Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

ASA with 2 ISPs

I'm thinking about firewalling off 2 WAN links from 2 ISPs with just one ASA. I'm going to setup second and third interfaces facing the WAN and treat them as if they were individual and just add routing to forward traffic as needed. I know of a setup where you can have redundancy with a fallback ISP but these 2 WAN links are going to be live at the same time. Is there anything I should be aware of, or is there a white paper that has a sample config I can look at?



Re: ASA with 2 ISPs

The ASA supports only 1 Route outside.

If you terminate both links on the ASA

Policy Route is not possible on ASA

Then you have to manually change the outside routes the alternate ISP if your main ISP goes down. 2 DMZ option also will not be possible.

Best option is to terminate both the Links on the Internet Router & do a policy Route on the Interet router.

New Member

Re: ASA with 2 ISPs

That's fine. But say for example I have 2 networks outside, A, and B. I can't set a route on the firewall to direct all traffic destined for network A to go to router A and traffic to network B to go to router B (leaving a default route to go to either one of those routers)?


Re: ASA with 2 ISPs

The ASA is not really designed to do that. Load balancing is not possible with 2 external links. You could do route tracking to failover to second ISP if primary failed.

You could also create 2 routes. Once for half the Internet and 1 for the other half. However, if you where hosting any services (web or mail) if the connection came on 1 ISP but the route on ASA sent it out the other interface the session would not established.

You could setup 1 interface as the default route on the ASA. Setup 1 or 2 routers on the edge of ISP as your gateway (2 w/ HSRP). Load balancing would be at the router level. But because you have 2 separate ISP's and 2 different subnets it becomes more of a challenge. Unless you could get them to advertise each others subnets (not likely) and use BGP to update the ISP. Other wise you would have to configure any NAT you need on the routers not the ASA.

Hope this helps!


CreatePlease to create content