Cisco ASA 5500 Dual ISP Connection

Starting from version 7.2(1), the Cisco ASA 5500 series firewall supports a Dual-ISP capability. You can connect two interfaces of the firewall to two different ISPs and use the "SLA Monitor" feature (SLA = Service Level Agreement) to monitor the link to the primary ISP; if that link fails, traffic is routed to the backup ISP. The diagram below shows how to implement the Dual-ISP feature.

[Diagram: ASA 5500 dual ISP connection]

Assume that the primary ISP (ISP-1) has assigned us the public IP address 100.100.100.1 with gateway 100.100.100.2, and the backup ISP (ISP-2) has assigned us the public IP 200.200.200.1 with gateway 200.200.200.2. Normally all traffic should flow through ISP-1, but if the physical link (or the route) to that ISP fails, traffic should be redirected to the backup ISP. We configure an SLA monitor that checks the availability of the primary gateway IP address (100.100.100.2) every 10 seconds with an ICMP echo request. If no reply arrives within 3000 milliseconds (3 seconds), the tracked default route is withdrawn and the default route via the backup ISP takes over; the backup route carries administrative distance 254, so it stays out of the routing table until the tracked primary route disappears. The configuration is shown below:

asa5500(config)# sla monitor 100
asa5500(config-sla-monitor)# type echo protocol ipIcmpEcho 100.100.100.2 interface outside
asa5500(config-sla-monitor-echo)# timeout 3000
asa5500(config-sla-monitor-echo)# frequency 10
asa5500(config)# sla monitor schedule 100 life forever start-time now
asa5500(config)# track 1 rtr 100 reachability
asa5500(config)# route outside 0.0.0.0 0.0.0.0 100.100.100.2 1 track 1
asa5500(config)# route backup-isp 0.0.0.0 0.0.0.0 200.200.200.2 254

Of course, the configuration above assumes that you have already configured the two interfaces connected to the ISPs: the first one named 'outside' (security level 0) and the second one named 'backup-isp' (security level 1).
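A misplaced track or an SLA probe that goes out the wrong interface silently leaves you without failover, so it is worth checking the wiring between the sla monitor, the track object and the two default routes before trusting it. The Python below is an added example, not part of the original article or of any Cisco tool: it parses the subset of ASA running-config syntax used above (the interface blocks, addresses and physical interface IDs in the sample are constructed to match the article's names) and reports consistency problems. The timeout/frequency defaults used when a line is absent are the documented ASA defaults and are an assumption of this checker.

```python
import re

# Constructed sample matching the article's configuration, written the way
# "show running-config" prints it (no prompts). Physical interface IDs and
# subnet masks are assumed; names, addresses, SLA/track/route lines are the article's.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 100.100.100.1 255.255.255.0
interface GigabitEthernet0/1
 nameif backup-isp
 security-level 1
 ip address 200.200.200.1 255.255.255.0
sla monitor 100
 type echo protocol ipIcmpEcho 100.100.100.2 interface outside
 timeout 3000
 frequency 10
sla monitor schedule 100 life forever start-time now
track 1 rtr 100 reachability
route outside 0.0.0.0 0.0.0.0 100.100.100.2 1 track 1
route backup-isp 0.0.0.0 0.0.0.0 200.200.200.2 254
"""

# Assumed ASA defaults applied when the sla monitor block omits the line.
DEFAULT_TIMEOUT_MS = 5000
DEFAULT_FREQUENCY_S = 60


def parse_config(text):
    """Parse the subset of ASA syntax that the dual-ISP failover relies on."""
    cfg = {"interfaces": {}, "sla": {}, "scheduled": set(), "tracks": {}, "routes": []}
    section = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indented = raw[0] == " "
        line = raw.strip()
        if not indented:
            section = None  # a new top-level command ends any sub-mode block
            if (m := re.match(r"interface (\S+)$", line)):
                section = ("interface", m.group(1))
                cfg["interfaces"][m.group(1)] = {"nameif": None, "security_level": None}
            elif (m := re.match(r"sla monitor schedule (\d+)\b", line)):
                cfg["scheduled"].add(int(m.group(1)))
            elif (m := re.match(r"sla monitor (\d+)$", line)):
                section = ("sla", int(m.group(1)))
                cfg["sla"][int(m.group(1))] = {"target": None, "interface": None,
                                               "timeout_ms": DEFAULT_TIMEOUT_MS,
                                               "frequency_s": DEFAULT_FREQUENCY_S}
            elif (m := re.match(r"track (\d+) rtr (\d+) reachability$", line)):
                cfg["tracks"][int(m.group(1))] = int(m.group(2))
            elif (m := re.match(r"route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?(?: track (\d+))?$", line)):
                cfg["routes"].append({
                    "interface": m.group(1), "network": m.group(2), "mask": m.group(3),
                    "gateway": m.group(4),
                    "distance": int(m.group(5) or 1),          # AD defaults to 1
                    "track": int(m.group(6)) if m.group(6) else None,
                })
            continue
        if section is None:
            continue
        kind, key = section
        if kind == "interface":
            if (m := re.match(r"nameif (\S+)$", line)):
                cfg["interfaces"][key]["nameif"] = m.group(1)
            elif (m := re.match(r"security-level (\d+)$", line)):
                cfg["interfaces"][key]["security_level"] = int(m.group(1))
        elif kind == "sla":
            if (m := re.match(r"type echo protocol ipIcmpEcho (\S+) interface (\S+)$", line)):
                cfg["sla"][key]["target"], cfg["sla"][key]["interface"] = m.group(1), m.group(2)
            elif (m := re.match(r"timeout (\d+)$", line)):
                cfg["sla"][key]["timeout_ms"] = int(m.group(1))
            elif (m := re.match(r"frequency (\d+)$", line)):
                cfg["sla"][key]["frequency_s"] = int(m.group(1))
    return cfg


def check_failover(cfg):
    """Return (severity, message) findings; no 'error' entries means the failover wiring is consistent."""
    findings = []
    names = {i["nameif"] for i in cfg["interfaces"].values() if i["nameif"]}
    defaults = [r for r in cfg["routes"] if r["network"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]
    for r in cfg["routes"]:
        if r["interface"] not in names:
            findings.append(("error", f"route via unknown interface '{r['interface']}'"))
    for r in [r for r in cfg["routes"] if r["track"] is not None]:
        sla_id = cfg["tracks"].get(r["track"])
        if sla_id is None:
            findings.append(("error", f"route via {r['interface']} tracks object {r['track']} which does not exist"))
            continue
        sla = cfg["sla"].get(sla_id)
        if sla is None:
            findings.append(("error", f"track {r['track']} references sla monitor {sla_id} which does not exist"))
            continue
        if sla_id not in cfg["scheduled"]:
            findings.append(("error", f"sla monitor {sla_id} is never scheduled, so track {r['track']} will not change state"))
        if sla["interface"] != r["interface"]:
            findings.append(("error", f"sla monitor {sla_id} probes via {sla['interface']} but protects a route via {r['interface']}"))
        if sla["timeout_ms"] > sla["frequency_s"] * 1000:
            findings.append(("error", f"sla monitor {sla_id}: timeout {sla['timeout_ms']} ms exceeds probe frequency {sla['frequency_s']} s"))
        if sla["target"] == r["gateway"]:
            # Pinging the directly connected gateway only proves the local link is up.
            findings.append(("info", f"sla monitor {sla_id} probes the next hop itself; an upstream ISP failure beyond {r['gateway']} will not trigger failover"))
        if r in defaults and not [f for f in defaults if f is not r and f["distance"] > r["distance"]]:
            findings.append(("error", f"tracked default route via {r['interface']} has no floating backup default route"))
    return findings


if __name__ == "__main__":
    for severity, message in check_failover(parse_config(SAMPLE_CONFIG)):
        print(f"[{severity}] {message}")
```

Run it against a saved `show running-config` by reading the file into `parse_config`; the article's own configuration produces no errors and one informational note about probing the gateway rather than a host beyond it.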


Comments

  1. Harris Andrea says:

    David,

    This can be done with NAT. You will have to create a NAT rule for LAN1 which will use WAN1 IP and another NAT rule for LAN2 to use WAN2 IP. What ASA version are you using?

  2. ASA Version 8.4(4), ASDM 6.4(9) on an ASA 5510 w/ the Security Plus licence package. NAT you say? So as long as my routing tables get the traffic into the ASA from the correct LAN interface, these NAT rules will get them going out the correct WAN interfaces? What would these NAT rules look like?

  3. Harris Andrea says:

    David,

    OK, the issue with NAT and route lookup is kind of messed up (even for Cisco). Depending on which ASA version you are using, the NAT rule can take precedence over the route lookup, and the NAT will therefore determine the egress interface for a packet. See this link for an explanation of this behavior:

    http://packetpushers.net/understanding-when-a-cisco-asa-nat-rule-can-override-the-asa-routing-table/

    So it all depends on the version you are using. I have not tried your exact situation in a real scenario but from my experience it should work.

    Try for example the following NAT rules:

    ciscoasa(config)# object network LAN1
    ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0
    ciscoasa(config-network-object)# nat (inside,WAN1) dynamic interface

    ciscoasa(config)# object network LAN2
    ciscoasa(config-network-object)# subnet 192.168.2.0 255.255.255.0
    ciscoasa(config-network-object)# nat (inside,WAN2) dynamic interface

    I assume that both LAN1 and LAN2 are somehow routed towards the “inside” interface. If you have two separate “legs” for LAN1 and LAN2 on ASA, then the command will be “nat (LAN1,WAN1) dynamic interface”

    Try that and let us know how it goes.
