN) will be assigned to Ethernet 0/1 (inside), VLAN2 will be assigned to Ethernet 0/0 (primary-isp) and VLAN3 will be assigned to Ethernet 0/2 (backup-isp). We also have to configure two static default routes pointing to the ISP gateway address. The primary ISP default route shall have a metric of 1 and the backup ISP default route shall have a metric bigger than 1 (let's say 2). Let us see the configuration below:

    ASA5505(config)# interface ethernet 0/0
    ASA5505(config-if)# switchport access vlan 2
    ASA5505(config-if)# no shutdown
    ASA5505(config)# interface ethernet 0/1
    ASA5505(config-if)# switchport access vlan 1
    ASA5505(config-if)# no shutdown
    ASA5505(config)# interface ethernet 0/2
    ASA5505(config-if)# switchport access vlan 3
    ASA5505(config-if)# no shutdown
    ASA5505(config)# interface vlan 1
    ASA5505(config-if)# nameif inside
    ASA5505(config-if)# security-level 100
    ASA5505(config-if)# ip address 192.168.1.1 255.255.255.0
    ASA5505(config-if)# no shutdown
    ASA5505(config)# interface vlan 2
    ASA5505(config-if)# nameif primary-isp
    ASA5505(config-if)# security-level 0
    ASA5505(config-if)# ip address 100.100.100.1 255.255.255.0
    ASA5505(config-if)# backup interface vlan 3
    ASA5505(config-if)# no shutdown
    ASA5505(config)# interface vlan 3
    ASA5505(config-if)# nameif backup-isp
    ASA5505(config-if)# security-level 1
    ASA5505(config-if)# ip address 200.200.200.1 255.255.255.0
    ASA5505(config-if)# no shutdown
    ASA5505(config)# route primary-isp 0.0.0.0 0.0.0.0 100.100.100.2 1
    ASA5505(config)# route backup-isp 0.0.0.0 0.0.0.0 200.200.200.2 2
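The following Python script is an added example, not part of the original article or of any Cisco tooling. It audits the ISP-facing part of the configuration above for the mistakes that would silently break the failover: a default-route gateway outside its interface's subnet, equal route metrics, or a missing `backup interface` on the preferred link. The names `CONFIG`, `parse` and `audit` are assumptions of this example, and `CONFIG` is the article's commands with the prompts removed.

```python
import ipaddress

# ISP-facing commands from the article, prompts removed (assumed input format).
CONFIG = """\
interface vlan 2
 nameif primary-isp
 ip address 100.100.100.1 255.255.255.0
 backup interface vlan 3
interface vlan 3
 nameif backup-isp
 ip address 200.200.200.1 255.255.255.0
route primary-isp 0.0.0.0 0.0.0.0 100.100.100.2 1
route backup-isp 0.0.0.0 0.0.0.0 200.200.200.2 2
"""

def parse(text):
    """Return ({nameif: settings}, [(nameif, gateway, metric)]) for default routes."""
    ifaces, routes, cur = {}, [], None
    for line in text.splitlines():
        w = line.split()
        if w[:2] == ["interface", "vlan"]:
            cur = {"vlan": w[2], "backup": None, "net": None}
        elif w[:1] == ["nameif"] and cur is not None:
            ifaces[w[1]] = cur
        elif w[:2] == ["ip", "address"] and cur is not None:
            cur["net"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
        elif w[:3] == ["backup", "interface", "vlan"] and cur is not None:
            cur["backup"] = w[3]
        elif w[:1] == ["route"] and w[2:4] == ["0.0.0.0", "0.0.0.0"]:
            metric = int(w[5]) if len(w) > 5 else 1  # the metric defaults to 1
            routes.append((w[1], ipaddress.ip_address(w[4]), metric))
    return ifaces, routes

def audit(text):
    """Return a list of problems that would break the failover described above."""
    ifaces, routes = parse(text)
    problems = []
    for name, gw, _ in routes:
        iface = ifaces.get(name)
        if iface is None or iface["net"] is None:
            problems.append(f"route uses unknown or unaddressed interface {name}")
        elif gw not in iface["net"].network or gw == iface["net"].ip:
            problems.append(f"gateway {gw} is not a neighbour on {name}")
    ranked = sorted(routes, key=lambda r: r[2])  # lowest metric is preferred
    if len(ranked) != 2 or ranked[0][2] == ranked[1][2]:
        return problems + ["need exactly two default routes with different metrics"]
    pri, bak = ifaces.get(ranked[0][0]), ifaces.get(ranked[1][0])
    if pri and bak and pri["backup"] != bak["vlan"]:
        problems.append(f"{ranked[0][0]} lacks 'backup interface vlan {bak['vlan']}'")
    return problems
```
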