We have an ISP (ISP1), with a router maintained by the ISP. We are bringing up a 2nd ISP (ISP2), with routers we will deploy and maintain. We'd like to gradually migrate services from ISP1 to ISP2, eventually phasing out the original ISP. We'd like the migration setup to support default routing of traffic we haven't selected to go to ISP1, to default out ISP2 during the phase out.
We currently support IPsec tunnels, AnyConnect vpn and various applications on the existing ISP1, with a public /24 provided by the ISP. Please see the attached topology image for the current setup, and concept of the state we expect during the migration. The ISP2 is providing a new /24 that all tunnels and applications will need to move to.
Unfortunately, the ASA 5510 does not support PBR (policy based routing), so I'm looking for a solution to support this setup, while maintaining connectivity to all applications on ISP1 during the migration. Specifically, I am concerned about how to manage routing outbound from our ASAs to the appropriate interface and next hop, given the topology. I believe the IPsec tunnels would be fairly straightforward, requiring just a static route to each tunnel peer out the ISP1 upstream router. As the tunnels are migrated, I'd remove the static route to allow it out ISP2.
I believe I can use Egress Interface Routing (cisco doc) to ensure application traffic is addressed and routed appropriately, but am not confident I understand the implications/requirements of this and would like feedback on whether this would work, or possible alternative solutions to handle the routing setup on the ASAs.
Thanks for any & all feedback!
If you have services running on your public IP addresses, AND you want to provide services on both ISP lines simultaneously from the same machine (or through the same firewall), you cannot do so without source IP address-based policy routing. That's because the same client coming from the Internet can connect to those services presented on different IP addresses, but the reply packets have to go back to whatever ISP provides the IP address targeted by the client. This needs source IP address-based routing.
The most frequently used options are: a router, or a gateway machine (Linux has excellent policy-based routing capabilities). I have no specific information about the capabilities of a Cisco ASA. General IOS routing does provide policy-based routing, however, the CPU load increase might be prohibitive, depending on the hardware and the bandwidth figures involved.
If policy-based routing presents a problem for you, you might be able to avoid the problem by providing two different sets of machines/firewalls for each type of IP addresses (one set for one ISP, one set for the other ISP), and then use an application-level proxy or source NAT on them to connect to a single backend service, if that's desired.
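The source-address policy routing the answer describes, as an added example on a Linux gateway (this is not configuration from the question or the answer, and it is not ASA syntax). It assumes hypothetical, constructed addressing: ISP1 hands out 203.0.113.0/24 via gateway 203.0.113.1 on eth1, ISP2 hands out 198.51.100.0/24 via gateway 198.51.100.1 on eth2. The script prints the `ip rule`/`ip route` commands rather than running them, so the plan can be reviewed offline and applied with `pbr_commands | sudo sh` on the gateway; the `table_for_source` helper mirrors the rules so you can check which table a given source address would hit before applying anything.

```shell
#!/bin/sh
# Added example: source-address policy routing for two ISPs on a Linux gateway.
# Assumed (constructed) addressing, TEST-NET ranges, not real networks:
ISP1_NET=203.0.113.0/24; ISP1_GW=203.0.113.1; ISP1_IF=eth1
ISP2_NET=198.51.100.0/24; ISP2_GW=198.51.100.1; ISP2_IF=eth2

# Emit the commands instead of executing them, so the plan can be reviewed
# (and tested) offline. Apply on the gateway as root with: pbr_commands | sh
pbr_commands() {
    # One extra routing table per ISP. Table ids are arbitrary but must be unique
    # and not collide with the reserved tables (main=254, local=255, default=253).
    echo "ip route add default via $ISP1_GW dev $ISP1_IF table 101"
    echo "ip route add default via $ISP2_GW dev $ISP2_IF table 102"
    # The key rule from the answer: a reply sourced from an ISP's block must leave
    # via that ISP, whatever the destination. Lower priority number wins.
    echo "ip rule add from $ISP1_NET lookup 101 priority 1001"
    echo "ip rule add from $ISP2_NET lookup 102 priority 1002"
    # Traffic matched by no rule (e.g. NATed LAN clients) falls through to the main
    # table. During the migration its default points at ISP1; flipping it to ISP2
    # later is a single 'ip route replace' with $ISP2_GW/$ISP2_IF.
    echo "ip route replace default via $ISP1_GW dev $ISP1_IF"
}

# Strip the last octet (and any /prefix) to get the /24 prefix: 203.0.113.42 -> 203.0.113
prefix24() { echo "${1%.*}"; }

# Which table a packet with the given source address hits under the rules above.
# Only /24 blocks are handled, matching the constructed addressing of this example.
table_for_source() {
    case "$(prefix24 "$1")" in
        "$(prefix24 "$ISP1_NET")") echo 101 ;;
        "$(prefix24 "$ISP2_NET")") echo 102 ;;
        *) echo main ;;
    esac
}

# Print the plan when run directly.
pbr_commands
```

Moving a service from ISP1 to ISP2 then needs no routing change on the gateway: once the service answers from an address in the ISP2 block, the `from 198.51.100.0/24` rule sends its replies out eth2. Two things to check on the gateway before relying on this: `rp_filter` should be loose (`net.ipv4.conf.all.rp_filter=2`) or disabled on the ISP interfaces, because strict reverse-path filtering drops inbound packets whose reply would leave by a different interface, and connection tracking for NATed flows must not be pinned to one egress by an earlier rule.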