https://community.cisco.com/t5/network-security/active-standby-asa-with-dual-isp-connections/m-p/3048961#M144924 <P>The private addresses are only examples here. Typically you configure your two outside interfaces with the public IPs that you got from your ISP.</P> Wed, 19 Apr 2017 08:21:47 GMT Karsten Iwen 2017-04-19T08:21:47Z https://community.cisco.com/t5/network-security/active-standby-asa-with-dual-isp-connections/m-p/3048960#M144923 <P></P> <P>Hi All,</P> <P></P> <P>I am very confused about the config for the outside switches for active/standby asa with dual ISP connections. The image below is from the&nbsp;firewall and ips design CVD.</P> <P></P> <P>If the ASA's&nbsp;outside interfaces are in the private address range how does one on the internet access the services behind the firewall if the public routable IP is not on the firewalls? How would vpn access work? Or how would you NAT insides services to the public ip's?</P> <P>Does anyone have a sample config for the outside switches?</P> <P>Inside network----(IN)ASA(OUT)----Private_IP---Outside Switches---Public /30 IP---Internet.</P> <P></P> <P><IMG src="https://community.cisco.com/legacyfs/online/media/dual-isp.png" class="migrated-markup-image" /></P> Tue, 12 Mar 2019 09:14:08 GMT https://community.cisco.com/t5/network-security/active-standby-asa-with-dual-isp-connections/m-p/3048960#M144923 Madura Malwatte 2019-03-12T09:14:08Z https://community.cisco.com/t5/network-security/active-standby-asa-with-dual-isp-connections/m-p/3048961#M144924 <P>The private addresses are only examples here. Typically you configure your two outside interfaces with the public IPs that you got from your ISP.</P> Wed, 19 Apr 2017 08:21:47 GMT https://community.cisco.com/t5/network-security/active-standby-asa-with-dual-isp-connections/m-p/3048961#M144924 Karsten Iwen 2017-04-19T08:21:47Z https://community.cisco.com/t5/network-security/active-standby-asa-with-dual-isp-connections/m-p/3048962#M144925 <P>Thanks for replying. So in that case would it be like this:</P> <P>- ASA primary would have 2 public IP's configured. there would not be any standby IP for each of the public IP's because the isp only provides 1 free public ip. I assume this would not affect failover as the standby ASA would get the&nbsp;same public IP used by the primary during failover?</P> <P>- outside switches will be purely L2 for this traffic. Just trunking&nbsp;two vlans (one for each ISP)?</P> <P>- would&nbsp;there be a duplication of the NAT configuration (one for each outside interface)?</P> <P>- is there any good configuration examples which includes what the NAT config would look like for dual ISP and also outside switches?</P> Wed, 19 Apr 2017 15:33:56 GMT https://community.cisco.com/t5/network-security/active-standby-asa-with-dual-isp-connections/m-p/3048962#M144925 Madura Malwatte 2017-04-19T15:33:56Z https://community.cisco.com/t5/network-security/active-standby-asa-with-dual-isp-connections/m-p/3048963#M144926 <P>you are right with your assumptions. You don't need to have standby IPs, although the detection of failover conditions is limited. But that &nbsp;is probably not relevant in your scenario.</P> <P>All NAT has to be duplicated for both interfaces and you need to have a backup default-route with higher&nbsp;AD configured to your secondary ISP.</P> Wed, 19 Apr 2017 15:37:16 GMT https://community.cisco.com/t5/network-security/active-standby-asa-with-dual-isp-connections/m-p/3048963#M144926 Karsten Iwen 2017-04-19T15:37:16Z