Two ISPs and ASA

Dear guru friends,

I have the following situation. Let me describe it to you:

Two ISPs, coming from two different routers. These routers are connected to a single switch and my ASA is connected to this switch too.

I have to separate some services to go through a specific link and others to go through the other one. The problem is: I have VPNs inside my ASA box, so I cannot use contexts, right?

What could be a solution to this? My two ISPs give me two different CIDR address blocks. Using BGP is ruled out.

I appreciate it!

Re: Two ISPs and ASA

This is achievable.

Do any addresses out of the CIDRs get used on the routers and ASA?

Or is this a different address range entirely?

You can create static translations using the required addresses from the two CIDRs.

As long as on each router you can route the CIDR to the ASA, it is not a problem.

Re: Two ISPs and ASA


They are different CIDRs. I know that I can't put two different default routes in ASA, so how can I handle this? One of the links will be specifically to maintain the site-to-site VPNs (coming from dynamic IP addresses). The other one will be for the DMZ servers and the rest of the network (internal users).


Re: Two ISPs and ASA

Hi, perhaps you could use another router connected to the same switch. This router could be the default gateway for the ASA, so that all outbound/inbound traffic passes between the ASA and this router. You could then use route maps on this router to select which traffic is routed out by one ISP link and which by the other. This will only work for outbound traffic, though.

Just an idea. I hope it helps; please rate it if it does!
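What Fernando's design above could look like on the wire (a customer-owned router as the ASA's single default gateway, with a route map picking the ISP link), combined with Tim's earlier point about static translations taken from each CIDR. This is an added example and is not configuration posted by anyone in this thread. Everything in it is an assumption: the RFC 5737 documentation addresses, the interface names, that each ISP hands off its block as a routed prefix over a /30 link in its own VLAN on the shared switch, and that the ASA runs 8.3 or later (object NAT syntax).

```cisco
! ---- R1: customer router between the two ISP handoffs and the ASA ----
! All addresses are constructed (RFC 5737 ranges) and assumed for this example.
!
! Assumed handoffs (each ISP routes its block to R1's address on its /30 link):
!   ISP A: link 192.0.2.0/30, ISP router 192.0.2.1, block 203.0.113.0/24  (DMZ + users)
!   ISP B: link 192.0.2.4/30, ISP router 192.0.2.5, block 198.51.100.0/24 (VPN)
!
interface GigabitEthernet0/0
 description to ISP A router
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet0/1
 description to ISP B router
 ip address 192.0.2.6 255.255.255.252
!
! Transit /30 to the ASA carved from ISP B's block, so the ASA's own outside
! address (the IPsec endpoint) is a public address that lives on link B.
interface GigabitEthernet0/2
 description to ASA outside (transit /30 from ISP B block)
 ip address 198.51.100.1 255.255.255.252
 ip policy route-map VPN-VIA-ISP-B
!
! Ordinary default route: everything not policy-routed leaves via ISP A.
ip route 0.0.0.0 0.0.0.0 192.0.2.1
! Inbound: ISP A's block (DMZ statics and the user PAT address) is on the ASA.
ip route 203.0.113.0 255.255.255.0 198.51.100.2
!
! PBR: packets the ASA sends from its own outside address (IKE, ESP, NAT-T)
! are forced out via ISP B. Packets from 203.0.113.x do not match and fall
! through to the default route, so DMZ/user traffic stays on ISP A.
ip access-list extended ASA-OUTSIDE-SRC
 permit ip host 198.51.100.2 any
!
route-map VPN-VIA-ISP-B permit 10
 match ip address ASA-OUTSIDE-SRC
 set ip next-hop 192.0.2.5
!
! ---- ASA (8.3+ object NAT syntax assumed): one default route, two blocks ----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.252
!
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! DMZ server published on an ISP A address (static translation).
object network dmz-web
 host 172.16.10.10
 nat (dmz,outside) static 203.0.113.10
!
! Internal users PAT to another ISP A address; their return traffic arrives
! via ISP A because that ISP routes the whole block to R1.
object network inside-users
 subnet 10.1.0.0 255.255.0.0
 nat (inside,outside) dynamic 203.0.113.20
```

Return traffic stays symmetric because the route map keys on the source address each ISP owns: anything sourced from the ASA's 198.51.100.2 (the tunnel endpoint) goes out link B, where the remote peers reached it, and anything sourced from a 203.0.113.x translation takes the default route out link A, where the ISP delivers that block. The ASA keeps its single default route and still terminates the site-to-site VPNs on its outside interface. If link B can go down, consider `set ip next-hop verify-availability` with an IP SLA track on the route map, otherwise the PBR entry keeps pushing VPN traffic into a dead next hop.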

Re: Two ISPs and ASA

Answering to Fernando and Tim,

The two links are from the same ISP, but use different CIDR blocks, so I cannot simply connect them all together (ASA and the two ISPs' routers into the same switch) and just start routing.

Fernando, are you suggesting OER? Would it be this? Can you please go deeper in your explanation? How exactly would the master router's and the ASA's configurations look?

Detail: I have site-to-site VPNs terminating in the ASA, ok?


Re: Two ISPs and ASA


Do you manage the internet routers or not?

I'd be aiming to have:

Two routers and the ASA in the same subnet. Run HSRP between the two routers and a default route to the HSRP address from the ASA.

If you can control the routing on the internet routers then you can specifically control which way you go to the internet (for subnets or ASes).

The other way (internet to you) will work by default as they are two different CIDRs from differing ISPs.

Hopefully the addressing for the CIDRs is not being used to create the segment for the ASA and two routers. Not such an issue but it helps.

You can use routing or policy routes on the two internet routers to direct traffic to the next hop based on your requirements.


Re: Two ISPs and ASA

Hi, Tim,

No, I don't manage the routers. I have no access to them. Could you please send me an example configuration (ASA + master router) of how to do this? I just can't understand how routing works in this case.

P.S.: do not forget: I terminate site-to-site VPNs in my ASA. Is there any problem with doing it?

Thanks in advance!

