Cisco ASA 5500 Dual ISP Connection

Starting from version 7.2(1), the Cisco ASA 5500 series firewall supports the Dual-ISP capability. You can connect two interfaces of the firewall to two different ISPs and use the “SLA Monitor” feature (SLA = Service Level Agreement) to monitor the link to the primary ISP; if that link fails, traffic is routed to the backup ISP. The diagram below shows how to implement the Dual-ISP feature.

[Diagram: ASA 5500 dual ISP connection]

Assume that the Primary ISP (ISP-1) has assigned us the public IP address 100.100.100.1 with gateway 100.100.100.2, and the Backup ISP (ISP-2) has assigned us the public IP 200.200.200.1 with gateway 200.200.200.2. Normally all traffic should flow through ISP-1, but if the physical link (or route) to that ISP fails, traffic should be redirected to the Backup ISP. We can configure an SLA monitor that checks every 10 seconds (using an ICMP echo request) the availability of the primary gateway IP address (100.100.100.2). If there is no response within 3000 milliseconds (3 sec), the tracked object goes down and the default route is redirected to the Backup ISP. The configuration is shown below:

asa5500(config)# sla monitor 100
asa5500(config-sla-monitor)# type echo protocol ipIcmpEcho 100.100.100.2 interface outside
asa5500(config-sla-monitor-echo)# timeout 3000
asa5500(config-sla-monitor-echo)# frequency 10
asa5500(config)# sla monitor schedule 100 life forever start-time now
asa5500(config)# track 1 rtr 100 reachability
asa5500(config)# route outside 0.0.0.0 0.0.0.0 100.100.100.2 1 track 1
asa5500(config)# route backup-isp 0.0.0.0 0.0.0.0 200.200.200.2 254

Of course the configuration above assumes that you have already configured two interfaces connected to the ISPs: the first named ‘outside’ (security level 0) and the second named ‘backup-isp’ (security level 1). Both default routes point to the same destination (0.0.0.0 0.0.0.0), so the ASA installs only the one with the lowest administrative distance: the primary route (distance 1) as long as track 1 reports the gateway reachable, and the backup route (distance 254) once the tracked route is withdrawn. When the primary gateway answers again, track 1 comes back up and the primary route is reinstalled.
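To make the failover and fallback behaviour concrete, here is an added Python model of the mechanism described above. It is illustration code written for this page, not ASA software or anything from the original post: the class and function names are the example's own, and the probe results fed to it are constructed. It models the SLA echo probe with the page's timeout (3000 ms) and frequency (10 s), the track object, and the selection of the default route by administrative distance between the tracked primary route (distance 1) and the backup route (distance 254).

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SlaTracker:
    """Models 'sla monitor <id>' plus 'track <n> rtr <id> reachability'
    (hypothetical class for this example)."""
    track_id: int
    target: str               # address probed with ICMP echo (page: 100.100.100.2)
    timeout_ms: int = 3000    # page value: timeout 3000
    frequency_s: int = 10     # page value: frequency 10
    up: bool = True

    def probe(self, rtt_ms: Optional[int]) -> bool:
        # A probe succeeds only if a reply arrives within the timeout.
        # None models "no reply at all"; a reply slower than the timeout also fails.
        self.up = rtt_ms is not None and rtt_ms <= self.timeout_ms
        return self.up


@dataclass
class StaticRoute:
    """Models 'route <iface> 0.0.0.0 0.0.0.0 <gw> <distance> [track <n>]'."""
    interface: str
    gateway: str
    distance: int                   # administrative distance: lower wins
    track_id: Optional[int] = None  # tracked routes are installed only while the track is up


class RoutingTable:
    def __init__(self, routes: List[StaticRoute], trackers: List[SlaTracker]):
        self.routes = routes
        self.trackers = {t.track_id: t for t in trackers}

    def installed(self) -> List[StaticRoute]:
        # A tracked route is withdrawn as soon as its track object goes down.
        return [r for r in self.routes
                if r.track_id is None or self.trackers[r.track_id].up]

    def default_route(self) -> StaticRoute:
        # Both candidates are 0.0.0.0/0, so only administrative distance decides.
        return min(self.installed(), key=lambda r: r.distance)


def build_table() -> RoutingTable:
    """The page's two default routes and single tracker (addresses from the page)."""
    tracker = SlaTracker(track_id=1, target="100.100.100.2")
    routes = [
        StaticRoute("outside", "100.100.100.2", distance=1, track_id=1),
        StaticRoute("backup-isp", "200.200.200.2", distance=254),
    ]
    return RoutingTable(routes, [tracker])


def simulate(probe_rtts: List[Optional[int]]) -> List[str]:
    """Feed a sequence of probe results (RTT in ms, or None for no reply) and
    return the egress interface chosen after each probe."""
    table = build_table()
    tracker = table.trackers[1]
    chosen = []
    for rtt in probe_rtts:
        tracker.probe(rtt)
        chosen.append(table.default_route().interface)
    return chosen


def worst_case_detection_s(tracker: SlaTracker) -> float:
    """In this simplified model, a failure occurring just after a successful probe
    is noticed only when the next probe (one frequency interval later) times out."""
    return tracker.frequency_s + tracker.timeout_ms / 1000


if __name__ == "__main__":
    # Constructed probe results: healthy, link down (no reply),
    # reply slower than the 3000 ms timeout, then recovered.
    print(simulate([20, None, 3500, 15]))
    print(worst_case_detection_s(SlaTracker(1, "100.100.100.2")))
```

The sequence shows both directions of the behaviour: the first failed probe withdraws the primary route and the backup route with distance 254 becomes the only candidate, and the first successful probe after recovery reinstalls the primary route, so traffic returns to ISP-1 without any manual step.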






33 Responses to 'Cisco ASA 5500 Dual ISP Connection'

  1. Frans ter Borg - December 17th, 2009 at 5:37 pm

    Is there a way to combine the SLA Monitor features described above with 2 “ISP” interfaces that get their (dynamic) IP address either via DHCP or via PPPoE?

    Cheers,

    Frans

  2. BlogAdmin - December 18th, 2009 at 1:41 am

    Hello Frans,
    I have never tried that, to be honest. What I know, however, is that you can define an IP address to track other than the ISP default gateway. For example, you can track a server located in the ISP network, such as the DNS server. If that server is 150.150.150.1, then you should modify your SLA command accordingly:
    asa5500(config-sla-monitor)# type echo protocol ipIcmpEcho 150.150.150.1 interface outside
    Now, the problem I see is on the default route command. If you are getting dynamic IP from the ISP, then you must not configure a default route because the default route is automatically assigned from the ISP.
    However you can try to configure:
    route outside 0.0.0.0 0.0.0.0 interface x/x 1 track 1
    Try it and let us know how it works.

  3. Graham - March 23rd, 2010 at 10:18 am

    Hello Frans,

    In this scenario, will the traffic be re-routed back via the primary ISP if the connection/route is restored?

  4. BlogAdmin - March 23rd, 2010 at 12:38 pm

    Yes, traffic will be rerouted from the primary ISP once the primary link is restored.

  5. Vince - June 18th, 2010 at 3:21 pm

    Hello BlogAdmin,
    What if my 1st ISP assigns a static IP address and my 2nd ISP assigns a dynamic IP address? How do I configure a default route for the 2nd ISP? I greatly appreciate your help.

    Vince

  6. Blog Admin - June 19th, 2010 at 7:40 am

    Vince,

    To be honest, I have not seen such a scenario before. If you can afford to have a second ISP for redundancy, then get one with a static IP :)

    Another option is to put a small router between the 2nd ISP and the ASA backup interface. The router will get its IP address dynamically, but the ASA backup interface will have a fixed IP as gateway (it will be the internal IP of the router).

  7. Vince - June 20th, 2010 at 4:29 am

    Hello Blog Admin,

    First I would like to say thank you for your response, and secondly thanks for the Fundamentals and Configuration Tutorial Bonus written by Harris Andrea. I bought these eBooks last night and they help me to understand the concepts and get hands-on a lot. I am a newbie to Cisco giant network gear :-)
    Blog Admin, my 2nd ISP is Comcast and it does not offer me a static IP address :-( . Qwest is my DSL line and provides me a block of 5 usable addresses. Besides Comcast and Qwest I have no other ISP service in my home area. However, here is what I can try, based on reading Andrea's books and your post, to see if it works.

    ASA(config)# global (outside) 1 interface
    ASA(config)# global (backup) 1 interface
    ASA(config)# nat (inside) 1 0.0.0.0 0.0.0.0
    ASA(config)# sla monitor 100
    ASA(config-sla-monitor)# type echo protocol ipIcmpEcho 100.1.1.1 interface outside
    ASA(config-sla-monitor)# timeout 3000
    ASA(config-sla-monitor)# frequency
    ASA(config-sla-monitor)# exit
    ASA(config)# sla monitor schedule 100 life forever start-time now
    ASA(config)# track 10 rtr 100 reachability
    ASA(config)# route outside 0.0.0.0 0.0.0.0 100.1.1.1 1 track 10
    ASA(config)# route backup 0.0.0.0 0.0.0.0 interface 0/1 254

    Vince

  8. Blog Admin - June 20th, 2010 at 8:57 am

    Hello Vince,

    The configuration you are suggesting should work OK. Since you will not know the gateway for the backup route, you can use the outside interface in the default route. Note that the address 100.1.1.1 should be a fixed IP host on the primary ISP (e.g. the default gateway for the primary ISP).

    Good luck.

    Let me know if I can help for anything.

  9. Vince - June 26th, 2010 at 4:49 am

    Hello Harris,

    It worked, and I am very excited about Cisco gear :-) Thank you for your time and support. I look forward to your next eBook release, the step by step tutorial.

    God bless you.

  10. Vince - July 6th, 2010 at 4:43 pm

    Hello Harris,
    With the setup above everything worked, but the problem is that the ASA did not roll back to the primary ISP when the connection was restored. Is there a way or CLI command for me to force the ASA to route back to the primary ISP default route? For now I have to unplug the backup ISP connection, wait for the route table to update and then plug the cable back :-) I greatly appreciate your help.

    Best regards,
    Vince

  11. Blog Admin - July 8th, 2010 at 4:46 am

    Vince,

    The tracking mechanism should take care of the fallback to the primary link. What ASA version are you using?

  12. Vince - July 10th, 2010 at 4:27 am

    Hello Harris,

    It is my fault :-( When I configured the tracking mechanism I could ping the outside interface from the outside, so I added “icmp deny any echo outside” :-# After removing it with “no icmp deny any echo outside” everything works as expected.

    BTW: the ASA version I am using is 8.2(2). I read your post about not rushing to update to 8.3, that's why I stay on 8.2.

    With the issue above I said to myself: what happens if the primary ISP goes down? Remote VPN will not work. So I decided to add backup-isp to the dynamic crypto map to a static crypto map:

    crypto map outside_map interface primary-isp
    crypto map outside_map interface backup-isp

    Create a phase 1 ISAKMP policy for the remote VPN clients:

    crypto isakmp enable primary-isp
    crypto isakmp enable backup-isp

    On the client side I clicked the Backup Servers tab and added the IP address of backup-isp. I fired up the VPN connection and it worked; then I shut down the primary-isp interface and tried connecting again, and this time the VPN client connected to the backup-isp IP address :-)

    Thank you so much for your support (y)

    Vince

  13. Blog Admin - July 10th, 2010 at 12:59 pm

    Hi Vince,

    I’m glad you managed to make it work. Also, good job on the VPN redundancy too.

    cheers

    Harris

  14. Ammar - July 31st, 2010 at 9:24 am

    Dear Blog Admin
    Thank you very much for this info, my question is:
    Is there a way that I can configure my ASA 5500 series to use 2 ISPs simultaneously (at the same time, not just as a backup)?
    I mean I need to have 2 internet connections working together at the same time while they are directly connected to the ASA.
    What is the configuration that I have to apply to the firewall (if it's possible, of course)?
    I have searched a lot for that but till now I didn't find an answer to this question!
    Could you help me please?
    Thanks again.

  15. Blog Admin - July 31st, 2010 at 11:11 am

    Ammar,

    From what I know, you cannot use two ISPs simultaneously with the ASA. You can utilize a load balancer for that. A good example is F5 Networks.

  16. Rob - September 3rd, 2010 at 11:23 am

    Most of the examples I have seen on the sla monitor commands are showing a point-to-point link for certain addresses that are also reachable over the outside (internet-facing) interface. This is the first sample I have seen with two internet-facing interfaces, which brings up a problem the other situation does not present: Do you now have to apply, and possibly duplicate, your internet-facing ACL? I say duplicate because otherwise the hitcnt counters are shared and you cannot observe the amount of traffic handled by the backup link over time.

    Is there a way to treat the two interfaces as a single logical interface, or to get some indication of the backup link’s usage, à la ‘sh failover’?

  17. Blog Admin - September 3rd, 2010 at 1:17 pm

    Hi Rob,

    Thanks for stopping by.

    You can configure two different ACLs, one for each interface, and apply each one on its corresponding interface. For example, you can configure an ACL named “outside_in” and apply it on the primary “outside” interface, and then configure another ACL (with exactly the same configuration lines) and name it “backup_in” and apply that on the “backup” link. That way you will have different counters if you need to see the usage.

  18. Rob - September 3rd, 2010 at 1:43 pm

    OK, but no way to synchronize the ACLs? As you can imagine, it is simply a matter of time before one of the ACLs is missing a line…

  19. Blog Admin - September 3rd, 2010 at 7:28 pm

    No, unfortunately there is no way to synchronize the ACLs.
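Since the ASA offers no way to keep the two per-interface ACLs in sync, the practical control is to check them for drift from the running configuration on a schedule. The following is an added example written for this page, not code from the original post or from Cisco: it parses `access-list <name> extended ...` lines out of a constructed config excerpt (the ACL names, addresses and the backup interface name are assumptions), masks each interface's own public IP so that it does not count as a difference, and reports rules missing from or extra in the backup ACL, as well as ordering differences, which matter because ACLs are evaluated top-down.

```python
import re
from typing import Dict, List

# Constructed running-config excerpt (example data, not from the page).
# The ACL names, the addresses and the "backup-isp" interface are assumptions.
SAMPLE_CONFIG = """\
access-list outside_in extended permit tcp any host 100.100.100.1 eq 443
access-list outside_in extended permit udp any host 100.100.100.1 eq 500
access-list outside_in extended deny ip any any log
access-list backup_in extended permit tcp any host 200.200.200.1 eq 443
access-list backup_in extended deny ip any any log
access-group outside_in in interface outside
access-group backup_in in interface backup-isp
"""

# Matches one extended ACL entry: the ACL name and the rest of the rule.
ACL_LINE = re.compile(r"^access-list\s+(\S+)\s+(extended\s+.+)$")


def parse_acls(config_text: str) -> Dict[str, List[str]]:
    """Collect the rules of each named extended ACL, in configured order."""
    acls: Dict[str, List[str]] = {}
    for raw in config_text.splitlines():
        m = ACL_LINE.match(raw.strip())
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
    return acls


def normalize(rule: str, aliases: Dict[str, str]) -> str:
    """Replace per-interface specifics (e.g. the interface's own public IP)
    with a common token so that only genuine policy differences show up."""
    return " ".join(aliases.get(tok, tok) for tok in rule.split())


def compare_acls(acls: Dict[str, List[str]], primary: str, backup: str,
                 aliases: Dict[str, str] = None) -> Dict[str, object]:
    """Report how the backup ACL differs from the primary one."""
    aliases = aliases or {}
    p = [normalize(r, aliases) for r in acls.get(primary, [])]
    b = [normalize(r, aliases) for r in acls.get(backup, [])]
    return {
        "missing_in_backup": [r for r in p if r not in b],
        "extra_in_backup": [r for r in b if r not in p],
        # Same rules but in a different order still changes what is matched first.
        "order_differs": sorted(p) == sorted(b) and p != b,
        "in_sync": p == b,
    }


def check_sample() -> Dict[str, object]:
    """Run the comparison on the constructed excerpt above."""
    acls = parse_acls(SAMPLE_CONFIG)
    # Each interface's own address (from the page's addressing plan) is masked.
    aliases = {"100.100.100.1": "<self>", "200.200.200.1": "<self>"}
    return compare_acls(acls, "outside_in", "backup_in", aliases)


if __name__ == "__main__":
    for key, value in check_sample().items():
        print(f"{key}: {value}")
```

On the sample excerpt the report flags the UDP/500 rule as present on the primary ACL but missing from the backup one, which is exactly the kind of silent divergence the question above anticipates; feeding it the output of `show running-config access-list` instead of the constructed string is the only change needed for real use.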

  20. JayW - December 27th, 2010 at 8:18 pm

    Thanks for the great info. Worked perfectly!

  21. Carl - March 24th, 2011 at 4:28 pm

    I have been searching but found no information on this setup. Any assistance would be greatly appreciated.

    If I have two ISPs and want to utilize both with the 5500, but not for load-balancing or backup.

    WAN1 to outside ip block
    WAN2 to outside ip2 block
    LAN1 internal 10.1.10.X
    LAN2 internal 10.1.11.X

    All the internal IPs are statically set and I would like to have some machines utilize WAN1 and some machines utilize WAN2.

    Thanks for any help or if this is possible.

  22. Blog Admin - March 24th, 2011 at 4:39 pm

    Carl,

    You can do this with dynamic NAT (for outbound traffic). You can use the nat-ids to bind the private internal IPs to the outside IP blocks.

    Let's say IP 10.1.10.1 should use outside IP block 100.100.100.1 and internal IP 10.1.11.1 should use 200.200.200.1.

    nat (inside1) 10 10.1.10.1 255.255.255.255
    global (outside1) 10 100.100.100.1

    nat (inside2) 20 10.1.11.1 255.255.255.255
    global (outside2) 20 200.200.200.1

  23. Carl - March 24th, 2011 at 9:55 pm

    Thanks for the reply. Do you know if this is possible in single context mode or multi context mode?

  24. Blog Admin - March 25th, 2011 at 11:39 am

    It should work for both.

  25. Matt - June 2nd, 2011 at 7:07 pm

    Hey there,

    I have a network setup like this right now:

    http://i1085.photobucket.com/albums/j432/dion20/Drawing2.jpg

    I want to add another ISP, but not use it as a failover; instead use it as another gateway to allow certain users to use the second ISP. Here's the depiction of what I would like to do:

    http://i1085.photobucket.com/albums/j432/dion20/Drawing1.jpg

    So basically I want to set the gateway as 10.11.0.4, and have that use the .2 external internet on specific stations.

  26. Blog Admin - June 3rd, 2011 at 10:01 am

    Matt,

    You cannot do what you suggest here. It is not allowed (on any firewall or router device) to configure two different network interfaces in the same layer 3 network range. So the ASA will not allow you to have port1 and port7 in the same internal network subnet (10.11.0.x).

  27. Matt - June 3rd, 2011 at 6:23 pm

    Awesome, thanks, that's what I thought. My supervisor wanted me to do that; my idea is to use the .2 interface as our main internet, set up the .1 as a backup, and use a failover in case of an outage from .2. After talking with a buddy last night he convinced me that that was the better option as well.

    Again, thank you for your input, and reading through this blog really helped in understanding the inner workings of the ASA.

  28. Oldtimer - August 26th, 2011 at 9:45 am

    Hello guys,

    The configuration doesn’t work in version 8.4(1).
    After some debugging, I saw the packets continue to go out the backup interface.
    After more searching, I found bug CSCsy19222, which perfectly describes my problem.
    HTH ;-)

  29. Blog Admin - August 26th, 2011 at 10:12 am

    @Old Timer

    Thanks for stopping by and for the heads-up. Appreciate your feedback

  30. Marcel - September 8th, 2011 at 6:26 pm

    It doesn’t work in multiple context mode...

  31. Blog Admin - September 9th, 2011 at 4:49 am

    Marcel,

    Yes I know. In my example above, I refer to single context mode.

    By the way, there are many other features that don’t work in multiple context mode as well.

  32. waleed - January 16th, 2012 at 8:40 pm

    The problem, if you have a server announced on the internet, will be which IP address the DNS will resolve it to (you have two different static NATs for the same server, one for each ISP).

  33. Blog Admin - January 17th, 2012 at 6:42 pm

    waleed,

    You are right. The configuration above is mainly for redundancy when you have only outbound traffic.

