How to Configure Dual ISP on Cisco ASA 5505?


This article explains how to configure dual ISPs on a Cisco ASA 5505 firewall for redundancy. Suppose we have a primary high-speed ISP connection and a cheaper DSL line connected to a secondary ISP. Normally all of our traffic should flow through the high-speed primary ISP. If the primary link fails, the secondary DSL connection should be used for Internet access. Please note that this scenario is valid only for outbound traffic (i.e. from our internal network towards the Internet). The configuration below works on the ASA 5505 with software version 7.2(1) and above.

Assume we have been assigned a static public IP address of 150.150.150.2 by the primary ISP and another static public IP address of 160.160.160.2 by our backup ISP. We will use Ethernet 0/0 to connect to the primary ISP, Ethernet 0/1 to connect to our internal LAN, and Ethernet 0/2 to connect to our backup ISP. We will create three VLANs to support this configuration: VLAN1 (the default VLAN) will be assigned to Ethernet 0/1 (inside), VLAN2 will be assigned to Ethernet 0/0 (primary-isp) and VLAN3 will be assigned to Ethernet 0/2 (backup-isp). We also have to configure two static default routes, each pointing to the corresponding ISP gateway address. The primary ISP default route shall have a metric of 1 and the backup ISP default route shall have a metric bigger than 1 (let’s say 2).

Let us see the configuration below:
ASA5505(config)# interface ethernet 0/0
ASA5505(config-if)# switchport access vlan 2
ASA5505(config-if)# no shutdown

ASA5505(config)# interface ethernet 0/1
ASA5505(config-if)# switchport access vlan 1
ASA5505(config-if)# no shutdown

ASA5505(config)# interface ethernet 0/2
ASA5505(config-if)# switchport access vlan 3
ASA5505(config-if)# no shutdown

ASA5505(config)# interface vlan 1
ASA5505(config-if)# nameif inside
ASA5505(config-if)# security-level 100
ASA5505(config-if)# ip address 172.16.1.1 255.255.255.0
ASA5505(config-if)# no shutdown

ASA5505(config)# interface vlan 2
ASA5505(config-if)# nameif primary-isp
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address 150.150.150.2 255.255.255.0
ASA5505(config-if)# backup interface vlan 3
ASA5505(config-if)# no shutdown

ASA5505(config)# interface vlan 3
ASA5505(config-if)# nameif backup-isp
ASA5505(config-if)# security-level 1
ASA5505(config-if)# ip address 160.160.160.2 255.255.255.0
ASA5505(config-if)# no shutdown

ASA5505(config)# route primary-isp 0.0.0.0 0.0.0.0 150.150.150.1 1
ASA5505(config)# route backup-isp 0.0.0.0 0.0.0.0 160.160.160.1 2

Tutorial from https://www.ciscoconsole.com/

More Notes:

A Cisco user’s dual ISP configuration issue on a Cisco ASA, from Cisco’s Support Community:

I am trying to configure dual ISP on my ASA5505 (Security Plus license).  I have everything configured and working when eth0/0 is connected, but when I disconnect it, it doesn’t route any traffic.  The static route for the primary isp is removed and the static route to the backup isp shows up, but no traffic goes in or out.  I should note that I’m doing this as a proof of concept so eth0/0 is connected to a router and eth0/1 is connected to another router.

Here is my show route output when eth0/0 is connected:

Gateway of last resort is 172.16.1.254 to network 0.0.0.0

C    172.16.1.0 255.255.255.0 is directly connected, primaryisp

C    192.168.5.0 255.255.255.0 is directly connected, inside

C    10.10.10.0 255.255.255.0 is directly connected, backupisp

S*   0.0.0.0 0.0.0.0 [1/0] via 172.16.1.254, primaryisp

Here is my show route output when eth0/0 is disconnected:

Gateway of last resort is 10.10.10.254 to network 0.0.0.0

C    192.168.5.0 255.255.255.0 is directly connected, inside

C    10.10.10.0 255.255.255.0 is directly connected, backupisp

S*   0.0.0.0 0.0.0.0 [10/0] via 10.10.10.254, backupisp

Here is my config:

more details
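A monitoring check for the failover behaviour discussed above, as an added example that is not part of the original article or the forum post: it parses `show route` text and reports whether outbound traffic is leaving through the primary or the backup ISP. The function and constant names are hypothetical; the two sample outputs are the ones quoted in the post.

```python
import re

# "S*   0.0.0.0 0.0.0.0 [1/0] via 172.16.1.254, primaryisp"
STATIC_RE = re.compile(
    r"^S\*?\s+(\S+)\s+(\S+)\s+\[(\d+)/(\d+)\]\s+via\s+([\d.]+),\s+(\S+)$")
# "C    172.16.1.0 255.255.255.0 is directly connected, primaryisp"
CONNECTED_RE = re.compile(r"^C\s+\S+\s+\S+\s+is directly connected,\s+(\S+)$")

# Sample inputs: the two 'show route' outputs quoted in the post above.
ROUTES_PRIMARY_UP = """Gateway of last resort is 172.16.1.254 to network 0.0.0.0
C    172.16.1.0 255.255.255.0 is directly connected, primaryisp
C    192.168.5.0 255.255.255.0 is directly connected, inside
C    10.10.10.0 255.255.255.0 is directly connected, backupisp
S*   0.0.0.0 0.0.0.0 [1/0] via 172.16.1.254, primaryisp"""
ROUTES_PRIMARY_DOWN = """Gateway of last resort is 10.10.10.254 to network 0.0.0.0
C    192.168.5.0 255.255.255.0 is directly connected, inside
C    10.10.10.0 255.255.255.0 is directly connected, backupisp
S*   0.0.0.0 0.0.0.0 [10/0] via 10.10.10.254, backupisp"""


def parse_show_route(text):
    """Return (best default route or None, set of connected interface names)."""
    default, connected = None, set()
    for line in text.splitlines():
        line = line.strip()
        m = CONNECTED_RE.match(line)
        if m:
            connected.add(m.group(1))
            continue
        m = STATIC_RE.match(line)
        if m and m.group(1) == "0.0.0.0" and m.group(2) == "0.0.0.0":
            route = {"distance": int(m.group(3)), "gateway": m.group(5),
                     "egress": m.group(6)}
            # If several default routes are listed, the lowest distance wins.
            if default is None or route["distance"] < default["distance"]:
                default = route
    return default, connected


def failover_state(text, primary_if):
    """Classify a snapshot as 'primary', 'failover' or 'no-default-route'."""
    default, connected = parse_show_route(text)
    result = {"primary_link_up": primary_if in connected}
    if default is None:
        result["state"] = "no-default-route"
        return result
    result.update(default)
    result["state"] = "primary" if default["egress"] == primary_if else "failover"
    return result
```

Running `failover_state` on periodically collected output gives an alertable signal for the moment traffic starts leaving through the backup ISP.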
