Two ISPs and ASA

Unanswered Question
Jul 5th, 2007

Dear guru friends,

I have the following situation. Let me describe it to you:

Two ISPs, coming from two different routers. These routers are connected to a single switch and my ASA is connected to this switch too.

I have to separate some services to go through a specific link and others to go through the other one. The problem is: I have VPNs inside my ASA box, so I cannot use contexts, right?

What could be a solution to this? My two ISPs give me two different CIDRs address block. Using BGP is discarded.

I appreciate!

mauricioharley Thu, 07/12/2007 - 14:35


They are different CIDRs. I know that I can't put two different default routes in ASA, so how can I handle this? One of the links will be specifically to maintain the site-to-site VPNs (coming from dynamic IP addresses). The other one will be for the DMZ servers and the rest of the network (internal users).


Fernando_Meza Wed, 07/11/2007 - 19:38

Hi. Perhaps you could use another router connected to the same switch. This router could be the default gateway for the ASA so that all outbound/inbound traffic is passed from/to the ASA to/from this router. You could then use route maps on this router to select which traffic is to be routed by one ISP link and which one is to be routed out by the other link. This will only work for outbound traffic though.

Just an idea. I hope it helps. Please rate it if it does!

mauricioharley Thu, 07/12/2007 - 14:26

Answering to Fernando and Tim,

The two links are from the same ISP, but use different CIDR blocks, so I cannot simply connect them all together (ASA and the two ISPs' routers into the same switch) and just start routing.

Fernando, are you suggesting OER? Would it be this? Can you please go deeper in your explanation? How exactly would the master router's and the ASA's configurations look?

Detail: I have site-to-site VPNs terminating in the ASA, ok?



Do you manage the internet routers or not?

I'd be aiming to have:

Two routers and ASA in the same subnet. Run HSRP between the two routers and default route to the HSRP address from the ASA.

If you can control the routing on the internet routers then you can specifically control which way you go to the internet (for subnets or ASs).

The other way (internet to you) will work by default as they are two different CIDRs from differing ISPs.

Hopefully the addressing for the CIDRs is not being used to create the segment for the ASA and two routers. Not such an issue but it helps.

You can use routing or policy routes on the two internet routers to direct traffic to the next hop based on your requirements.
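The design Fernando and Tim describe (an HSRP pair in front of the ASA, with policy routing on the routers choosing the ISP) written out as an IOS configuration. This is an added example and is not configuration posted by anyone in this thread; every address, interface name, ACL name and route-map name is an assumption chosen for illustration. It assumes the shared segment 203.0.113.0/24 is carved from ISP-A's block (so the ASA outside address 203.0.113.4, where the site-to-site VPNs terminate, is reachable via ISP-A), that the ASA NATs DMZ servers and internal users onto ISP-B's block 198.51.100.0/24, and that each router's upstream next hop is 192.0.2.1 (ISP-A) and 192.0.2.5 (ISP-B).

```cisco
! --- Router-A: faces ISP-A, preferred HSRP active router, carries the VPN traffic ---
! All addresses and names here are assumptions for the example.
interface GigabitEthernet0/1
 description Shared segment with the ASA outside interface and Router-B
 ip address 203.0.113.2 255.255.255.0
 ! PBR will send some packets back out this same interface; suppress ICMP redirects
 no ip redirects
 standby 1 ip 203.0.113.1
 standby 1 priority 110
 standby 1 preempt
 ! Policy-route traffic arriving from the ASA
 ip policy route-map VIA-ISP-B
!
! Sources that must leave via ISP-B: the DMZ/internal-user NAT block from ISP-B
ip access-list extended SRC-ISP-B-BLOCK
 permit ip 198.51.100.0 0.0.0.255 any
!
route-map VIA-ISP-B permit 10
 match ip address SRC-ISP-B-BLOCK
 set ip next-hop 203.0.113.3
!
! Anything else (including VPN packets sourced from the ASA outside address)
! follows the routing table, i.e. the default route toward ISP-A
route-map VIA-ISP-B permit 20
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1

! --- Router-B: faces ISP-B, HSRP standby, carries DMZ and internal-user traffic ---
interface GigabitEthernet0/1
 description Shared segment with the ASA outside interface and Router-A
 ip address 203.0.113.3 255.255.255.0
 no ip redirects
 standby 1 ip 203.0.113.1
 standby 1 priority 90
 standby 1 preempt
 ip policy route-map VIA-ISP-A
!
! If HSRP fails over to Router-B, VPN traffic from the ASA outside address
! is still handed to Router-A so that it leaves through ISP-A
ip access-list extended SRC-ASA-OUTSIDE
 permit ip host 203.0.113.4 any
!
route-map VIA-ISP-A permit 10
 match ip address SRC-ASA-OUTSIDE
 set ip next-hop 203.0.113.2
!
route-map VIA-ISP-A permit 20
!
ip route 0.0.0.0 0.0.0.0 192.0.2.5
! Inbound traffic from ISP-B for the NAT block is handed back to the ASA
ip route 198.51.100.0 255.255.255.0 203.0.113.4

! --- ASA: a single default route pointing at the HSRP virtual address ---
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

The route-maps only steer outbound packets, which is the limitation Fernando points out: inbound traffic reaches whichever router belongs to the ISP that owns the destination block, which is why Router-B carries a static route for 198.51.100.0/24 back to the ASA. The two route-maps match disjoint sources, so a packet policy-routed from one router to the other is not bounced back. If the ISP routers are not under your control, the same ACLs and route-maps go on a router of your own placed between the ASA and the two ISP routers, with those routers as the `set ip next-hop` targets. Because every flow still enters and leaves the ASA on its one outside interface, the ASA's stateful inspection does not see asymmetry even when the two directions use different routers.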


mauricioharley Fri, 07/13/2007 - 07:55

Hi, Tim,

No, I don't manage the routers. I have no access to them. Could you please send me an example configuration (ASA + master router) of how to do this? I just can't understand how routing works in this case.

P.S.: do not forget: I terminate site-to-site VPNs in my ASA. Is there any problem with doing it?

Thanks in advance!

