A firewall is just a router with fancy ACL stuff on top. It can only use one default route at a time, so if you're using ISP#1 for internet (i.e. that is your default route) then you'd have to put specific routes via ISP#2 in order to use that.
You should be able to ping ISP rtr#2, so if you can't:
is there an ACL on that router?
do the firewalls have an ARP entry for rtr#2?
There is nothing fundamentally wrong with your setup but you must be mindful of the routing. This setup will be fine if, for example, you surf via ISP#1 and use ISP#2 for L2L VPNs, where you can add a route for the peer on the firewalls via ISP#2.
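The routing behaviour this reply describes, as an added example that is not from the original thread: a small longest-prefix-match resolver for a dual-ISP firewall (default route via ISP2, specific routes for VPN peers via ISP1), plus a check that each route's next hop actually lies on a connected subnet, which is one way a "network unreachable" symptom arises even though a default route exists. All addresses, interface names and routes below are constructed.

```python
import ipaddress

# Constructed example (not from the thread): a firewall with two upstream
# links. Addresses are RFC 5737 documentation ranges chosen for illustration.
CONNECTED = {                                # interface -> connected subnet
    "isp1": "203.0.113.0/29",
    "isp2": "198.51.100.0/29",
}
ROUTES = [                                   # (destination, next hop)
    ("0.0.0.0/0", "198.51.100.1"),           # default route via ISP2
    ("192.0.2.0/24", "203.0.113.1"),         # VPN peer block via ISP1
    ("192.0.2.10/32", "203.0.113.1"),        # a single VPN peer via ISP1
]


def lookup(dst, routes=ROUTES):
    """Longest-prefix match. Returns (prefix, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return (str(best[0]), best[1]) if best else None


def egress(dst, routes=ROUTES, connected=CONNECTED):
    """Return (interface, next_hop) for dst, or 'unreachable'.

    A route is only usable when its next hop sits inside a connected subnet;
    otherwise the firewall has no interface on which to ARP for that gateway,
    and a traceroute from behind it reports the destination as unreachable
    even though a default route pointing at that gateway is configured."""
    r = lookup(dst, routes)
    if r is None:
        return "unreachable"
    nh = ipaddress.ip_address(r[1])
    for iface, net in connected.items():
        if nh in ipaddress.ip_network(net):
            return (iface, r[1])
    return "unreachable"


def unresolvable_next_hops(routes=ROUTES, connected=CONNECTED):
    """Audit helper: routes whose next hop is on no connected subnet."""
    nets = [ipaddress.ip_network(n) for n in connected.values()]
    return [(p, nh) for p, nh in routes
            if not any(ipaddress.ip_address(nh) in n for n in nets)]
```

Run `unresolvable_next_hops()` against the real table and interface masks after a firewall swap: an empty list means every gateway is reachable at layer 3, and anything listed is a route the firewall cannot use.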
Yeah, they use ISP 1 for VPNs and ISP 2 for surfing. The default route is via ISP2, and there are statics via ISP1 for the VPNs etc. This setup replaced a single existing FW, yet the VRRP addresses used are the same as the physical addresses were on the existing FW, so any ACLs shouldn't matter. We got the ISP to clear the ARP table on the router after the change but no joy. We copied the routing table from the old FW to the new primary FW, and no IP addresses have changed.
The problem is that all traffic destined for the Internet (via ISP2) drops at the FW. On a traceroute the FW reports that the network (anything out of ISP2) is unreachable. It's as if the FW doesn't have a route to the ISP2 router, although its default route points to it.