Cisco ASA 5500 Dual ISP Connection

Starting from version 7.2(1) and upwards, the Cisco ASA 5500 series firewall now supports Dual-ISP. You can connect two interfaces of the firewall to two different ISPs and use the new “SLA Monitor” feature (SLA=Service Level Monitoring) to monitor the link to the primary ISP; if that link fails, the traffic is routed to the backup ISP. The diagram below shows how to implement the Dual-ISP feature.

[Diagram: ASA 5500 dual ISP connection]

Assume that the Primary ISP (ISP-1) has assigned us the public IP address 100.100.100.1 with gateway 100.100.100.2. Also, the Backup ISP (ISP-2) has assigned us the public IP 200.200.200.1 with gateway 200.200.200.2. Normally all traffic should flow through ISP-1, but if the physical link (or route) to that ISP fails, then traffic should be redirected to the Backup ISP. We can configure an SLA monitor which checks every 10 seconds (using an ICMP echo request) the availability of the primary gateway IP address (100.100.100.2). If there is no response within 3000 milliseconds (3 sec), the tracked default route is withdrawn and the floating default route to the Backup ISP takes over. The configuration is shown below:

asa5500(config)# sla monitor 100
asa5500(config-sla-monitor)# type echo protocol ipIcmpEcho 100.100.100.2 interface outside
asa5500(config-sla-monitor-echo)# timeout 3000
asa5500(config-sla-monitor-echo)# frequency 10
asa5500(config-sla-monitor-echo)# exit
asa5500(config-sla-monitor)# exit
asa5500(config)# sla monitor schedule 100 life forever start-time now
asa5500(config)# track 1 rtr 100 reachability
asa5500(config)# route outside 0.0.0.0 0.0.0.0 100.100.100.2 1 track 1
asa5500(config)# route backup-isp 0.0.0.0 0.0.0.0 200.200.200.2 254

Of course, the configuration above assumes that you have already configured the two interfaces connected to the ISPs: the first one named ‘outside’ (security level 0) and the second one named ‘backup-isp’ (security level 1). The primary default route has administrative distance 1 and is tied to track 1; the backup route has distance 254, so it is only installed while the tracked route is withdrawn.
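
Every time the track object changes state the ASA logs the route being removed or re-added, which is the cleanest place to detect a failover (and a link that is flapping between the two ISPs). The Python script below is an added example and not part of the original post: it parses those syslog messages into a timeline of failover periods and flags flapping. The log lines are constructed, and the message-ID 622001 “Adding/Removing tracked route” format is assumed from memory; check it against the syslog message reference for your ASA version before relying on the regex.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample syslog, not taken from the page. The 622001 "tracked route"
# message format is assumed from memory; check it against your ASA syslog reference.
SAMPLE_LOG = """\
Mar 10 09:00:01 asa5500 %ASA-6-622001: Adding tracked route 0.0.0.0 0.0.0.0 100.100.100.2, distance 1, table Default-IP-Routing-Table, on interface outside
Mar 10 09:15:32 asa5500 %ASA-6-622001: Removing tracked route 0.0.0.0 0.0.0.0 100.100.100.2, distance 1, table Default-IP-Routing-Table, on interface outside
Mar 10 09:16:10 asa5500 %ASA-6-622001: Adding tracked route 0.0.0.0 0.0.0.0 100.100.100.2, distance 1, table Default-IP-Routing-Table, on interface outside
Mar 10 09:16:40 asa5500 %ASA-6-622001: Removing tracked route 0.0.0.0 0.0.0.0 100.100.100.2, distance 1, table Default-IP-Routing-Table, on interface outside
Mar 10 09:17:05 asa5500 %ASA-6-622001: Adding tracked route 0.0.0.0 0.0.0.0 100.100.100.2, distance 1, table Default-IP-Routing-Table, on interface outside
Mar 10 11:00:00 asa5500 %ASA-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:192.168.1.10/50000 (100.100.100.1/50000)
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ %ASA-\d-(?P<id>\d{6}): (?P<msg>.*)$"
)
ROUTE_RE = re.compile(
    r"^(?P<action>Adding|Removing) tracked route (?P<route>\S+ \S+ \S+), "
    r"distance (?P<dist>\d+), .*on interface (?P<intf>\S+)$"
)


@dataclass
class RouteEvent:
    when: datetime
    action: str        # "Adding" (primary reachable) or "Removing" (primary failed)
    route: str         # e.g. "0.0.0.0 0.0.0.0 100.100.100.2"
    interface: str
    distance: int


def parse_route_events(log_text: str) -> List[RouteEvent]:
    """Pull every 622001 tracked-route change out of raw syslog text, in order."""
    events: List[RouteEvent] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("id") != "622001":
            continue
        r = ROUTE_RE.match(m.group("msg"))
        if not r:
            continue
        events.append(RouteEvent(
            when=datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
            action=r.group("action"),
            route=r.group("route"),
            interface=r.group("intf"),
            distance=int(r.group("dist")),
        ))
    return events


Period = Tuple[Tuple[str, str], datetime, Optional[datetime]]


def failover_periods(events: List[RouteEvent]) -> List[Period]:
    """Pair each 'Removing' with the next 'Adding' of the same route.
    An end of None means the primary route was still withdrawn at end of log."""
    open_since: Dict[Tuple[str, str], datetime] = {}
    periods: List[Period] = []
    for ev in events:
        key = (ev.route, ev.interface)
        if ev.action == "Removing":
            open_since.setdefault(key, ev.when)
        elif key in open_since:
            periods.append((key, open_since.pop(key), ev.when))
    for key, start in open_since.items():
        periods.append((key, start, None))
    return periods


def is_flapping(periods: List[Period],
                window: timedelta = timedelta(minutes=5),
                min_events: int = 2) -> bool:
    """True when at least `min_events` failovers begin inside any `window`.
    With 'frequency 10' and 'timeout 3000' a marginal link can flip this often."""
    starts = sorted(p[1] for p in periods)
    for i, first in enumerate(starts):
        if sum(1 for t in starts[i:] if t - first <= window) >= min_events:
            return True
    return False


if __name__ == "__main__":
    evs = parse_route_events(SAMPLE_LOG)
    for key, start, end in failover_periods(evs):
        length = f"{(end - start).total_seconds():.0f}s" if end else "ongoing"
        print(f"{key[1]}: primary route withdrawn at {start.time()} ({length})")
    print("flapping:", is_flapping(failover_periods(evs)))
```

Feed it the output of your syslog collector for the ASA host; two withdrawals of the primary route within a few minutes usually means the SLA timeout is too tight for the ISP's latency rather than a real outage, and a period with no end means you are still running on the backup link.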


Comments

  1. Frans ter Borg says:

    Is there a way to combine the SLA Monitor features described above, with 2 “ISP” interfaces that get their (dynamic) IP address either via DHCP, or via PPPoE ?

    Cheers,

    Frans

  2. Hello Frans,
    I have never tried that, to be honest. What I know, however, is that you can define an IP address to track other than the ISP default gateway. For example, you can track a server located in the ISP network, such as the DNS server. If that server is 150.150.150.1, then you should modify your SLA command accordingly:
    asa5500(config-sla-monitor)# type echo protocol ipIcmpEcho 150.150.150.1 interface outside
    Now, the problem I see is on the default route command. If you are getting dynamic IP from the ISP, then you must not configure a default route because the default route is automatically assigned from the ISP.
    However you can try to configure:
    route outside 0.0.0.0 0.0.0.0 interface x/x 1 track 1
    Try it and let us know how it works.

  3. Hello Frans,

    In this scenario, will the traffic be re-routed back via the primary ISP if the connection/route is restored?

  4. BlogAdmin says:

    Yes, traffic will be rerouted from the primary ISP once the primary link is restored.

  5. Hello BlogAdmin,
    What if my 1st ISP assigns a static IP address and my 2nd ISP assigns a dynamic IP address? How do I configure a default route for the 2nd ISP? I greatly appreciate your help.

    Vince

  6. Blog Admin says:

    Vince,

    To be honest, I have not seen such a scenario before. If you can afford to have a second ISP for redundancy, then get one with a static IP :)

    Another option is to put a small router between the 2nd ISP and the ASA backup interface. The router will get its IP address dynamically, but the ASA backup interface will have a fixed IP as gateway (it will be the internal IP of the router).

  7. Hello Blog Admin,

    First I would like to say thank you for your response, and secondly thanks for the Fundamentals and
    Configuration Tutorial Bonus written by Harris Andrea. I bought these eBooks last night and they help me to understand the concepts and hands-on a lot. I am a newbie to Cisco giant network gear :-)
    Blog Admin, my 2nd ISP is from Comcast and it does not offer me a static IP address :-(. Qwest is my DSL line and provides me a block of 5 usable addresses. Besides Comcast and Qwest I have no other ISP service in my home area. However, here is what I can try, from reading Andrea’s books and your post, to see if it works.

    ASA(config)# global (outside) 1 interface
    ASA(config)# global (backup) 1 interface
    ASA(config)# nat (inside) 1 0.0.0.0 0.0.0.0
    ASA(config)# sla monitor 100
    ASA(config-sla-monitor)# type echo protocol ipIcmpEcho 100.1.1.1 interface outside
    ASA(config-sla-monitor)# timeout 3000
    ASA(config-sla-monitor)# frequency
    ASA(config-sla-monitor)# exit
    ASA(config)# sla monitor schedule 100 life forever start-time now
    ASA(config)# track 10 rtr 100 reachability
    ASA(config)# route outside 0.0.0.0 0.0.0.0 100.1.1.1 1 track 10
    ASA(config)# route backup 0.0.0.0 0.0.0.0 interface 0/1 254

    Vince

  8. Blog Admin says:

    Hello Vince,

    The configuration you are suggesting should work ok. Since you will not know the gateway for the backup route, you can use the outside interface in the default route. Note that the address 100.1.1.1 should be a fixed IP host on the primary ISP (e.g. the default gateway for the primary ISP).

    Good luck.

    Let me know if I can help for anything.

  9. Hello Harris,

    It worked, and I am very excited about cisco gear :-) Thank you for your time and support. I look forward to your next release eBook step by step tutorial.

    God bless you.

  10. Hello Harris,
    With the setup above everything worked, but the problem is the ASA did not roll back to the primary ISP when the connection was restored. Is there a way or CLI command for me to force the ASA to route back to the primary ISP default route? For now I have to unplug the backup ISP connection, wait for the route table to update and then plug the cable back :-) I greatly appreciate your help.

    Best regards,
    Vince

  11. Blog Admin says:

    Vince,

    The tracking mechanism should take care of the fallback to the primary link. What ASA version are you using?

  12. Hello Harris,

    It is my fault :-( When I configured the tracking mechanism I could ping the outside interface from the outside, so I added “icmp deny any echo outside” :-# After removing it with “no icmp deny any echo outside” everything works as expected.

    BTW: the ASA version I am using is 8.2(2). I read your post not to rush to update to 8.3, that’s why I stay on 8.2.

    With the issue above I asked myself what happens if the primary ISP goes down: remote VPN will not work. So I decided to add backup-isp to the dynamic crypto map to a static crypto map:

    crypto map outside_map interface primary-isp
    crypto map outside_map interface backup-isp

    Create a phase 1 ISAKMP policy for the remote VPN clients:

    crypto isakmp enable primary-isp
    crypto isakmp enable backup-isp

    On the client side I click the Backup Servers tab and add the IP address of backup-isp. I fire up the VPN connection and it works, and then I shut down the primary-isp interface and try connecting again; this time the VPN client is connected to the backup-isp IP address :-)

    Thank you so much for your support (y)

    Vince

  13. Blog Admin says:

    Hi Vince,

    I’m glad you managed to make it work. Also, good job on the VPN redundancy too.

    cheers

    Harris

  14. Dear Blog Admin,
    Thank you very much for this info. My question is:
    Is there a way that I can configure my ASA 5500 series to use 2 ISPs simultaneously (at the same time, not just as a backup)?
    I mean I need to have 2 internet connections working together at the same time while they are directly connected to the ASA.
    What is the configuration that I have to apply to the firewall (if it’s possible, of course)?
    I have searched a lot for that but till now I didn’t find an answer to this question!
    Could you help me please?
    Thanks again.

  15. Blog Admin says:

    Ammar,

    From what I know, you cannot use two ISPs simultaneously with the ASA. You can utilize a load balancer for that. A good example is F5 Networks.

  16. Most of the examples I have seen on the sla monitor commands are showing a point-to-point link for certain addresses that are also reachable over the outside (internet-facing) interface. This is the first sample I have seen with two internet-facing interfaces, which brings up a problem the other situation does not present: Do you now have to apply, and possibly duplicate, your internet-facing ACL? I say duplicate because otherwise the hitcnt counters are shared and you cannot observe the amount of traffic handled by the backup link over time.

    Is there a way to treat the two interfaces as a single logical interface, or to get some indication of the backup link’s usage, à la ‘sh failover’?

  17. Blog Admin says:

    Hi Rob,

    Thanks for stopping by.

    You can configure two different ACLs, one for each interface, and apply each one on its corresponding interface. For example, you can configure an ACL named “outside_in” and apply it on the primary “outside” interface, and then configure another ACL (with exactly the same configuration lines) and name it “backup_in” and apply that on the “backup” link. That way you will have different counters if you need to see the usage.

  18. OK, but no way to synchronize the ACLs? As you can imagine, it is simply a matter of time before one of the ACLs is missing a line…

  19. Blog Admin says:

    No, unfortunately there is no way to synchronize the ACLs.
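
Since the two per-interface ACLs have to be maintained by hand, the practical mitigation is to check them for drift on every config backup. The Python script below is an added example and not part of the original post or of Cisco's tooling: it extracts both ACLs from a saved running-config, normalises each entry so that a rule written against each link's own public IP still compares as the same policy, and reports entries present in one ACL but not the other (and ordering differences, since ACLs are first-match). The config excerpt and the interface addresses are constructed from the post's example addressing.

```python
import re
from typing import Dict, List

# Constructed running-config excerpt (not from the page). The backup ACL is
# meant to mirror the primary one but has drifted: the SMTP entry is missing.
RUNNING_CONFIG = """\
access-list outside_in remark Inbound policy, primary ISP
access-list outside_in extended permit tcp any host 100.100.100.1 eq 443
access-list outside_in extended permit tcp any host 100.100.100.1 eq 25
access-list outside_in extended deny ip any any log
access-list backup_in remark Inbound policy, backup ISP (keep identical to outside_in)
access-list backup_in extended permit tcp any host 200.200.200.1 eq 443
access-list backup_in extended deny ip any any log
access-group outside_in in interface outside
access-group backup_in in interface backup-isp
"""

# Each ACL's own interface address (constructed, using the post's example
# addressing) so that "host <own IP>" rules compare equal across the two links.
SELF_IPS = {"outside_in": "100.100.100.1", "backup_in": "200.200.200.1"}

ACL_RE = re.compile(r"^access-list (?P<name>\S+) (?P<body>(?:extended|standard) .+)$")


def extract_acls(config: str) -> Dict[str, List[str]]:
    """Group ACE bodies by ACL name, preserving order; 'remark' lines are skipped."""
    acls: Dict[str, List[str]] = {}
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if m:
            acls.setdefault(m.group("name"), []).append(m.group("body"))
    return acls


def normalize(rule: str, self_ip: str) -> str:
    """Collapse whitespace and replace the interface's own address with a token."""
    rule = " ".join(rule.split())
    return rule.replace(f"host {self_ip}", "host <SELF>")


def acl_drift(config: str, primary: str, backup: str,
              self_ips: Dict[str, str]) -> Dict[str, object]:
    """Report entries present in one ACL but not the other, plus order differences."""
    acls = extract_acls(config)
    p = [normalize(r, self_ips[primary]) for r in acls.get(primary, [])]
    b = [normalize(r, self_ips[backup]) for r in acls.get(backup, [])]
    return {
        "missing_from_" + backup: [r for r in p if r not in b],
        "missing_from_" + primary: [r for r in b if r not in p],
        # ACLs are evaluated first-match, so the same entries in a different
        # order is still a policy difference worth flagging.
        "order_differs": set(p) == set(b) and p != b,
    }


if __name__ == "__main__":
    report = acl_drift(RUNNING_CONFIG, "outside_in", "backup_in", SELF_IPS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against the `show running-config` text you already archive; a non-empty "missing_from_" list is exactly the case the comment above worries about, caught before the backup link is ever used.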

  20. Thanks for the great info. Worked perfectly!

  21. I have been searching but found no information on this setup. Any assistance would be greatly appreciated.

    If I have two ISPs and want to utilize both with the 5500, but not for load balancing or backup.

    WAN1 to outside ip block
    WAN2 to outside ip2 block
    LAN1 internal 10.1.10.X
    LAN2 internal 10.1.11.X

    All the internal IPs are statically set and I would like to have some machines utilize WAN1 and some machines utilize WAN2.

    Thanks for any help or if this is possible.

  22. Blog Admin says:

    Carl,

    You can do this with dynamic NAT (for outbound traffic). You can use the nat-ids to bind the private internal IPs to the outside IP blocks.

    Let’s say IP 10.1.10.1 should use outside IP block 100.100.100.1 and internal IP 10.1.11.1 should use 200.200.200.1.

    nat (inside1) 10 10.1.10.1 255.255.255.255
    global (outside1) 10 100.100.100.1

    nat (inside2) 20 10.1.11.1 255.255.255.255
    global (outside2) 20 200.200.200.1

  23. Thanks for the reply. Do you know if this is possible in single context mode or multi context mode?

  24. Blog Admin says:

    Should work for both.

  25. Hey there,

    I have a network setup like this right now:

    http://i1085.photobucket.com/albums/j432/dion20/Drawing2.jpg

    I want to add another ISP, but not use it as a failover; instead use it as another gateway to allow certain users to use the second ISP. Here’s the depiction of what I would like to do:

    http://i1085.photobucket.com/albums/j432/dion20/Drawing1.jpg

    So basically I want to set the gateway as 10.11.0.4 and have that use the .2 external internet on specific stations.

  26. Blog Admin says:

    Matt,

    You cannot do what you suggest here. It is not allowed (on any firewall or router device) to configure two different network interfaces in the same layer 3 network range. So the ASA will not allow you to have port1 and port7 in the same internal network subnet (10.11.0.x).

  27. Awesome, thanks, that’s what I thought. My supervisor wanted me to do that; my idea is to use the .2 interface as our main internet, set up the .1 as a backup, and use a failover in case of an outage on .2. After talking with a buddy last night he convinced me that that was the better option as well.

    Again, thank you for your input, and reading through this blog really helped in understanding the inner workings of the ASA.

  28. Hello guys,

    The configuration doesn’t work in version 8.4(1).
    After some debugging, I saw the packets continue to go out the backup interface.
    After more searching, I found bug CSCsy19222, which perfectly describes my problem.
    HTH ;-)

  29. Blog Admin says:

    @Old Timer

    Thanks for stopping by and for the heads-up. Appreciate your feedback

  30. It doesn’t work in multiple context mode…

  31. Blog Admin says:

    Marcel,

    Yes I know. In my example above, I refer to single context mode.

    By the way, there are many other features that don’t work in multiple context mode as well.

  32. The problem, if you have a server announced on the internet, will be: which IP address will the DNS look up? (You have two different static NATs for the same server, one for each ISP.)

  33. Blog Admin says:

    waleed,

    You are right. The configuration above is mainly for redundancy when you have only outbound traffic.

  34. Will_son says:

    My goal is similar to that of Carl.

    “If I have two ISPs and want to utilize both with the 5500, but not for load balancing or backup.

    WAN1 to outside ip block
    WAN2 to outside ip2 block
    LAN1 internal 10.1.10.X
    LAN2 internal 10.1.11.X

    All the internal IPs are statically set and I would like to have some machines utilize WAN1 and some machines utilize WAN2”

    The difference is I want only internet traffic to go out over the second interface.

  35. Blog Admin says:

    If the external WAN IP blocks are known, then you can do what you describe using policy NAT. However, if the WAN addresses are unknown (like normal Internet access, for example) then you cannot do this because

  36. Jonathan says:

    I currently use pfSense to do multiple WAN (4 WANs at 1 client and 2 WANs at another). pfSense allows you to specify outbound NAT and the gateway device that NAT uses, effectively giving my one client a dedicated VOIP VPN ISP, a client/guest ISP, a backup ISP and a standard-use ISP. pfSense is free, btw.... When a new client purchased an ASA 5510 and I started looking to set up 2 ISPs, one for guests on a cable modem and one for standard use on a 10M fiber line, I was shocked to see how limited the brand new Cisco ASA was, and after what they paid for it, it is sad to say I am going to recommend they buy a dual power supply (something the ASA does not have either) 1U server and let the ASA sit idle as a cold standby. After years of being in love with Cisco gear I must say this experience has left a bad taste in my mouth.... I am just glad I did not recommend the ASA to them or I would feel really bad.

  37. Blog Admin says:

    Hi Jonathan,

    pfSense looks really good indeed. Once you start using a Layer 7 firewall, the flexibility and the things you can do expand exponentially. The thing is that most companies prefer to have a firewall solution that is backed by support/maintenance etc., that’s why a commercial product is preferable. Also, a dedicated hardware firewall like the ASA would be much more powerful in terms of performance (concurrent connections, throughput etc.) compared to a computer-based firewall, in my opinion.

  38. Out of curiosity, if I may. I have a head office with 2 DSL connections (with two different ISPs). One connection provides net access, external IPs for the mail server, RDP servers etc. (I have a block of IPs for it). The other connection is dedicated to an IPSEC VPN to a remote site office to provide connectivity and VOIP phones back to the phone system at head office. It’s all currently running off the back of an old SnapGear SG580, which can load balance, fail over etc.

    If I grabbed an ASA 5510 could I replicate this setup? While there is no ‘load balancing’, one connection would provide a permanent VPN link to the site office and the other connection would link the head office to ‘the world’, so to speak.

  39. Blog Admin says:

    Hi Teddy,

    Yes you can use a Cisco ASA 5510 to implement what you describe in your comment. You will need to have a default route pointing to the first ISP (which provides the general internet access) and then have a specific static route pointing to the second ISP which provides the IPSEC VPN. This static route will be needed in order to reach the public IP of the remote site office and also to reach the LAN subnet of the remote office.

    Please let me know if you need anything else.

    Harris

  40. Dennis E. Pillow says:

    What are the requirements for an ASA 5505 to be used for backup of dual ISP? Can the 5505 be used for load balancing?

  41. Blog Admin says:

    Dennis,

    For the 5505, you need a Security Plus license in order to remove the restriction on the interfaces imposed by the basic license. Also, the 5505 can’t be used for load balancing.

  42. I need to configure IPsec VPN tunnels for 2 client offices using our 2x ASA 5525. One client has Palo Alto clusters on their one site and the other client has an active/passive (primary/backup) configuration using Palo Alto at different sites.

    Our ASA 5525s will be located at different offices.

    Do you have any examples for configuring the ASA 5525 in this scenario with NAT, as we have overlapping IP addresses at the client sites?

  43. Blog Admin says:

    Jay,

    I don’t have a specific example, but I have found a few ideas on the Cisco support forum. Try searching for “cisco asa vpn overlapping subnets”.

  44. Thanks for the wonderful KB. I followed it and it is working; however, every now and then I lose connection to the internet, and when I check the logs I see tons of “Deny UDP reverse path check from IP to IP on interface outside” in the log, and most of the time “Deny TCP reverse path check from (IP) to (IP) on interface outside” is thrown... How can I fix this? It usually happens when I start big file transfers etc.

  45. Blog Admin says:

    Ali,

    You can disable the reverse path check (no ip verify reverse-path interface outside) to see what happens. When you have “reverse path check”, the ASA drops a packet received on an interface that is not in the routing table.

  46. Thanks, I did that (turned off IP Anti-Spoofing on the interfaces) and it worked. But is it safe? If someone tries to spoof, I would assume the firewall will not block it? Or since I have an IPS module installed in the ASA, will that protect? Thanks in advance!

  47. Blog Admin says:

    Since you have private IPs and are doing NAT, spoofing is not that big of a problem.
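
Before switching the reverse-path check off for good, it is worth sorting the 106021 drops into the two cases that deserve different answers: RFC 1918 sources arriving on an Internet-facing interface (never legitimate return traffic) versus public sources whose replies land on the other ISP interface (the asymmetric-routing symptom around a failover). The Python script below is an added example and not part of the original post: it parses the “Deny ... reverse path check” messages quoted in the comment above, counts them per interface and per source, and separates the two cases. The log lines are constructed; the ASA 106021 message ID and its wording are as I recall them, so verify against your own logs.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Constructed sample syslog (not from the page), shaped like the 106021 message
# quoted in the comment above, plus one unrelated line that must be ignored.
SAMPLE_LOG = """\
Mar 10 10:00:01 asa5500 %ASA-1-106021: Deny UDP reverse path check from 10.1.10.5 to 198.51.100.53 on interface outside
Mar 10 10:00:02 asa5500 %ASA-1-106021: Deny TCP reverse path check from 203.0.113.7 to 100.100.100.1 on interface backup-isp
Mar 10 10:00:02 asa5500 %ASA-1-106021: Deny TCP reverse path check from 203.0.113.7 to 100.100.100.1 on interface backup-isp
Mar 10 10:00:03 asa5500 %ASA-1-106021: Deny TCP reverse path check from 198.51.100.9 to 200.200.200.1 on interface outside
Mar 10 10:00:05 asa5500 %ASA-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:192.168.1.10/50000 (100.100.100.1/50000)
"""

RPF_RE = re.compile(
    r"%ASA-\d-106021: Deny (?P<proto>\w+) reverse path check from "
    r"(?P<src>[\d.]+) to (?P<dst>[\d.]+) on interface (?P<intf>\S+)"
)

# Explicit RFC 1918 ranges; ipaddress.is_private would also match the
# documentation ranges used in the sample, which is not what we want here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


class RpfDrop(NamedTuple):
    proto: str
    src: str
    dst: str
    intf: str   # interface the packet was received on


def parse_rpf_drops(log_text: str) -> List[RpfDrop]:
    """Extract every reverse-path-check drop from raw syslog text."""
    drops: List[RpfDrop] = []
    for line in log_text.splitlines():
        m = RPF_RE.search(line)
        if m:
            drops.append(RpfDrop(m.group("proto"), m.group("src"), m.group("dst"), m.group("intf")))
    return drops


def triage(drops: List[RpfDrop]) -> Dict[str, object]:
    """Split RPF drops into the two cases a defender treats differently."""
    per_interface = Counter(d.intf for d in drops)
    per_source = Counter((d.intf, d.src) for d in drops)
    # A private source on an Internet-facing interface cannot be a legitimate
    # reply: it is a spoof or an address leak and should keep being dropped.
    private_sources = sorted({d.src for d in drops if is_rfc1918(d.src)})
    # Public sources whose replies land on the "other" ISP interface are the
    # asymmetric-routing case that appears around a failover; compare their
    # timestamps with the tracked-route syslogs before relaxing the check.
    public_sources = sorted({d.src for d in drops if not is_rfc1918(d.src)})
    return {
        "per_interface": dict(per_interface),
        "top_sources": per_source.most_common(3),
        "private_sources": private_sources,
        "public_sources": public_sources,
    }


if __name__ == "__main__":
    summary = triage(parse_rpf_drops(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

If the drops are almost entirely public sources clustered on the interface that has just become the backup path, the fix is on the routing side (the stale sessions will finish or time out) and the check can stay on; a steady stream of private sources is the case the check exists for.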

  48. I have a Cisco ASA 5505 that is running with two ISPs: one is for the majority of the traffic and the other is being used for all HTTP and HTTPS requests. We had an issue where the ISP connection handling web traffic failed. Is there a way to force this to use the other ISP if this happens in the future?

  49. Colin,

    The only ISP failover config that I’m aware of is the one I describe in the post above (i.e. using SLA monitor to fail over from the active ISP to a backup ISP).
