Cisco Support Community

ASA redundancy with Internet


I have a cluster of Cisco ASAs, and the exit to the Internet is via two connections (one per FW) with two routers configured in HSRP for redundancy. Currently one of these routers is the active HSRP router, so all outgoing traffic goes through one of these routers.
The default route in each ASA, on the PUBLIC interface, points to the HSRP address of the Internet routers.

We want to change this and make the Internet traffic exit through both routers, so we are going to create another HSRP group on the routers that is active for half of the connections.

If we add two networks that together cover the entire range covered by the default route, and each one exits via a different HSRP address, is this possible?

destination    Netmask    Gateway       Interface
                          HSRPgroup1    PUBLIC
                          HSRPgroup2    PUBLIC

Could I have any problems with this configuration?

Thanks in advance!


ASA redundancy with Internet

Hi Bro

To do this you'll need to run your Cisco FW in ACTIVE/ACTIVE (multiple context) mode. You'll then create 2 contexts, i.e. CONTEXT1 and CONTEXT2. Each of these contexts will have a separate default gateway pointing to Cisco Router1 and Cisco Router2 respectively.

For backup purposes, you could also deploy IP SLA, so that in the event either Cisco Router1 or ISP1 goes down, CONTEXT1 could use Cisco Router2 as the temporary default gateway.

To achieve this, please do ensure that the OUTSIDE interfaces in both contexts and the LAN interfaces of both Cisco Routers are in the same network, assuming the Cisco Switch sitting between both Cisco ASA FWs and both Routers is L2.

P/S: If you think this comment is useful, please do rate them nicely :-)

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department

ASA redundancy with Internet


Thank you very much for your response, but the problem I have is that I want to do load balancing to the Internet while keeping my current configuration of the ASA (active/standby).

To do this I added a second HSRP group on my Internet routers, and I intend that all traffic through the ASA goes to one router or the other, depending on the routes added in the ASA:

destination Netmask Gateway Interface


I know it is not a very common solution, so I wonder if anyone has tried it or knows of any impediment to this configuration working...

ASA redundancy with Internet

Hi Sdurn,

Yes, you can do that. Make sure you configure the backup routes correctly as well. But this will not give 50-50 load balancing anyhow, as we don't have control over that. But you can try it out.

Please do rate for the helpful posts.
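One way to build the design discussed in this thread (two HSRP groups on the Internet routers, the ASA default route split into two halves, each half pointing at a different HSRP address), as an added example that is not from any post in the thread. The interface names, the RFC 5737 documentation addresses 203.0.113.0/24 (LAN between the ASAs and the routers), 198.51.100.1 (ISP-A next hop) and 192.0.2.1 (ISP-B next hop), the HSRP priorities and the SLA/track numbers are all assumptions for illustration. Failure of an ISP is detected on the routers with IP SLA and handled by an HSRP priority decrement, so the ASA itself needs no route tracking: when an ISP fails, its HSRP address simply moves to the other router and the ASA keeps using the same next hop.

```cisco
! ---- Router-A (IOS). Router-B is the mirror image: it tracks 192.0.2.1 via ISP-B,
! ---- uses LAN address 203.0.113.12, priority 90 for group 1 and 110 for group 2,
! ---- and applies "standby 2 track 10 decrement 30".
! Probe ISP-A's next hop; object 10 goes down when the probe fails
ip sla 10
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/0
 frequency 5
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
!
interface GigabitEthernet0/0
 description Uplink to ISP-A
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/1
 description LAN towards the ASA PUBLIC interface
 ip address 203.0.113.11 255.255.255.0
 standby version 2
 ! Group 1: Router-A is normally active; losing ISP-A drops it below Router-B's 90
 standby 1 ip 203.0.113.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 10 decrement 30
 ! Group 2: Router-B is normally active; Router-A only takes over if Router-B fails
 standby 2 ip 203.0.113.2
 standby 2 priority 90
 standby 2 preempt
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1

! ---- ASA (single context, active/standby failover; the config is synced to the standby unit)
! Two routes that together cover the whole default range, one per HSRP address.
! The split is by destination address (0.0.0.0/1 and 128.0.0.0/1), not 50-50 by traffic.
route PUBLIC 0.0.0.0 128.0.0.0 203.0.113.1 1
route PUBLIC 128.0.0.0 128.0.0.0 203.0.113.2 1
```

Two checks before relying on this: confirm with `show standby brief` on both routers that each group's active router changes when its track object goes down (e.g. `show track 10`), and confirm on the ASA with `show route` that both halves are installed. Also remember that the ASA is NATing: if each ISP assigns its own public range, the translated source address must match the ISP the packet leaves through, otherwise return traffic for one half will be dropped upstream.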



ASA redundancy with Internet

Hi Bro

The design that you have in mind doesn't seem right, in my opinion. However, if you still insist on this design, then you can achieve this. This is how you'll do it. Your Cisco ASA will have a default gateway pointing to Router-A, which is connected to ISP-A. Router-A will then have PBR + IP SLA configured. This will ensure certain source network addresses go out to the Internet via ISP-A and some via ISP-B. In the event ISP-B fails, for example, all outgoing network traffic via ISP-B will use ISP-A for the time being, till ISP-B is UP and running. This is ACTIVE/ACTIVE.

Creating 2 HSRP Groups won't do the trick here!!! Of course you could have 2 default gateways pointing to Router-A and Router-B with the same metric to achieve ACTIVE/ACTIVE, but this is not right.

P/S: If you think this comment is useful, please do rate them nicely :-)

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
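The alternative described in the reply above (ASA default route to Router-A only; Router-A policy-routes part of the traffic towards Router-B/ISP-B and falls back to ISP-A when ISP-B is unreachable), as an added example that is not the poster's own configuration. Assumed for illustration: Router-A's LAN address 203.0.113.11 and Router-B's 203.0.113.12 on the segment shared with the ASA, ISP-A next hop 198.51.100.1, ISP-B next hop 192.0.2.1, and 10.0.128.0/17 as the source range to send via ISP-B. The host route for the probe target is what makes the SLA actually test the ISP-B path rather than the default route.

```cisco
! ---- Router-A (IOS): the ASA's only default gateway
! Probe ISP-B's next hop. The /32 static route below forces this probe through
! Router-B, so the track goes down if either Router-B or ISP-B fails.
ip route 192.0.2.1 255.255.255.255 203.0.113.12
ip sla 20
 icmp-echo 192.0.2.1 source-interface GigabitEthernet0/1
 frequency 5
ip sla schedule 20 life forever start-time now
track 20 ip sla 20 reachability
!
! Sources that should leave via ISP-B. The router sees the addresses the ASA
! presents after NAT, so this ACL has to match post-NAT addresses.
ip access-list extended VIA-ISP-B
 permit ip 10.0.128.0 0.0.127.255 any
!
! PBR: send matching traffic to Router-B only while track 20 is up;
! otherwise the packet is routed normally, i.e. via the default route to ISP-A.
route-map SPLIT-EGRESS permit 10
 match ip address VIA-ISP-B
 set ip next-hop verify-availability 203.0.113.12 10 track 20
!
interface GigabitEthernet0/1
 description LAN towards the ASA PUBLIC interface
 ip address 203.0.113.11 255.255.255.0
 ip policy route-map SPLIT-EGRESS
!
interface GigabitEthernet0/0
 description Uplink to ISP-A
 ip address 198.51.100.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1

! ---- ASA: one default route only
route PUBLIC 0.0.0.0 0.0.0.0 203.0.113.11 1
```

Verify with `show route-map SPLIT-EGRESS` (policy-routed packet counters) and `show track 20`; when the track is down, the counters stop increasing and the matching traffic follows the default route to ISP-A. Note that Router-B has no return path back to Router-A for the policy-routed traffic, nor does it need one: replies arrive at whichever ISP the translated source belongs to, so the same NAT caveat applies as with any dual-ISP egress.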