Cisco & Cisco Network Hardware News and Technology

Cisco ASA 5505 Dual ISP Backup

January 11, 2013. Written by Cisco & Cisco Router, Network Switch. Published in #Cisco Switches - Cisco Firewall

Many small and medium-sized businesses require backup paths for their Internet connections while keeping costs to a minimum. The Cisco ASA 5505 provides a feature called Dual ISP Backup, where a company uses its main ISP and, in the case of an outage, falls back to a more cost-effective solution such as DSL/Cable Internet. This solution does require a Security Plus license.

 

Let’s assume that a customer is assigned a static public IP address of 100.100.100.100 from their primary ISP and another static public IP address of 200.200.200.200 from their DSL/Cable provider. Ethernet 0/0 will connect to the primary ISP and will be assigned to any VLAN you choose, which in this case will be VLAN2. Ethernet 0/1 will be connected to the customer LAN and will be assigned to VLAN1. Ethernet 0/2 will connect to the DSL/Cable provider and will reside in VLAN3.

ASA5505(config)# interface ethernet 0/0
ASA5505(config-if)# switchport access vlan 2
ASA5505(config-if)# no shutdown

ASA5505(config)# interface ethernet 0/1
ASA5505(config-if)# switchport access vlan 1
ASA5505(config-if)# no shutdown

ASA5505(config)# interface ethernet 0/2
ASA5505(config-if)# switchport access vlan 3
ASA5505(config-if)# no shutdown

ASA5505(config)# interface vlan 1
ASA5505(config-if)# nameif inside
ASA5505(config-if)# security-level 100
ASA5505(config-if)# ip address 192.168.100.1 255.255.255.0
ASA5505(config-if)# no shutdown

ASA5505(config)# interface vlan 2
ASA5505(config-if)# nameif outside
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address 100.100.100.100 255.255.255.0
ASA5505(config-if)# backup interface vlan 3
ASA5505(config-if)# no shutdown

ASA5505(config)# interface vlan 3
ASA5505(config-if)# nameif backupisp
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address 200.200.200.200 255.255.255.0
ASA5505(config-if)# no shutdown

 

Next, we will create our SLA statements which will track the availability of our primary ISP link.  The commands are as follows:

sla monitor 10
type echo protocol ipIcmpEcho 4.2.2.2 interface outside
num-packets 3
frequency 3
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability

 

Each probe sends 3 ICMP echo requests to 4.2.2.2 out the outside interface, and the probe repeats every 3 seconds. A single ICMP reply is enough to keep the primary link online. The sla monitor schedule statement tells the ASA to begin monitoring the primary link immediately and to keep doing so indefinitely. The track 1 statement tells the ASA that track object 1 follows sla monitor 10, using ICMP reachability as the mechanism.

 

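Next, the static default route statements are edited so that the primary ISP route follows the SLA and the DSL/Cable link becomes active if the primary fails. The address after 0.0.0.0 0.0.0.0 in each statement is that provider's gateway, and the trailing 254 on the backup route makes it less preferred than the primary route (1), so it is used only once the tracked primary route has been withdrawn. We do that with the following statements: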

route outside 0.0.0.0 0.0.0.0 69.167.65.177 1 track 1
route backupisp 0.0.0.0 0.0.0.0 216.27.149.1 254

 

You can test the functionality by unplugging the primary ISP link from the ASA.
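
Before pulling the cable, the SLA, track and route statements can be checked offline for the mismatches that silently break failover (an unscheduled monitor, a probe sent out the wrong interface, a missing backup route). The following is an added example, not part of the original article; the function name `lint_failover` and the embedded sample are assumptions constructed from the statements above.

```python
SAMPLE = """\
sla monitor 10
 type echo protocol ipIcmpEcho 4.2.2.2 interface outside
 num-packets 3
 frequency 3
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 69.167.65.177 1 track 1
route backupisp 0.0.0.0 0.0.0.0 216.27.149.1 254
"""  # constructed from the statements in this article

def lint_failover(config):
    """Return a list of problems found in the failover statements."""
    monitors, scheduled, tracks, defaults = {}, set(), {}, []
    current = None
    for w in (l.split() for l in config.splitlines() if l.strip()):
        if w[:3] == ["sla", "monitor", "schedule"] and len(w) > 3:
            scheduled.add(w[3])
        elif w[:2] == ["sla", "monitor"] and len(w) == 3:
            current = w[2]
            monitors[current] = None          # probe interface not seen yet
        elif w[:2] == ["type", "echo"] and current and "interface" in w[:-1]:
            monitors[current] = w[w.index("interface") + 1]
        elif w[0] == "track" and len(w) > 3 and w[2] == "rtr":
            tracks[w[1]] = w[3]               # track id -> sla monitor id
        elif w[0] == "route" and w[2:4] == ["0.0.0.0", "0.0.0.0"]:
            metric = int(w[5]) if len(w) > 5 and w[5].isdigit() else 1
            tid = w[w.index("track") + 1] if "track" in w[:-1] else None
            defaults.append((w[1], metric, tid))
    problems = []
    tracked = [r for r in defaults if r[2]]
    if not tracked:
        problems.append("no default route is tied to a track object")
    for ifname, metric, tid in tracked:
        sla = tracks.get(tid)
        if sla is None:
            problems.append(f"track {tid} is not defined")
        elif sla not in monitors:
            problems.append(f"track {tid} points at undefined sla monitor {sla}")
        else:
            if sla not in scheduled:
                problems.append(f"sla monitor {sla} is never scheduled")
            if monitors[sla] != ifname:
                problems.append(f"sla monitor {sla} does not probe via {ifname}")
        if not any(t is None and m > metric for _, m, t in defaults):
            problems.append(f"no untracked default route with metric above {metric}")
    return problems
```

Feed it the relevant lines of `show running-config`; an empty list means the chain is consistent, not that the ISP links themselves work.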

 

This solution comes in handy for smaller businesses that require redundant Internet connectivity at a low price point. Cisco also has excellent documentation on its website at

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

---Resource from ciscocentral.com.au
