Cisco ASA 5500 Dual ISP Connection

Starting with version 7.2(1), the Cisco ASA 5500 series firewall supports Dual-ISP capability. You can connect two interfaces of the firewall to two different ISPs and use the new “SLA Monitor” feature (SLA=Service Level Monitoring) to monitor the link to the primary ISP; if that link fails, traffic is routed to the backup ISP. The diagram below shows how to implement the Dual-ISP feature.

[Diagram: ASA 5500 dual ISP connection]

Assume that the Primary ISP (ISP-1) has assigned to us the public IP address with gateway Also, the Backup ISP (ISP-2) has assigned us the public IP with gateway Normally all traffic should flow through ISP-1, but if the physical link (or route) to that ISP fails, then traffic should be redirected to the Backup ISP. We can configure an SLA monitor service which will be checking every 10 seconds (using a ping echo request) the availability of the primary Gateway IP address ( If there is no response in 3000 milliseconds (3 sec), then the default route will be redirected to the Backup ISP. The configuration is shown below:

! <ISP1-gateway-IP> and <ISP2-gateway-IP> are placeholders for the gateway addresses assigned by each ISP
asa5500(config)# sla monitor 100
asa5500(config-sla-monitor)# type echo protocol ipIcmpEcho <ISP1-gateway-IP> interface outside
asa5500(config-sla-monitor-echo)# timeout 3000
asa5500(config-sla-monitor-echo)# frequency 10
asa5500(config)# sla monitor schedule 100 life forever start-time now
asa5500(config)# track 1 rtr 100 reachability
asa5500(config)# route outside 0.0.0.0 0.0.0.0 <ISP1-gateway-IP> 1 track 1
asa5500(config)# route backup-isp 0.0.0.0 0.0.0.0 <ISP2-gateway-IP> 254

Of course the configuration above assumes that you have already configured two interfaces connected to the ISPs, the first one with name ‘outside’ (security level 0) and the second one with name ‘backup-isp’ (security level 1).
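
An added example, not part of the original article: a Python check that reads ASA configuration text and verifies that the whole failover chain described above is present (probe defined and scheduled, track object bound to it, tracked primary default route, untracked backup default route with a higher metric on another interface). The sample configuration, its 203.0.113.1 and 198.51.100.1 gateways, and the helper name audit_dual_isp are constructed for illustration.

```python
import re

# Constructed sample config; gateway addresses are documentation-range placeholders.
SAMPLE = """\
sla monitor 100
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 timeout 3000
 frequency 10
sla monitor schedule 100 life forever start-time now
track 1 rtr 100 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup-isp 0.0.0.0 0.0.0.0 198.51.100.1 254
"""

DEFAULT = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)(?: (\d+))?(?: track (\d+))?\s*$", re.M)

def audit_dual_isp(cfg):
    """Return a list of findings; an empty list means the failover chain is complete."""
    findings = []
    slas = set(re.findall(
        r"^sla monitor (\d+)\n type echo protocol ipIcmpEcho \S+ interface \S+", cfg, re.M))
    scheduled = set(re.findall(r"^sla monitor schedule (\d+) ", cfg, re.M))
    tracks = dict(re.findall(r"^track (\d+) rtr (\d+) reachability", cfg, re.M))
    routes = [m.groups() for m in DEFAULT.finditer(cfg)]  # (ifname, gw, metric, track)
    primary = [r for r in routes if r[3]]
    backup = [r for r in routes if not r[3]]
    if not primary:
        findings.append("no tracked default route: primary never withdraws")
    for ifname, gw, metric, track in primary:
        sla = tracks.get(track)
        if sla is None:
            findings.append(f"route on {ifname} uses undefined track {track}")
        elif sla not in slas:
            findings.append(f"track {track} points at undefined sla monitor {sla}")
        elif sla not in scheduled:
            findings.append(f"sla monitor {sla} is never scheduled, so it sends no probes")
        for b_if, b_gw, b_metric, _ in backup:
            if b_if == ifname:
                findings.append(f"backup route shares interface {ifname}")
            if int(b_metric or 1) <= int(metric or 1):
                findings.append(f"backup metric on {b_if} is not higher than primary")
    if not backup:
        findings.append("no untracked backup default route")
    return findings

if __name__ == "__main__":
    print(audit_dual_isp(SAMPLE) or "failover chain complete")
```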


  1. Harris Andrea says


    This can be done with NAT. You will have to create a NAT rule for LAN1 which will use WAN1 IP and another NAT rule for LAN2 to use WAN2 IP. What ASA version are you using?

  2. David says

    ASA Version 8.4(4), ASDM 6.4(9) on an ASA 5510 w/ the Security Plus licence package. NAT you say? So as long as my routing tables get the traffic into the ASA from the correct LAN interface, these NAT rules will get them going out the correct WAN interfaces? What would these NAT rules look like?

  3. Harris Andrea says


    OK, the issue with NAT and route lookup is kind of messed up (even for Cisco). Depending on which ASA version you are using, the NAT rule can take precedence over the route-lookup and the NAT therefore will determine which will be the egress interface for a packet to go out. See this link here for an explanation of this behavior:

    So it all depends on the version you are using. I have not tried your exact situation in a real scenario but from my experience it should work.

    Try for example the following NAT rules:

    ciscoasa(config)# object network LAN1
    ciscoasa(config-network-object)# subnet <LAN1-network> <LAN1-netmask>
    ciscoasa(config-network-object)# nat (inside,WAN1) dynamic interface

    ciscoasa(config)# object network LAN2
    ciscoasa(config-network-object)# subnet <LAN2-network> <LAN2-netmask>
    ciscoasa(config-network-object)# nat (inside,WAN2) dynamic interface

    I assume that both LAN1 and LAN2 are somehow routed towards the “inside” interface. If you have two separate “legs” for LAN1 and LAN2 on ASA, then the command will be “nat (LAN1,WAN1) dynamic interface”

    Try that and let us know how it goes
