Small office with dual-ISP (ASA or 871)


Right now, the office has an ASA5505 and a single ISP. That ASA has an IPSec tunnel to another ASA5505 at a remote site. We want to migrate the phone system to a hosted VoIP provider, so we are interested in a second ISP. I understand the ASA5505 does not do PBR or load balancing, but I'm looking for a creative method to have www/vpn traffic go out ISP-A and VoIP traffic go out ISP-B. Should ISP-B be unreachable, all VoIP traffic will roll over to ISP-A. The VoIP traffic is key; the www/vpn traffic does not need to be as reliable.

My thoughts were to use ISP-A as the default gateway, but have two route statements for the VoIP traffic. Assuming the VoIP provider is, I would have:

interface vlan1
 nameif inside
 security-level 100
 ip address
interface vlan2
 nameif isp-a
 security-level 0
 ip address 66.X.X.X
interface vlan3
 nameif isp-b
 security-level 0
 ip address 72.X.X.X

route isp-a 66.X.X.X 1
route isp-b 1
route isp-a 2

I understand I will have to purchase the Security Plus license in order to use 3 VLANs at once, but will the above work?

Would I be better off using an ASA5505 or the 870 Integrated Services Router for this? I know the ASA will serve better as a firewall and VPN endpoint, but which device will handle the dual-ISP situation better, assuming ~20 users?


jasonhumes Mon, 02/23/2009 - 12:36

Active/Active vs Active/Standby is a function of HARDWARE failover, not connection/ISP failover. Just a heads up. Thanks


cuchara61 Tue, 04/21/2009 - 14:17

That config requires Sec+ license. There are several "sales" references to being able to have backup ISP with the base license (see .jpg). Has anyone accomplished this or know where to see sample config? Thanks.

jasonhumes Wed, 04/22/2009 - 04:21

Yes, with the base license, you can have a backup ISP...NOT a load balance, nothing fun like that. But it is very easy to setup a second internet feed to come up in the event the primary drops and then switch back when the primary returns....through the use of SLA and track statements tied to the default route of the primary. Let me know if this is along the right track. Thanks


cuchara61 Wed, 04/22/2009 - 10:46

Yes, that is what I need, but the only examples I can find use a 3rd vlan with a 3rd nameif which I can't do with base license.


jasonhumes Wed, 04/22/2009 - 10:49

Yes, you need to create another nameif, such as backup...and then set 'no forward vlan xx' where xx is your primary nameif interface.

So you'd have inside (vlan1), outside (vlan99), and backup (vlan98), with backup set to 'no forward interface vlan99'. This will allow the inside to talk to both outside and backup, but backup can't talk to outside. This allows for dual ISP, but kills DMZ as per Cisco's intention. Thanks.


jasonhumes Wed, 04/22/2009 - 10:51


interface Vlan1
 description Inside
 nameif inside
 security-level 100
 ip address
interface Vlan98
 no forward interface Vlan99
 nameif backup
 security-level 0
 ip address xx.xx.xx.xx
interface Vlan99
 description Outside
 nameif outside
 security-level 0
 ip address pppoe setroute

global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1
route outside xx.xx.xx.xx track 1
route backup xx.xx.xx.xx 254
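The fragment above references "track 1" but never defines it, and the SLA/track mechanism described earlier in the thread is what actually pulls the primary route when the ISP's upstream dies. The following is an added example, not posted by anyone in this thread and not Cisco's own documentation; it uses the original poster's isp-a/isp-b interface names, the pre-8.3 nat/global syntax the thread uses, and placeholder gateway addresses (66.X.X.1, 72.X.X.1) and a placeholder VoIP provider prefix (203.0.113.0/24) that must be replaced with real values. It also goes beyond the fragment by tracking the VoIP-specific route separately, which is the behaviour the original question asked for.

```cisco
! Added example, not from this thread. All addresses are placeholders.
!
! Probe ISP-A's upstream from the isp-a interface. When three probes in a row
! fail, track 1 goes down and every route carrying "track 1" is withdrawn.
sla monitor 1
 type echo protocol ipIcmpEcho 66.X.X.1 interface isp-a
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
! Same probe for ISP-B so the VoIP route can fall back to ISP-A.
sla monitor 2
 type echo protocol ipIcmpEcho 72.X.X.1 interface isp-b
 num-packets 3
 frequency 10
sla monitor schedule 2 life forever start-time now
track 2 rtr 2 reachability
!
! Default route: ISP-A preferred (metric 1, tracked), ISP-B floating (metric 254).
! The floating route is installed only while the tracked route is absent.
route isp-a 0.0.0.0 0.0.0.0 66.X.X.1 1 track 1
route isp-b 0.0.0.0 0.0.0.0 72.X.X.1 254
!
! VoIP provider prefix (placeholder): ISP-B preferred and tracked, ISP-A fallback.
! Without "track 2" the isp-b route stays active as long as the interface is up,
! even if the ISP's upstream is dead, and VoIP would never roll over.
route isp-b 203.0.113.0 255.255.255.0 72.X.X.1 1 track 2
route isp-a 203.0.113.0 255.255.255.0 66.X.X.1 2
!
! PAT to each outside interface's own address so return traffic arrives on the
! same ISP the flow left on.
global (isp-a) 1 interface
global (isp-b) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
```

To confirm it behaves as intended, watch `show track`, `show sla monitor operational-state` and `show route` while the ISP-B link is unplugged: track 2 should go down, the tracked 203.0.113.0 route should disappear and the metric-2 route via isp-a should appear in its place, then reverse when the link returns.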

cuchara61 Wed, 04/22/2009 - 10:58

Yes, that is the example stated in numerous places, but with a base license you can not have a "nameif backup" as you are not allowed to name a 3rd vlan. The sales lit talks about having a backup ISP using 2 vlans, but I can find no reference anywhere on how.



jasonhumes Wed, 04/22/2009 - 10:59

Yes, you can, but you have to put the no forward command first, then you can nameif it. I do this exact config all over the place and it works 100%. Thanks.

cuchara61 Thu, 05/07/2009 - 11:54

OK, a little while later and I am now able to get the 3 VLANs up, and I can get the default route moved to the new 3rd VLAN - a 2nd DSL install. Problem now is that even though I have left the VPNs on the original DSL and entered static routes, they do not come up. Config is attached. I am trying to get VPNs over "outside" and everything else over "dsl2".

jasonhumes Thu, 05/07/2009 - 12:04

Your nat and global statements are breaking this. Also, depending on the version of code, you may need to add static routes for those private nets, 192.168.5 and 10.11.1 through outside. Thanks.

