ASA 5510 Dual ISP Outbound Failover

This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built in functionality to NAT multiple public IPs to a single internal IP – for that you’d need a router (how-to article soon!).  For an ASA to provide inbound redundancy to your servers you’d need to utilize two separate IPs for each server – one to be NAT’d to each public IP block.
The information you’ll need to complete this task:

Primary ISP Subnet / Gateway
Secondary ISP Subnet / Gateway
A Public host to ping (i.e.

The Public host to ping is a device (read: cluster of devices) that we will use to check if our primary ISP is up or down.  For that reason, I advise against using an IP of a single server.  I usually go with one of the well-known public DNS servers –,, or
For this article, we’ll use the following information:

Private LAN

I’ll assume that you’ve already been successful in getting your ASA up and running, and that your config looks something like this (NOTE: I’m using the 8.2 firmware):
                      hostname firewall
                      interface Ethernet0/0
                       description Primary ISP
                       nameif outside
                       security-level 0
                       ip address
                      interface Ethernet0/1
                       description Backup ISP
                       nameif backup
                       security-level 0
                       ip address
                      interface Ethernet0/2
                       description Private LAN
                       nameif inside
                       security-level 100
                       ip address 
                      interface Ethernet0/3
                       no nameif
                       no security-level
                       no ip address
                      interface Management0/0
                       nameif management
                       security-level 100
                       ip address 
                      global (backup) 1 interface
                      global (outside) 1 interface
                      nat (inside) 1
                      route outside 1
                      route backup 10

Open in new window

As it stands, you will fail over to your secondary ISP only if interface Eth0/0 physically goes down – that is, the cable to your upstream router, public switch, or whatever device you firewall is connected to is unplugged or cut.  Realistically, the number of times that an outage is due to something besides a loss of physical link is far greater than an outage caused by a physical outage.  For that reason, Cisco lets us do route tracking, which is where our “public IP to ping” comes into play.  Basically, we tell the ASA that we want to ping IP address over a specific route, and if that host stops responding, then assume the route is down, and install a backup route into the route table.
To get started, get into configuration mode
firewall> enable
                      firewall# config t

Open in new window

First we’ll setup the constant ping to a specific IP:
firewall(config)# sla monitor 1
                      firewall(config-sla-monitor)# type echo protocol ipIcmpEcho interface outside
                      firewall(config-sla-monitor)# num-packets 3
                      firewall(config-sla-monitor)# frequency 10
                      firewall(config-sla-monitor)# exit
                      firewall(config)# sla monitor schedule 1 life forever start-time now

Open in new window

Here we’ve said that we want to send 3 ICMP echos to and repeat every 10 seconds.
Next we’ll tie a tracked route with the SLA monitor:
firewall(config)# track 100 rtr 1 reachability

Open in new window

And last we’ll specify the route that we want to track:
firewall(config)# no route outside 1
                      firewall(config)# route outside 1 track 100

Open in new window

And that should do it.  Keep in mind that for the best test case after completing this setup you should turn off / unplug something that leave the physical interface up.  So if you’re firewall connects to a public switch, and then the switch connects to your ISP’s device, unplug the cable between the switch and the ISP.

Comments (1)

Pete LongSolutions Architect
Distinguished Expert 2020

Hi anoyes

Another thing to bear in mind is, the failover is great for outbound traffic, but a 'happy' side effect' of doing this is, if the client has a web server/email server BOTH interfaces can be used to access these internal resources ALL THE TIME (from the outside of those interfaces) regardless of which interface is currents at the lowest routing metric :) providing the port forwarding/static NATs are correct.

Also, any site to site VPNS from remote sited need their VPN configs updating with the new IP to enable the VPN's to fail over.

Cisco ASA/PIX 8.x: Redundant or Backup ISP Links with VPNs


Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.