Two ISP's and Cisco 5510

merker19 used Ask the Experts™
Hi- I will be upgrading the ISP for my site and I was wondering what the best way to do that would be, especially in regards to our email server. I've done some research and it appears that I can connect two live ISP connections to my Cisco ASA 5510, but that I can only have one ISP connection live at any one time --so basically one is active and the other is the failover. So basically, I have:

ISP A - Old ISP, which will be retired in 8 months
ISP A Public IP
ISP B Public IP

I have the live Cisco ASA 5510 and a spare Cisco ASA 5505.

What's the best process for this?

Configure for the average dual ISP scenario

You'll need to make sure you have all outside ACLs and NATs lined up, but for the most part it's a straightforward process. Make sure you are consoled in when making the routing (track) changes, as it can remove the default route completely if anything isn't right.

As for the email server, make sure your NAT and ACLs are set correctly. You'll need both reverse DNS records to be created, and your MX records can have priority set to prefer your primary ISP.
It's better to put each ISP in a different VRF, like VRFA and VRFB, and create IPsec tunnels over those VRFs.

Since you want to make it active/passive, use the tunnel delay/BW properties.

For example: VRF A primary link, TunnelA primary tunnel, delay 1000
VRF B secondary link, TunnelB secondary tunnel, delay 5000


My apologies. I didn't complete my request.

I've seen that I CAN do the active/failover configuration with tracking on the Cisco ASA 5510, but I would like to have a scenario where I can have both ISPs working at once with:

User Group A using ISP A
User Group B using ISP B

The email server is on the DMZ on ISP A. Would it be possible to make it accessible by ISP B as well? To aid in the migration of the MX record? Or is there a better way? Thanks.
The ASA can't do policy-based routing, so you can't get the ASA to have two "default" routes. If you were to configure for multiple contexts, each context could have its own default route to allow you to utilize both ISP links at the same time. Each context would end up needing to be configured for ISP failover; otherwise the loss of one ISP would mean the loss of connectivity for one whole group of users. This also means that each context requires a public IP on both ISPs, so the ASA alone would take up 2 IPs per ISP.

As far as the outside world reaching the email server, the setup is pretty easy. You just need both reverse DNS records to be configured - there is nothing special that has to be done with this. Your MX records would end up like this. Let's say currently your MX record is with the default preference of 10. You would need to add an additional MX record of, say, with a preference of 20. This way, any mail sent by you, regardless of which ISP it goes through, will have a correct reverse DNS record (both reverse records reference the primary, NOT because you only have the one server). When someone sends you email they will try the MX record with the lowest preference and if it times out they will try the next record in order of preference.
The email server/DMZ only needs to be in one of the existing contexts to be able to communicate with the outside world. The challenge will be communicating with internal machines. Your PBR would have to be able to direct that traffic appropriately, or your email server would need to have two interfaces - one with a default route for the internet, and the other connected internally with static routes to your private addresses.

Prior to users hitting the ASA you would have to come up with some way to either policy route, VRF, or separate via VLAN to ensure that A users enter Context A and B users enter Context B. I assume you want users to be able to communicate with themselves directly, so the VLAN idea probably won't work and you'll end up needing to do PBR or VRFs with route sharing.

My personal recommendation would be to live with a failover-only scenario and not bother with the headaches involved in getting an ASA to act like a load-balancing router/firewall, especially if you're getting rid of one of the ISPs in less than a year. It's a great idea in theory, but in practice it's pretty tough and comes with compromises.

Oh yeah... if you do multiple contexts you can no longer do remote access VPN, and a site-to-site VPN would end up needing one tunnel per context for each destination.
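The failover-only setup recommended above, together with the mail server reachability from both ISPs discussed in the earlier reply, as an added example that is not from any of the posts: SLA tracking withdraws the primary default route when ISP A's gateway stops answering, and twice NAT publishes the inside network and the DMZ mail server through each ISP. Interface names, the 203.0.113.0/24 and 198.51.100.0/24 addresses, the mail server host and the ACL names are assumed placeholders.

```cisco
! Added example: dual-ISP failover on an ASA (8.3+ NAT syntax); all addresses are placeholders.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
interface Ethernet0/1
 nameif backup
 security-level 0
 ip address 198.51.100.10 255.255.255.0
!
! Probe ISP A's gateway every 10 s with three echoes; track 1 follows the probe's reachability.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! The tracked primary route is removed when track 1 fails; the backup route (metric 254) then wins.
! Enter these from the console: a wrong track id can leave the ASA with no default route at all.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Twice NAT needs one rule per ISP interface, otherwise outbound traffic breaks after failover.
object network inside-net
 subnet 10.0.0.0 255.255.255.0
nat (inside,outside) source dynamic inside-net interface
nat (inside,backup) source dynamic inside-net interface
!
! DMZ mail server mapped to one public IP from each ISP (each mapped IP needs its reverse DNS record).
object network mail-server
 host 172.16.1.25
object network mail-public-a
 host 203.0.113.25
object network mail-public-b
 host 198.51.100.25
nat (dmz,outside) source static mail-server mail-public-a
nat (dmz,backup) source static mail-server mail-public-b
!
! Inbound SMTP must be permitted on both ISP interfaces.
access-list outside_in extended permit tcp any object mail-server eq smtp
access-list backup_in extended permit tcp any object mail-server eq smtp
access-group outside_in in interface outside
access-group backup_in in interface backup
```

While the primary route is up, replies to connections that arrived on the backup interface still follow the single default route out of ISP A, so the ISP B mapping only delivers mail once failover has occurred; that is the one-default-route limitation described above, and the MX preference should favor the ISP A address.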


Thanks. It gives me some things to think about.
