ASA 5505 Dual Wan 1

[msteinblock]

I currently have two ISP connections, one Cable, one DSL. We are having a lot of problems with the cable and would like to get rid of it. I cant justify going with a full T1, so I am thinking about going with a second DSL line. I currently have an ASA 5505 on one line, and a Sonicwall TZ170 on the other. Is there any benefit with combining both ISPs on one machine (ASA 5505)? Are there any load balancing capabilities or benifits there? Or should I stay with two separate firewalls for each line?

Thanks in advance?

 

[brianinms]

An asa has no load balancing features.

 

[msteinblock]

Thanks for the info. I did not know if it had those capabilities or not. With that said, are there any good or bad reasons to combine WAN connections on one firewall?

 

[NetworkGhost]

Sounds like your looking for the job of a actual load balancer or a router. With Policy Based Routing you could implement what your looking for with ease. Or even do a per packet load balancing which would only work for egress traffic.

The benefit to using the ASA is that you get rid of the sonicwall

Are you looking to get more bandwidth out of a virtual single pipe or are you wanting to distribute classed traffic?

EX: VPN over pipe A. HTTP, FTP SMTP over pipe B

http://www.wr-mem.com

 

[msteinblock]

Thanks for the reply. Load balancing is not so much priority. I was just curious as to whether it would be worth the effort to reduce the number of hardware...one firewall vs two. One connection uses primarily uploading while the other is for our general internet use/email server. I thought if it was possible to combine the upload speeds and download speeds. Even if all I can do is eliminate the sonicwall and not gain any load benefits, would be be better for just one hardware?

 

[NetworkGhost]

If I was in your position I would look at consolidating to one FW and keep the sonicwall on the rack as a spare.

A router should be able to combine the 2 connections but unless you have one ISP with both of the lines then you wont be able to do one virtual pipe.


With PBR you could make traffic destined to and from network X travel over the appropriate DSL line. You could use the ASA to fune tune what goes where by tweaking you NAT config.

http://www.wr-mem.com

 

[msteinblock]

Actually both connections are from the same ISP. As soon as I get the second DSL line, I will try to get both to use the ASA. I assume I would also have to connect another LAN connection as well? I currently have three lines coming in. LAN, WAN, VLAN. I would have to add an additional LAN (set to different local IP) as well as an additional WAN, giving me five total connections, correct?

Thanks

Matthew

 

[NetworkGhost]

If you terminate both on the ASA that would only work for Backup. You have to terminate to a router to make this work effectively. The ASA can only have one Active Default Route.

http://www.wr-mem.com

 

[msteinblock]

Which is better, the ASA 5505 or the Sonicwall TZ170? I am looking at this documentation, which is what I want to do.

http://sonicwall.com/downloads/Configuring_WAN_Failover_SonicOS_Enhanced.pdf

Looks like I can share two ISP connections in a load balancing scenario with the TZ170.

 

[NetworkGhost]

Which is better? The ASA of course , but the sonicwall features look to match up with what you may want. Although it looks like is doesnt support source based routing which is probably what you would want ultimately in the future.

http://www.wr-mem.com

 

[msteinblock]

My problem is I understand the Sonicwall, I have used them for years. The Cisco stuff is a little hard for me to grasp, I have only had this for a month, and someone else configured it. I am not confortable configuring it as of yet. Thanks again for all the info....

 

[NetworkGhost]

A good book to get if you are interested in the "Cisco ASA and PIX Firewall Handbook". Will give you a good understanding of how the ASA works and how to configure. Good Book.

http://www.wr-mem.com