Cisco Support Community
Community Member

ASA 5510 with 2 Internet connections

Hi There,

We have a ASA 5510 that has 2 internet connections and one inside network connection. It has been configured so that one Internet connection is used for all our Internet Usage and VPN usage.

The second internet connection has been configured purely for one dedicated VPN connection.

On the odd occassion we have had some issues with our main Internet Service Provider and the 1st Internet connection will go down. This means our entire office is unable to access the internet and all the VPN connections on that interface go down as well.

Is there a way to have outbound traffic from our internal network fail over to the 2nd internet connection that we have setup?

I have tried to configure it, but I think the problem may be due to the fact we are using PAT to translate internal addresses to our external address.

Any help would be greatly appreciated.


Re: ASA 5510 with 2 Internet connections

Community Member

Re: ASA 5510 with 2 Internet connections

This is exactly what I am after... though I will need to update my ASA. The article says it requires 7.2(1) or later. We are running 7.0(7). What is the recommendation with upgrading the ASA?

I have read that upgrading to 7.2(x) can cause stability issues and you should only upgrade if you require certain feature or to resolve bugs.

Do we upgrade to the 7.2(1) as this is all we need or do we upgrade to version 8.x??? What are potential problems with upgrading? And how can we minimize the problems?

Re: ASA 5510 with 2 Internet connections

Phillip, indeed , I have as well read may comments,it all depends on your environment as they all differ from one another, you best bet is to have a good solid plan for upgrade and fall back. You do have a justification to upgrade for features needed, so I would suggest the following:

1- Do a search again in forum for ASA code upgrades and look at comments from users that have gone through this process and note their impact in fuctionality if any. I believe this is good resource to collect information .

2- Very important , look into release notes for a particular version. For example version 8.0, look into open CAVEATS usually at the end of the link page, reading the open bugs gives you clues what has not yet been resolved for that particular code and if in fact could impact you in your environment, it is possible that a particular bug does not realy apply to your environment becuase you have yet not implemented that particualr configuration. Usually we all try to aim towards a GD (General Deployment) code which is what we all understand is most stable but not necesarily means you have to be stack in that code waiting for another GD release, in my personal experience I have upgraded our firewall from 7.2 to 8.0(3) long ago and had no issues, and recently upgraded to 8.0(4)when it was first release in August this year.

Release notes

3- AS a good practice precaution -

a-Backup firewall configs in clear text as well as via tftp code.

b-Backup running code and ASDM version code currently running in firewall.

c- Save the output of " show version " to have as reference for all the feature licenses you currently have running as asll as activation keys - good info to have to compare with after upgrade.

d- Ensure that the code you will be using to upgrade also uses correct ASDM version code.

I think with thorough assesment and preparation you can indeed minimize impact.



Community Member

Re: ASA 5510 with 2 Internet connections

Thanks! We have successfully upgraded to 7.2. I have also tested the Link posted about setting up the use of a Backup ISP. It cuts over to the second static route for the Backup ISP fine... but the problem now is NAT. I get translation errors. And when I attempt to create a new NAT rule for the Backup ISP, it will not allow me to, as it says I already have one configured. Any Ideas?

We are using PAT with using the Interface IP on the Primary ISP... and we would like to configure the same on the Backup ISP. Is this actually possible?

CreatePlease to create content