

total_noob

@co.cr

 [Config] Can I configure an ASA5505 to load balance with dual IS

We have an ASA5505 configured to use our DSL connection, which is only 512KB (cost is the issue; we are a non-profit with a small budget). We would like to add a second internet connection (3MB cable connection, cheap) and would like to do so with our existing hardware. Ideally, we would like to limit voip and vpn traffic to our existing connection and route all http/ftp/etc. traffic through the cable connection. Right now, any time someone in our little office decides to download something, it kills the rest of us, especially voip traffic. I've tried adding QoS priority for voip traffic and ended up putting an FTP download choke in place to try to preserve voip clarity and some bandwidth for others.

I'm almost a total noob to this device (and cisco device management in general) and would like to know if this is possible, and if so, how to go about it. Any help would be greatly appreciated.

- Henry


total_noob

@co.cr
Re: [Config] Can I configure an ASA5505 to load sharing with dua

Can anyone tell me whether this is even possible?

Anyone?

aryoba
Premium,MVM
join:2002-08-22
Can you post more details? I'm looking for source and destination IP addresses and/or subnets of these VPN, VoIP, HTTP, FTP, and all other traffic.


total_noob

@co.cr

Hi. Thanks for taking the time to try to help me out. We are in Costa Rica and acting as a branch office from our "headquarters" in the US and we use the vpn for secure communications between the offices (email, file upload/down to production server, domain authentication (via local server)). We use asterisk internally for our phone system which maintains a SIP connection with Junction Networks for our long distance communications in the states. The rest of the traffic is just "regular user" traffic (http, ftp, IM, skype, etc.)

What I would like to do is add the second connection and route all of the "regular" traffic through that connection and leave the vpn connection and SIP traffic on our DSL connection.

Thanks again for any help you can provide.
- Henry

I am a bit reluctant to post any specifics about IPs and VPN data as we are just users and not in control and I wouldn't want to be responsible for disclosing too much information. Internally we are NAT'd and running in the 192.168.x.x address schema.

aryoba
Premium,MVM
join:2002-08-22

Without seeing your IP address scheme, it's hard to tell what routing design is needed. Therefore I could probably provide only general comments.

When the VoIP, HTTP, and FTP machines (either user/subscriber or the server) are physically separated, then you should be able to set a routing decision on which source IP address reaches a specific destination IP address through a specific connection. If there are some machines that need to connect to both HTTP and FTP servers, let's say, then you also have to set the routing decision based on the TCP or UDP port numbers.

Whichever direction you take, make sure that the configurations at both ends (your end in Costa Rica and the other end in the US) match. Otherwise, there will be some unexpected behavior such as asymmetric routing and service performance degradation.

cramer

join:2007-04-10
Raleigh, NC
·AT&T Southeast


edit:
August 11th, @01:33AM

reply to total_noob
Re: [Config] Can I configure an ASA5505 to load balance with dua

I do something very similar to what you are asking to do. However, I do it with a Pix 520 (old 3u beast.) I'm not sure you can do this with just a 5505. To quote Cisco, it's a firewall not a router (or load balancer.) The "SEC" model might allow enough vlans to rig it up. The base license only allows an inside, outside, and restricted DMZ (blocked from one of the other two nets.) It certainly doesn't have any load balancing logic; traffic will go where the route table says.

My network consists of 2 internal networks, a DMZ, and 3 ISP links. The internal networks are 2 vlans on the "inside" interface -- "lan" at lvl 100, and "lab" at lvl 99. The DMZ is its own NIC. The "outside" links are 3 vlans on one nic... 2 = DSL (end of the universe backup), 3 = T1, and 4 = DS3... all at lvl 0. Site-to-Site VPNs are nailed to the T1. VPN clients can connect to any interface, but because of the lack of hairpin capability, VPN users connect to a separate pix 501 (on the DS3.)

[Note: my pix520 setup runs into a lot of limitations that don't exist for the ASAs.]


total_noob

@co.cr

Changing the question....

Thanks for the replies. I've come to realize that this isn't possible with just the 5505 and that I need a router in front of it. Any recommendations on a router and how to configure it?

Again, we have a 512K DSL line that I would like to retain for the vpn that we maintain to our home office (we are on their domain and host a domain controller in our office, connect to Exchange in their office, etc.). I occasionally access our network from home using a vpn as well. Inside we are running three servers on a 192.168.x.x network: the aforementioned domain controller, a phone server (trixbox with an IAX connection to the states using Junction Networks), and a development server. We have several public IPs, two of which are routed to the phone and dev servers.

I would really like to make this work as it would benefit everyone in the office, so I am appreciative of any help you can provide.

aryoba
Premium,MVM
join:2002-08-22

Did you know that IPSec VPN in general is not a good approach for VoIP, especially over a DSL line? Not to mention that this will be an IPSec VPN tunnel between Costa Rica and the US.

By deploying IPSec VPN in such an environment, your connection is pretty much at the mercy of your telco, ISP, and transit ISP. Yes, it is a cheap solution; however in general it won't be a reliable solution.

If you prefer to have better reliability, then you might want to consider MPLS.

cramer

join:2007-04-10
Raleigh, NC
·AT&T Southeast

said by aryoba:

your connection is pretty much at the mercy of your telco, ISP, and transit ISP.
No matter how you slice it, he's going to be dependent on them. The problem is not the VPN, it's the INTERNET. I have lan-to-lan VPNs across the US and across the Atlantic; they work just fine.


total_noob

@co.cr

reply to aryoba
said by aryoba:

Did you know that IPSec VPN in general is not a good approach for VoIP, especially over a DSL line?
No. Am I actually sending VoIP traffic over my VPN if they are on different public IPs? Since the DSL line has a minimum level of service, my desire would be to route VoIP traffic over the DSL line rather than the cable line, or shouldn't I bother to be concerned about this and look to configuring only VPN traffic over DSL and everything else through the cable connection?

I'm really struggling to understand how to improve overall speed, retain VoIP quality and stay within our financial capabilities. Am I aiming at an impossible target?

Don't get me wrong, I appreciate the help, but as stated before, I really don't know all that much about networking (I'm a programmer by background) and I am trying to understand.


skj
Welcome to the far side of reality
Premium,Mod
join:2002-04-04
Atlanta, GA
 reply to total_noob
(topic move) [Config] Can I configure an ASA5505 to load balance

Moderator Action
The post that was here (and all 1 followups to it), has been moved to a new topic .. »[Config] Two ISPS that constantly need to be active
© 1999-2008 dslreports.com