Failover and traffic balancing on 3725

Apr 24th, 2008

We have a 3725 router and two ISPs; one is wired and one is wireless. We also have an ASA5520 firewall in place inside the router.

We would like to have failover and also traffic balancing. For example, we want inbound traffic to our company to come in over the wired ISP, and all of our outbound traffic to the internet to go out over the wireless.

Is this possible with our current 3725 and ASA? If so, what must be done, in brief explanation? If not, what are the options for us, like buying a new router or a device like BigIP or something similar?


Sushil Kumar Katre Thu, 04/24/2008 - 09:30


I don't think you can have such a setup. Since you don't have control over incoming traffic, you can't have a link used only for receiving traffic.

Additionally, you have mentioned that you have got internet connectivity from two ISPs, one wired and another wireless. What you can do is send and receive traffic through both the links if the wireless router supports NAT.

Otherwise, insert an additional router between the 3700 and the wireless router capable of doing NAT.

Have two default routes on 3700. Configure SAA probes to track wireless link, associate it with the default route for wireless link and let each router do NAT individually.

-> Sushil

m-haddad Thu, 04/24/2008 - 13:22


Here is what you can do:

Install the router in front of the Cisco ASA. Terminate the two ISPs on the router and not the ASA. However, you will need one of your ISPs to create a transit subnet with your router and route the public subnet over to your router's transit interface.

On the ASA you can NAT the hosts to whichever subnet you want from both ISPs. The ISPs will provide you with two different public subnets, so you can manage the NAT for internal hosts on whichever subnet you like.

The router will get the traffic from the ASA with public subnets. According to the public IP translated on the ASA, the router can decide on which ISP to send the traffic. Therefore, you configure PBR on the interface terminating to the ASA to route traffic from the ISP1 public subnet to the ISP1 next hop and the ISP2 public subnets to the ISP2 next hop.

Automatic failover is not feasible because the routes to the subnets from the internet are controlled by BGP peering/routing on the ISP sides. However, you will be able to quickly modify the NAT on the ASA, which will direct traffic to the ISP you want.

R1 ----- F0/0: IP from ISP2 transit subnet
 |
 | F0/1: IP from ISP1
 |
Outside Switch
 |
 | E0/0: IP from ISP1
 |
ASA Outside

Default route is R1 F0/1 IP

Hope this helps and appreciate your rating,

Remark: The router should have a static route for the ISP2 public subnet to the ASA for traffic coming back.

Sorry, I am in a hurry, so maybe I am not that clear. It is a complex solution but I have it working for many customers. We keep public services on one ISP and user traffic on another ISP.
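The source-based PBR and return static route described in the post above could look like the following on the 3725. This is an added example, not configuration posted by anyone in the thread. All addresses, the ACL and route-map names, and the location of the ISP1 gateway are constructed assumptions; only the F0/1 interface role comes from the diagram.

```cisco
! Constructed addressing (documentation ranges), not from the thread:
!   ISP1 public subnet : 198.51.100.0/24 (shared with the ASA outside)
!   ISP1 next hop      : 198.51.100.1    (assumed gateway location)
!   ISP2 public subnet : 203.0.113.0/24  (used only as a NAT pool on the ASA)
!   ISP2 next hop      : 192.0.2.1       (far end of the ISP2 transit subnet)
!   ASA outside address: 198.51.100.2
!
! Classify traffic by the public source address the ASA translated it to.
ip access-list extended FROM-ISP1-NAT
 permit ip 198.51.100.0 0.0.0.255 any
ip access-list extended FROM-ISP2-NAT
 permit ip 203.0.113.0 0.0.0.255 any
!
! Send each translated source range to its own ISP's next hop.
route-map ISP-SELECT permit 10
 match ip address FROM-ISP1-NAT
 set ip next-hop 198.51.100.1
route-map ISP-SELECT permit 20
 match ip address FROM-ISP2-NAT
 set ip next-hop 192.0.2.1
!
! Apply the policy inbound on the interface facing the ASA (F0/1 in the diagram).
interface FastEthernet0/1
 ip policy route-map ISP-SELECT
!
! Return path from the post's remark: ISP2 routes its public subnet to the
! router's transit interface, and the router hands it on to the ASA.
ip route 203.0.113.0 255.255.255.0 198.51.100.2
!
! Verify with: show ip policy / show route-map ISP-SELECT
! (the route-map match counters should increase for each source range).
```

Traffic that matches neither ACL falls through the route-map and is forwarded by the normal routing table, so an unexpected NAT range on the ASA will silently follow the default route instead of the intended ISP.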


