More than 2 ISPs for a ASA5505

Posted on 2011-09-07
Last Modified: 2012-05-12
Hello Experts.

I have a particular customer who's network upon discovery is a complete mess. In order to maintain connectivity at their location they have 5 ISPs at one site. Rather than go the logical method of connecting 2 circuits to a device and allow it to make the decision of what ISP to route through, they have physically split their network up where computers in the same room will use different ISPs. In a warehouse there are 3 PCs on each of the 5 networks. This is their IT consultants idea of "redundancy". I will need to resolve this issue as I do not wish to support that type of network. My question to you all out there is would it be possible to setup more than 2 ISPs for on a Cisco asa 5505. In the past I have setup dual ISP configurations, but none more than 2. Currently they have a watch guard e750 in place, but I do not think that that firewall is capable of handling multiple ISPs in that type of config. Is there a way of configuring more than 2 ISPs on either the watchgaurd or a cisco 5505?
Question by:vtinfo
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
LVL 37

Expert Comment

ID: 36497039
The 5505 with a sec plus licence has "dual isp"

Are they using the 5 connections for inbound or outbound connectivity ?

What type of connections are each of the 5 ? Would they be better off replacing four of them with a single connection "fatter" connection and having a backup connection ?

I do work for one place that has a 100mb fibre connection, with FTTC (40mb/10mb) and a WiMax (2mb) as backup connections, but this is on a 5510 active/passive HA pair.
LVL 33

Accepted Solution

MikeKane earned 500 total points
ID: 36497168
I don't think the ASA has the ability to use more than 2 ISPs in an active/passive type of config.    With all ASAs, you can only have 1 default route to 1 ISP at a time, the 2nd ISP is always just for backup.   There is no load balancing at all.      
LVL 37

Expert Comment

ID: 36497188
@MikeKane The 5510 (like all ASAs) cannot do load balancing, but having tracked routes appears to work fine for inbound and outbound NAT/PAT failing over across three connections in sequence.
Flexible connectivity for any environment

The KE6900 series can extend and deploy computers with high definition displays across multiple stations in a variety of applications that suit any environment. Expand computer use to stations across multiple rooms with dynamic access.

LVL 33

Expert Comment

ID: 36506510
@ ArneLovius -    Correct that you can add routes for specific subnets to other ISPs, however, you can ever only have 1 default route to 1 ISP out through 1 interface.    

So if you want to have dual 'outside' interfaces, each to a different ISP, only 1 of those interfaces can route   The other can certainly route specific subnets, but not a catch-all route.    This also opens up other issues where the session can be establshed on 1 adapter, but the answer comes from another sourced IP....  secure apps don't like this much.    

LVL 37

Expert Comment

ID: 37485617
@MikeKane you can with route tracking, see

this provides you with multiple routes to granted only one will be active at a time for outbound traffic, however you can connect to them for inbound traffic.

Author Closing Comment

ID: 37603739
Thank you for your response. Indeed the ASA can only use the two ISP connections at once. Luckily I had the site in questions re design their incredibly unorthodox network to use only the two connections.

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction This article explores the design of a cache system that can improve the performance of a web site or web application.  The assumption is that the web site has many more “read” operations than “write” operations (this is commonly the ca…
Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

628 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question