Cisco ASA 5510, can it be used for multiple connections?

sandmanx

We are about to get a 10Mbps sync line for our business. We already have a full T1 that we are using a Cisco Pix 506 on. I can't find any definitive info on whether I can tie both of these connections into an ASA 5510 and eliminate the 506. I'm sure someone here knows.

I plan on using the 10Mbps for our web/ftp/email/streaming video servers, and putting our internal users on the T1, as well as running VPN on both connections for the best performance (I use this only for admin purposes, but I want it to be quick when our website is getting nailed).
 
Hmmm. I don't think so, but I have never tried that or heard of anyone else trying it with the 7.0 code.

The only way I think you'd be able to do it is to hook both routers up to a switch, and link the switch to the ASA external interface. You'd have to do your NATing at the routers and not on the ASA. Create a private network starting with the LAN interfaces on the routers. So, E1 on each router would be connected to E0 on the ASA, and they'd all be 172.16.1.x for example. You'd then have your clients on the internal interface and your servers on the DMZ; set up two static routes to route the internal clients to the T1 router and the DMZ servers to the 10mb router. You'd have to do NAT 0 on the DMZ and the internal interfaces, otherwise you'll be doing double NAT and breaking stuff... that's where it would get tricky I suppose.

I don't even know if that will work or not, but it sounds (to me) like the best option. It'd be an interesting experiment if I had an ASA handy.

The simplest option, of course, is to ditch the T1. Put your clients on the internal interface, servers on the DMZ, and rate limit the internal interface to 1.5Mbps using QoS (effectively giving them only T1 speeds). That'll cut the speed your servers will get to (at a minimum) 8.5Mbps. You can keep the T1 handy as a backup connection or a test connection until your contract expires.
 
That sounds like a good solution, to limit the interface. I might still give the T1 an IP after the Pix 506 and assign that as the gateway for some users, since we will have the T1 for another year and a half I believe.

Thanks for the suggestion.
 