Dual WAN link ER605v2 Cisco ASA 5520
There is an old post on this, but I am not able to find the answer in question. I will have two ISP WAN connections; from this I am trying to link the ASA 5520, which has three interfaces: Outside (connection of single ISP), Inside (connection of all VLAN HP switch), and DMZ VLAN for Hosted Web Servers (inside traffic).
I can configure the WANs with no issues, but I am trying to understand that one of the LAN ports (4) would need to direct back to the Outside interface of the ASA.
Here is what I am trying to cover, but when I make a link from LAN Port 4 to the Outside interface on the ASA 5520 it pings, but when I cover a test route it does not complete in the desired number of hops. I have tried Add Route but some options are not that clear.
The LAN port does require a VLAN tag and I used 2 for this, as it does not exist on my existing network and I did not want conflicts, and in itself it is not seen on the existing LAN.
Please, if anyone has covered this, could you please provide details with DIA or point to any YouTube video that has done a similar connection on a main core router.
Does TP-Link have any supporting documentation? I work within a school and hope to pass this information on further to other schools, UK based.
Thanks for your support.
If I understand you correctly, you want to use an ER605 in front for WAN failover. Isn't it easier with WAN failover on the Cisco ASA?
The Cisco ASA 5520 can do failover, but I have two inline 1GB ISP links that I wish to load balance; I mentioned this on the dia, not in my statement. My thinking is the ASA sees the Outside as a link. I have been looking over our existing ASA, working on one ISP, to understand more; you can enable DNS on interfaces that may need to resolve.
Routing should work as it should be no more than an internal VLAN switch placed internally.
I hope to use the tools, traceroute and ping, from one interface to the other to see where it fails.
What I do not understand is the setting of interfaces:
outside 0.0.0.0 0.0.0.0 IP address for ISP
When I try to create another interface
VMoutside 0.0.0.0 0.0.0.0 ip address from Virgin Media.
it fails on configuration, saying conflict on other interface.
I need to check on this, if it was used elsewhere on the Cisco ASA; I looked but could not find any other reference.
But in this post you can configure interfaces with 0.0.0.0 0.0.0.0
ASA/PIX 7.x: Redundant or Backup ISP Links Configuration Example - Cisco
As here using track as failover
!--- NAT Configuration for Outside and Backup
route outside 0.0.0.0 0.0.0.0 10.200.159.1 1 track 1
!--- Enter this command in order to track a static route.
!--- This is the static route to be installed in the routing
!--- table while the tracked object is reachable. The value after
!--- the keyword "track" is a tracking ID you specify.
route backup 0.0.0.0 0.0.0.0 10.250.250.1 254
I think the track is missing on 254.
Cisco ASA doesn't have load balancing, and I don't know if it works that well on TP-Link either, but I don't understand why you want to set up failover on the Cisco ASA if you're going to use the ER605 as a load balancing router. Can't you just connect Outside on the Cisco to Inside on the TP-Link?
As I see it, there is not much to do on the Cisco ASA; you just have to make sure that the ASA and ER605 can communicate from the Outside interface to the Inside on the ER605.
And the ER605 will handle the load balancing.
If you are only going to have failover WAN, it is better to use only the Cisco ASA; it has faster and better failover than the ER605.
That is correct, I want the TP ER605 to cover load balancing and leave the ASA 5520 as is. I am working on the spare ASA and trying the interface from the outside to the TP-Link LAN on a subnet with only two hosts.
I will use one subnet from this selection and see what gives.
172.16.50.0/31
172.16.50.14 172.16.50.15
172.16.50.14
If you use a /31 mask, 172.16.50.14 and 172.16.50.15 are only the network and broadcast addresses; try /27 (255.255.255.224).
Managed to get a connection working from ASA 5520 to ER605 > Internet.
In the image you can see LAN port 4 on the ER605 goes to the OutSide interface on the ASA (green cable, port 0) and Inside ASA port 1 goes to the internal network (HP Core - HP Switch).
But I get an error on DNS from a connection on the inside from the ASA, but if I connect the laptop it picks up DHCP on VLAN 2 and shows a result from nslookup www.google.com
The inside ASA interface can ping 8.8.8.8, but on a host it fails with host unknown and nslookup fails on time out.
It's an issue on DNS reverse lookup; as this is a test of concept, the ASA does not have internal Windows DNS as on the live production site.
Have you configured DNS on your ASA? Try to ping something by name from the console on your ASA,
or configure ASA DNS with these commands:
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 1.1.1.2
My account is migrated but I'm /shberge with a new name.
I do have DNS configured on the ASA, but I did a check over our production site, which hits our internal Windows DNS server to resolve and reverse lookup. On my test ASA I added 1.1.1.2 plus 8.8.8.8 on Outside.
But this does not resolve traceroute on the ASA under tools.
Oh, interesting: when I specify www.google.com on our production with Outside it does the same.
But add 1.1.1.2 on the production ASA and this now resolves.
Then on the test ASA something is wrong. I did think it's port 53 but cannot see how.
On the ER605, would I need a static route configured?
It's mad for me, as you can ping 8.8.8.8 from the interface on the test ASA Outside.
I don't know, there is probably something wrong with the ASA configuration, have you tried the cisco forum :-)
I did a trace here but I don't have an ER605 in front..
I have this software version on this ASA
What version are you on with your ER605? When using subnet mask 255.255.255.248 it did not like the entry for DNS and complained about it with a red error mark; I think it said broadcast address. However, if you place 255.255.255.0 it allows DNS of 8.8.8.8.
I live in the UK and am asking: should I update the firmware? It's Version 2.0 on the ER605, but I looked on their support site and it does not show a download.
I found version 2.6 but from another country, and it states it may not work.
I do not like giving up on what should be simple routing, and Cisco always want to ask for support contracts, which I think expired with the tide.
Thanks for your support. I did try a packet test on the ASA and that worked; I placed my laptop back on Port 4 LAN and it's failing once more on DNS, but not on Port 5 LAN, but I want to keep that separate for access to the ER605 for restore or similar.
what a pain but thanks for your support and help
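The addressing points raised in this thread (the /31 link between the ASA and the ER605, and the 255.255.255.248 mask that rejected a DNS entry) can be checked with a small classifier. This is an added example, not code from any poster or vendor; the function names are hypothetical, it assumes classic subnet rules with no RFC 3021 point-to-point /31 handling, and applying the entered mask to 8.8.8.8 is an assumption about what the ER605 form checks.

```python
import ipaddress

def classify(addr, mask):
    """Role of addr under mask (prefix length or dotted mask), classic rules.

    Assumption: the device does not treat /31 as an RFC 3021 point-to-point
    link, so the lowest address is the network and the highest the broadcast.
    """
    ip = ipaddress.IPv4Address(addr)
    net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    if ip == net.network_address:
        role = "network"
    elif ip == net.broadcast_address:
        role = "broadcast"
    else:
        role = "host"
    return {
        "role": role,
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        # Classic count: everything except network and broadcast.
        "usable_hosts": max(net.num_addresses - 2, 0),
    }

def longest_usable_prefix(a, b):
    """Longest prefix (smallest subnet) in which a and b are both plain hosts."""
    for prefix in range(30, 0, -1):
        ra, rb = classify(a, prefix), classify(b, prefix)
        same_net = ra["network"] == rb["network"]
        if same_net and ra["role"] == rb["role"] == "host":
            return prefix
    return None

if __name__ == "__main__":
    # Values quoted in the thread.
    samples = [
        ("172.16.50.14", 31), ("172.16.50.15", 31), ("172.16.50.14", 27),
        ("8.8.8.8", "255.255.255.248"), ("8.8.8.8", "255.255.255.0"),
    ]
    for addr, mask in samples:
        print(addr, mask, classify(addr, mask))
    print("longest prefix for .14/.15:",
          longest_usable_prefix("172.16.50.14", "172.16.50.15"))
```

Under these rules /27 is the longest prefix in which both 172.16.50.14 and 172.16.50.15 are usable host addresses, and 8.8.8.8 has all-zero host bits under 255.255.255.248 but not under 255.255.255.0.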