Dual ISP on ASA 5520

Hello everyone,


Is it possible to have a dual ISP connection on a single ASA 5520? Can both be active at the same time, let's say LAN1 uses outside 1 and LAN2 uses outside 2? And can I have two default routes active on the ASA at the same time?


Thanks for your time and consideration


  • Hi,

    As far as using Dual ISP is concerned, that is something that is supported on a Cisco ASA, all you need to do is add an outside2 interface and connect it to the second ISP, and add routes pointing to the second ISP.

    But as far as I know, there is no way to send all traffic from LAN1 out outside1 and LAN2 out outside2, for the simple reason that policy-based routing is not yet supported by Cisco ASA. Static NAT is a known alternative to PBR in specific scenarios on the ASA, but I'm not confident it would work in your case.


    Thank you.

  • As far as I know you can have redundant ISPs ... it means that one will be active and the other will work as backup when the primary fails.

    My recommendation would be to use a router with BGP to balance between the ISP links. If you are using two different ISPs you will need a public AS to achieve that.

    Since ASes are not that easy to get, I recommend load-balancing appliances like Cisco ACE, F5, LinkProof.


  • Not sure about the specific requirements but you may want to consider running multiple mode (contexts).


  • Excluding multiple contexts, you cannot have two default routes active at the same time on the ASA at this moment. Dual ISP on the ASA means you have two default routes configured, one primary with tracking/SLA enabled for reliable availability and one backup which takes over when the SLA goes down. You can however force certain types of traffic, destination-based, to be "routed" over the secondary ISP. This implies you have specific static routes configured for those destinations and static NAT in place. The egress interface selection is a bit different on the ASA, versus IOS, in that if the incoming packet matches an existing XLATE or a static command, the egress interface of the packet is selected without inspecting the routing table, thus forcing packets to exit over certain interfaces. However, once you have forced the packet to go into the backup ISP interface buffer, the ASA still needs a static route configured for the selected destination, so it can find the next hop; otherwise the packet will be dropped.

    Hope this has been useful!
