More than 2 ISPs for a ASA5505

Posted on 2011-09-07
Last Modified: 2012-05-12
Hello Experts.

I have a particular customer who's network upon discovery is a complete mess. In order to maintain connectivity at their location they have 5 ISPs at one site. Rather than go the logical method of connecting 2 circuits to a device and allow it to make the decision of what ISP to route through, they have physically split their network up where computers in the same room will use different ISPs. In a warehouse there are 3 PCs on each of the 5 networks. This is their IT consultants idea of "redundancy". I will need to resolve this issue as I do not wish to support that type of network. My question to you all out there is would it be possible to setup more than 2 ISPs for on a Cisco asa 5505. In the past I have setup dual ISP configurations, but none more than 2. Currently they have a watch guard e750 in place, but I do not think that that firewall is capable of handling multiple ISPs in that type of config. Is there a way of configuring more than 2 ISPs on either the watchgaurd or a cisco 5505?
Question by:vtinfo
  • 3
  • 2
LVL 36

Expert Comment

ID: 36497039
The 5505 with a sec plus licence has "dual isp"

Are they using the 5 connections for inbound or outbound connectivity ?

What type of connections are each of the 5 ? Would they be better off replacing four of them with a single connection "fatter" connection and having a backup connection ?

I do work for one place that has a 100mb fibre connection, with FTTC (40mb/10mb) and a WiMax (2mb) as backup connections, but this is on a 5510 active/passive HA pair.
LVL 33

Accepted Solution

MikeKane earned 500 total points
ID: 36497168
I don't think the ASA has the ability to use more than 2 ISPs in an active/passive type of config.    With all ASAs, you can only have 1 default route to 1 ISP at a time, the 2nd ISP is always just for backup.   There is no load balancing at all.      
LVL 36

Expert Comment

ID: 36497188
@MikeKane The 5510 (like all ASAs) cannot do load balancing, but having tracked routes appears to work fine for inbound and outbound NAT/PAT failing over across three connections in sequence.
Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

LVL 33

Expert Comment

ID: 36506510
@ ArneLovius -    Correct that you can add routes for specific subnets to other ISPs, however, you can ever only have 1 default route to 1 ISP out through 1 interface.    

So if you want to have dual 'outside' interfaces, each to a different ISP, only 1 of those interfaces can route   The other can certainly route specific subnets, but not a catch-all route.    This also opens up other issues where the session can be establshed on 1 adapter, but the answer comes from another sourced IP....  secure apps don't like this much.    

LVL 36

Expert Comment

ID: 37485617
@MikeKane you can with route tracking, see

this provides you with multiple routes to granted only one will be active at a time for outbound traffic, however you can connect to them for inbound traffic.

Author Closing Comment

ID: 37603739
Thank you for your response. Indeed the ASA can only use the two ISP connections at once. Luckily I had the site in questions re design their incredibly unorthodox network to use only the two connections.

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Hardening ScreenOS 8 100
Setting up a remote office over MPLS with 2 Sonicwalls, need some advice on vlan, dhcp, etc 2 71
SD - WAN 2 42
ipsec tunnel comme not up 10 73
Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you get rid of the dreaded warning screen below and achieve the best online gaming environment…
There are times where you would like to have access to information that is only available from a different network. This network could be down the hall, or across country. If each of the network sites have access to the internet, you can create a ne…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

919 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now