Dual ISPs on ASA
Starting from version 7.2(1), the Cisco ASA 5500 series firewall supports a dual-ISP setup. You connect two interfaces of the firewall to two different ISPs and use the SLA Monitor feature (SLA = Service Level Agreement) to monitor the path through the primary ISP; if the probe fails, the default route is switched to the backup ISP. This is an active/backup arrangement for failover, not load sharing across the two links.
Assume that the primary ISP (ISP-1) has assigned us the public IP address 100.100.100.1 with gateway 100.100.100.2, and the backup ISP (ISP-2) has assigned us the public IP 188.8.131.52 with gateway 184.108.40.206. Normally all traffic should flow through ISP-1, but if the physical link (or the route) to that ISP fails, traffic should be redirected to the backup ISP. We configure an SLA monitor that sends an ICMP echo request every 10 seconds to the primary gateway IP address (100.100.100.2). If no reply arrives within 3000 milliseconds (3 seconds), the tracked object goes down, the primary default route is withdrawn from the routing table and the backup default route takes over. One caveat: pinging the ISP's own gateway only detects a failure of the first hop. If the gateway keeps answering while the ISP's upstream is broken, no failover happens; tracking a host further upstream (with a host route for it via the primary gateway, so the probe does not follow the default route after failover) avoids that. The configuration is shown below:
asa5500(config)# sla monitor 100
asa5500(config-sla-monitor)# type echo protocol ipIcmpEcho 100.100.100.2 interface outside
asa5500(config-sla-monitor-echo)# timeout 3000
asa5500(config-sla-monitor-echo)# frequency 10
asa5500(config)# sla monitor schedule 100 life forever start-time now
asa5500(config)# track 1 rtr 100 reachability
asa5500(config)# route outside 0.0.0.0 0.0.0.0 100.100.100.2 1 track 1
asa5500(config)# route backup-isp 0.0.0.0 0.0.0.0 184.108.40.206 254
The configuration above assumes that the two interfaces connected to the ISPs are already configured: the first named 'outside' (security level 0) and the second named 'backup-isp' (security level 1). The metric of 254 keeps the backup default route out of the routing table for as long as the tracked primary route (metric 1) is installed. Note also that failover moves only the default route; inside hosts still need a NAT translation on the backup interface, and connections established through ISP-1 are not migrated but have to be re-established through ISP-2.
To check the current SLA state:
show sla monitor operational-state
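The following is an added, complete example that is not part of the original article. It extends the configuration above in two ways a practitioner usually needs: the probe tracks a host beyond the primary ISP's gateway instead of the gateway itself, with a host route pinning the probe to ISP-1, and NAT is defined for both egress interfaces. It assumes the 'outside' and 'backup-isp' interfaces already exist, an inside interface named 'inside' with the network 192.168.1.0/24 (assumed), ASA 8.3 or later NAT syntax, and 198.51.100.1 (an RFC 5737 documentation address) as a placeholder for a reliably reachable host upstream of ISP-1. The gateway addresses are those used in the text above.

```cisco
! Added example (not the original article's configuration).
! Assumptions: interfaces 'inside', 'outside' and 'backup-isp' already exist,
! inside network 192.168.1.0/24, ASA 8.3+ NAT syntax, and 198.51.100.1 as a
! placeholder for a host beyond the primary ISP's gateway.

! Host route so the probe always leaves via ISP-1, even after the default
! route has moved to ISP-2. Without it a probe answered via the backup path
! would bring the primary route back and the two routes would flap.
route outside 198.51.100.1 255.255.255.255 100.100.100.2 1

! Probe: 3 ICMP echoes every 10 seconds, 3 s timeout per probe.
sla monitor 100
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside
 num-packets 3
 timeout 3000
 frequency 10
sla monitor schedule 100 life forever start-time now

! Track object 1 follows the reachability result of SLA 100.
track 1 rtr 100 reachability

! Primary default route stays installed only while track 1 is up;
! the metric-254 route takes over when it is withdrawn.
route outside 0.0.0.0 0.0.0.0 100.100.100.2 1 track 1
route backup-isp 0.0.0.0 0.0.0.0 184.108.40.206 254

! PAT behind whichever interface is the current egress. Without the
! second statement inside hosts lose Internet access after failover,
! because no translation exists for traffic leaving via backup-isp.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source dynamic INSIDE-NET interface
nat (inside,backup-isp) source dynamic INSIDE-NET interface

! Verification
show sla monitor configuration 100
show sla monitor operational-state 100
show track 1
show route
```

After applying it, 'show track 1' should report the reachability as Up and 'show route' should list the default route via 100.100.100.2; pulling the ISP-1 link (or blackholing 198.51.100.1 upstream) should within roughly one probe interval plus the timeout flip 'show track 1' to Down and replace the default route with the one via 184.108.40.206. Choose the tracked target carefully: it must be something that answers ICMP consistently and that is only reachable through ISP-1 via the host route, otherwise the probe reflects the wrong path.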