Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

CISCO ASA backup ISP and VPN

we have a two ISP solution, using cisco 5505 and work fine with tracking.

(route outside a.b.c.d 1 track 1)

We have site to site VPN and this use Primary ISP's IP.Now we need to configure the same with ISP2 IP , incase ISP1 is done, we still have VPN Link is up with backup line with ISP2.

Is this possible as destination site is just one IP.

joe Bronze

Re: CISCO ASA backup ISP and VPN

Good evening,

Yes there is a solution for this... what is the device the ASA 5505 is connecting to?

If its another ASA or a IOS router you can make the ASA 5505 a EZVPN client in network extension mode... that way you can connect the ASA to the vpn peer from either ISP 1 or 2 (depending on which one is active per the tracking).

Here is a link that explains this feature

Note: only the ASA 5505's can do EZVPN client

This link should help you get started!



New Member

Re: CISCO ASA backup ISP and VPN

Hi Joe,

Thanks for the reply.Currently i have a site to site vpn establish through ISP 1.But in case of ISP 1 down, i have no VPN through ISP2.

So i need to configure VPN through ISP2 as well.

(In our case we have NATed ipsec traffic requested by remote datacentre)




joe Bronze

Re: CISCO ASA backup ISP and VPN


the ASA 5505 acting as an ezvpn client will establish a "lan-to-lan" tunnel when in "network extension mode" over either ISP 1 or 2 using the active default route to determine the pay to the ipsec peer.

You will need to config the other side as an IPSEC ezvpn server (either a PIX, ASA, or IOS router or VPN 3000 concentrator can do this).

Once the ASA 5505 connects, its private subnet will be learned and the tunnel will come up.

Read through that doc link I posted and let us know if we can be of a help. This weekend I'll have time to give out some sample configs from my security workbook if necessary.


New Member

Re: CISCO ASA backup ISP and VPN

So you mean to say, once we configure L2L using intface "outside" (IP from ISP1), we can also configure the same L2L to fall back with ISP2 for interface "backup"


Is it just apply

isakmp enable outside

crypto map outside_map interface outside


isakmp enable backup

crypto map outside_map interface backup

CreatePlease login to create content