<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Switch primary and backup ISP roles in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/switch-primary-and-backup-isp-roles/m-p/4046637#M1067816</link>
    <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;To prefer one ISP or the other, you play with the AD (Administrative Distance), not the metrics. If you have NAT enabled, when an ISP fails, to avoid packet loss, use an EEM script to also clear your NAT table; look at the example here:&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118049-config-eem-00.html" target="_blank"&gt;https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118049-config-eem-00.html&lt;/A&gt;&lt;/P&gt;&lt;P&gt;If you have NAT configured on your ASA's outside interface for your public resources, you can leave that as it is, and all traffic in/out for those services would go out that ISP. If you want your users' traffic (Internet access) to go via the second ISP, you make your default route prefer the second ISP and configure NAT for your users out that interface.&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Cristian Matei.&lt;/P&gt;</description>
    <pubDate>Mon, 16 Mar 2020 14:48:41 GMT</pubDate>
    <dc:creator>Cristian Matei</dc:creator>
    <dc:date>2020-03-16T14:48:41Z</dc:date>
    <item>
      <title>Switch primary and backup ISP roles</title>
      <link>https://community.cisco.com/t5/network-security/switch-primary-and-backup-isp-roles/m-p/4046593#M1067814</link>
      <description>&lt;P&gt;I recently set up a backup/fail-over ISP using this guide: &lt;A href="https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html" target="_blank" rel="noopener"&gt;https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html&lt;/A&gt;&lt;/P&gt;&lt;P&gt;We now want to switch over to the backup ISP as the primary for all outgoing internet traffic. However, we currently have several NATs set up for outside connections coming in over the current primary ISP; we would like to leave this setup as is so we don't have to re-address anything on the outside.&lt;/P&gt;&lt;P&gt;What's the easiest way to accomplish this? Is it as simple as changing the metrics in the routing table to make the secondary ISP the primary route and vice versa?&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Mon, 16 Mar 2020 13:49:11 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/switch-primary-and-backup-isp-roles/m-p/4046593#M1067814</guid>
      <dc:creator>tim829</dc:creator>
      <dc:date>2020-03-16T13:49:11Z</dc:date>
    </item>
    <item>
      <title>Re: Switch primary and backup ISP roles</title>
      <link>https://community.cisco.com/t5/network-security/switch-primary-and-backup-isp-roles/m-p/4046637#M1067816</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;To prefer one ISP or the other, you play with the AD (Administrative Distance), not the metrics. If you have NAT enabled, when an ISP fails, to avoid packet loss, use an EEM script to also clear your NAT table; look at the example here:&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118049-config-eem-00.html" target="_blank"&gt;https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118049-config-eem-00.html&lt;/A&gt;&lt;/P&gt;&lt;P&gt;If you have NAT configured on your ASA's outside interface for your public resources, you can leave that as it is, and all traffic in/out for those services would go out that ISP. If you want your users' traffic (Internet access) to go via the second ISP, you make your default route prefer the second ISP and configure NAT for your users out that interface.&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Cristian Matei.&lt;/P&gt;</description>
      <pubDate>Mon, 16 Mar 2020 14:48:41 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/switch-primary-and-backup-isp-roles/m-p/4046637#M1067816</guid>
      <dc:creator>Cristian Matei</dc:creator>
      <dc:date>2020-03-16T14:48:41Z</dc:date>
    </item>
    <item>
      <title>Re: Switch primary and backup ISP roles</title>
      <link>https://community.cisco.com/t5/network-security/switch-primary-and-backup-isp-roles/m-p/4046648#M1067818</link>
      <description>&lt;P&gt;It's hard if you have static NAT pointing outside to inside. If you rely on DNS, then you have the new ISP public IP also in your public managed DNS to load-balance.&lt;/P&gt;
&lt;P&gt;For outgoing, you can do it with IP SLA tracking and failover, and clear the NAT table also.&lt;/P&gt;
&lt;P&gt;Good discussion here:&lt;/P&gt;
&lt;P&gt;&lt;A href="https://community.cisco.com/t5/routing/nat-timeout-for-failover-w-dual-isps/td-p/2442121" target="_blank"&gt;https://community.cisco.com/t5/routing/nat-timeout-for-failover-w-dual-isps/td-p/2442121&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 16 Mar 2020 14:55:48 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/switch-primary-and-backup-isp-roles/m-p/4046648#M1067818</guid>
      <dc:creator>balaji.bandi</dc:creator>
      <dc:date>2020-03-16T14:55:48Z</dc:date>
    </item>
    <item>
      <title>Re: Switch primary and backup ISP roles</title>
      <link>https://community.cisco.com/t5/network-security/switch-primary-and-backup-isp-roles/m-p/4046701#M1067821</link>
      <description>&lt;P&gt;It just seems like it should be an easy change to accomplish this. The main NAT that's currently being utilized is a VPN server that hosts 40-50 connections. Of course, on the client end it's pointing to the outside IP (not DNS) of ISP1. That's why we thought it would be easier to just leave that setup the way it is and then just force all internal internet traffic out over ISP2. It would be time consuming to change the IPs on all those VPN computers to the new ISP2 IP address.&lt;/P&gt;</description>
      <pubDate>Mon, 16 Mar 2020 15:53:04 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/switch-primary-and-backup-isp-roles/m-p/4046701#M1067821</guid>
      <dc:creator>tim829</dc:creator>
      <dc:date>2020-03-16T15:53:04Z</dc:date>
    </item>
    <item>
      <title>Re: Switch primary and backup ISP roles</title>
      <link>https://community.cisco.com/t5/network-security/switch-primary-and-backup-isp-roles/m-p/4046725#M1067822</link>
      <description>&lt;P&gt;Another option if you would like to use the other ISP: you can also use PBR to route other traffic you would like to use ISP 2.&lt;/P&gt;</description>
      <pubDate>Mon, 16 Mar 2020 16:30:32 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/switch-primary-and-backup-isp-roles/m-p/4046725#M1067822</guid>
      <dc:creator>balaji.bandi</dc:creator>
      <dc:date>2020-03-16T16:30:32Z</dc:date>
    </item>
  </channel>
</rss>

