Cisco Support Community
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member


Hello Everyone,


I have a need to multihome out two MAN links to the same ISP. The two links will connect via an ISR and will participate in an eBGP adjacency. On the internal side, iBGP will be used to create the alternate default route to the ISP. Each of the ISR’s downstream ports participates on the same Ethernet subnet. On the same subnet/broadcast domain, there are two ASA5510 appliances that will use HSRP to advertise the public IPv4 addresses and will NAT them into the private network.


My question is, since the ASAs do not participate in BGP, and since we are going to NAT the traffic eliminating the need to use a route map to inject the default route into the downstream EIGRP network, would I simply build a static default route in the ASAs out the upsteam interfaces?  My initial thought is to not worry about recursive lookups because they are connected via Ethernet.

ip route fa0/0; and so on.

I’ve attached a simple topology for reference.





Everyone's tags (4)

First of all ASAs do not run

First of all ASAs do not run HSRP. I think you are talking about failover Active/Active which works completely different so make sure u got that first.


I still am not sure about your deployment meaning do not understand what are those L2 switches doing there with the iBGP arrows going to the ASA.

I would say instead of iBGP use EIGRP or OSPF which is actually supported on the ASA, that way you can dynamically switchover whenever needed.






Julio Carvajal
Senior Network Security and Core Specialist
Community Member

Yes Jcarvaja, HSRP is not a

Yes Jcarvaja, HSRP is not a feature on the ASAs, and yes HSRP is difficult to setup natively to support active/active load balancing on any device. That's not really the point though is it. FHRP's are typically used for distribution switches and finely tuned to access layer 2 and layer 3 convergence, unless using GLBP (and even then should be considered). My mistake for using the term HSRP and thank you for pointing it out.


As for the iBGP links, they represent the same subnet as I mentioned. The cat switches are there to facilitate physical restraints as each pair of ISRs and ASAs are two miles apart. Since the ASA's are performing NAT, they don't really participate in the BGP network and there is no need or capability to inject the BGP default route into the EIGRP network. They will participate in the downstream EIGRP network. If the MAN connection on one ISR goes down, then the iBGP route to the Internet will be graduated. I guess I could have indicated on the drawing that these were all a part of the same subnet. 


How do I configure the ASA's static default route? Wouldn't I be able to inject  a static default route in each ASA using the ASA's outside interface when using active/active? If I have to, I could see if we can use EIGRP on the network upstream of the ASAs if there is no other way of doing this, but this is not preferred.


Any help you can provide is greatly appreciated. 


Thank you...Matt

CreatePlease to create content