ASA 5505 Dual ISP setup

Posted on 2008-11-19
Last Modified: 2012-05-05

I need help setting up my ASA5505 (Sec+ license) to work with 2 ISPs. Right now it works just fine with one WAN interface, and I set the second one as backup, but I'm not getting any traffic through WAN2 (backup 0/2). Both ISPs provide dynamic IP addresses and I set the ASA to obtain the IP addresses for "outside" and "backup" via DHCP. I need the ASA set to switch over to the second ISP link ("backup") when the first one is down or there is some problem and the traffic is not going through it. When the primary ISP ("outside") is back, the ASA should switch back to the primary ISP.

Result of the command: "sho run"

: Saved
ASA Version 8.0(4)
hostname asa
enable password OmnnXRU1dg.mR encrypted
passwd 2KFQn.2KYOU encrypted

interface Vlan1
 nameif inside
 security-level 100
 ip address
 ospf cost 10
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
 ospf cost 10
interface Vlan3
 nameif backup
 security-level 0
 ip address dhcp setroute
 ospf cost 10
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 3
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7

banner login **************************************************************************************
ftp mode passive
clock timezone EST -4
clock summer-time EDT recurring
access-list icmp_permit extended permit icmp any any
access-list SSL extended permit tcp any any eq ssh
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backup 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
access-group icmp_permit in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh inside
ssh timeout 5
console timeout 30
dhcpd auto_config outside

dhcpd address inside
dhcpd auto_config outside interface inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server source outside
ntp server source outside prefer

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
  inspect icmp
policy-map global-policy

service-policy global_policy global
prompt hostname context

: end


Question by:MACROLEVEL

    Accepted Solution

    Here's a link that should help you out.

    "In order to achieve this redundancy, the security appliance associates a static route with a monitoring target
    that you define. The service level agreement (SLA) operation monitors the target with periodic Internet
    Control Message Protocol (ICMP) echo requests. If an echo reply is not received, the object is considered
    down, and the associated route is removed from the routing table. A previously configured backup route is
    used in place of the route that is removed. While the backup route is in use, the SLA monitor operation
    continues to try to reach the monitoring target. Once the target is available again, the first route is replaced in
    the routing table, and the backup route is removed."


    Author Comment

    I already found this example

    but I do not have enough experience to follow it. I need detailed instructions, either using the CLI or ASDM, on how to set it up for dynamic IPs. My first provider is cable with the modem in bridged mode; the second (backup) line is DSL with some kind of built-in router and DHCP server. I do see both IP addresses inside ASDM, so the ASA did assign them to the appropriate interfaces.

    Expert Comment

    I haven't tested this but I believe this is all you're missing.  

    global (backup) 1 interface

    route outside 0.0.0.0 0.0.0.0 <Default Gateway of outside from DHCP> 1 track 1

    route backup 0.0.0.0 0.0.0.0 <Default Gateway of backup from DHCP> 254

    (This route has an administrative distance of 254 so it will not be used if the route with an AD of 1 is available.)

    sla monitor 123
     type echo protocol ipIcmpEcho <external IP you want to monitor to verify that outside is up> interface outside
     num-packets 3
     frequency 10

    sla monitor schedule 123 life forever start-time now
    track 1 rtr 123 reachability
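    As an added illustration (not code from this thread or from Cisco), a small Python model of the mechanism the accepted solution quotes and the configuration above sets up: a tracked default route with AD 1, an untracked backup route with AD 254, and an SLA echo probe that withdraws and reinstalls the tracked route. The monitored IP and gateways are constructed values, and treating the target as reachable when at least one echo in a cycle is answered is a modelling assumption.

```python
from typing import Dict, List, Optional

class SlaMonitor:
    """Models 'sla monitor 123' / 'type echo protocol ipIcmpEcho <target>' / 'num-packets 3'.
    Assumption: the target is reachable if at least one echo in the cycle is answered."""

    def __init__(self, target: str, num_packets: int = 3) -> None:
        self.target = target
        self.num_packets = num_packets
        self.reachable = True  # track object starts up when the schedule starts

    def probe(self, replies: List[bool]) -> bool:
        # replies: constructed per-echo outcome for this probe cycle
        self.reachable = any(replies[: self.num_packets])
        return self.reachable

class StaticRoute:
    def __init__(self, iface: str, gateway: str, distance: int,
                 track: Optional[int] = None) -> None:
        self.iface, self.gateway = iface, gateway
        self.distance, self.track = distance, track  # track: the 'track N' clause

class RoutingTable:
    def __init__(self, routes: List[StaticRoute], tracks: Dict[int, SlaMonitor]) -> None:
        self.routes, self.tracks = routes, tracks

    def installed(self) -> List[StaticRoute]:
        # A tracked route is withdrawn from the table while its track object is down.
        return [r for r in self.routes
                if r.track is None or self.tracks[r.track].reachable]

    def default_gateway(self) -> StaticRoute:
        # Among installed default routes the lowest administrative distance wins.
        return min(self.installed(), key=lambda r: r.distance)

def simulate(cycles: List[List[bool]]) -> List[str]:
    """Run successive probe cycles; return the egress interface chosen after
    each one. Gateways and the monitored IP are constructed values."""
    sla = SlaMonitor(target="198.51.100.1")
    table = RoutingTable(
        routes=[StaticRoute("outside", "203.0.113.1", 1, track=1),  # AD 1, tracked
                StaticRoute("backup", "192.0.2.1", 254)],           # AD 254, untracked
        tracks={1: sla})
    chosen = []
    for replies in cycles:
        sla.probe(replies)
        chosen.append(table.default_gateway().iface)
    return chosen
```

    The backup route is always in the table; it only carries traffic while the primary has been withdrawn, and the primary returns as soon as a probe cycle succeeds again.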

    Author Comment

    Is the GW address for dynamic WAN IPs always permanent? I mean, periodically I'm getting new IP address from ISP. Will the GW address change as well so I have to change it on ASA as well? Also, is there a way to see what is the GW address from ASA for each outside interface?

    Expert Comment

    One of the problems with DHCP on the WAN is that your providers will most likely change your IP from time to time; if they keep you in the same subnet you'll be fine. You may want to look into the cost of getting static IPs.

    You should be able to use the command show route outside to determine your gateway.

    Expert Comment

    So could we also enable the following:

    crypto map vpn interface outside
    crypto map vpn interface backup
    crypto isakmp enable outside
    crypto isakmp enable backup

    Would it move the tunneling over to the backup ISP?
