Showing results for 
Search instead for 
Did you mean: 


ASA 5520 Routing With No ISP CPE

Hello Experts,

I have an interesting situation that I can't find a Cisco supported configuration for. My customer has a pair of 5520's setup in a failover pair and has two internet connections. The primary ISP has an Adtran router onsite, but the backup ISP did not provide a CPE router. I only found this out when I was onsite and needed to get it working otherwise I would have suggested purchasing another router.

I am trying to find out if this would be a supported configuration.

Here are the important parts for the way I got it working to fail over to the backup ISP and still provide outside access to critical applications. I substituted private IP addesses to protect the customer's identity.

interface GigabitEthernet0/0

nameif outside-primary

security-level 0

ip address


interface GigabitEthernet0/1

nameif outside-backup

security-level 0

ip address


object network SVREX2010-PRIMARY

nat (inside,outside-primary) static

object network SVREX2010-BACKUP

nat (inside,outside-backup) static

route outside-primary 1 track 1

route outside-backup 10 track 2

sla monitor 10

type echo protocol ipIcmpEcho interface outside-primary

num-packets 4

frequency 10

sla monitor schedule 10 life forever start-time now

sla monitor 11

type echo protocol ipIcmpEcho interface outside-backup

num-packets 4

frequency 10

sla monitor schedule 11 life forever start-time now


track 1 rtr 10 reachability


track 2 rtr 11 reachability

So as you can see the primary internet is all on the same IP subnet, but the backup NAT object is an IP address on a completely different subnet than the "outside-backup" interface. As a note, this is working perfectly and it is only a temporary situation, but if it would be supported I may end up using this configuration again as a perminent solution.

Thanks much for any advice!



I could not really understand the topology but the configuration will work fine as long as the ISP has a route for poiting to the ASA.

This is possible because the ASA proxy arps for an IP on the NAT even though in not on the same range as the interface.

FYI: this stopped working on 8.4.3 and an enhacement was added to enable it again.

After a command was added to allow this funtion again: 'arp permit-nonconnected'

Enha ID :


I dont see why you created sla monitor 11, you only need to monitor the primary route.





Just to add something to the great answer of Felipe,

If you are going to build UDP connections across the ASA be careful with the fact that when the ASA triggers SLA and you start using the backup interface everything will flow as expected but when the Primary interface comes back and preemption happens the ASA will not torn-down and re-built the connections via the Primary interface and will still use the backup (even when the primary is up).

The UDP session will be rebuilt-using the Primary interface until the connection gets deleted (with UDP that could take a lot)

This will generate issues with UDP traffic so be careful and add the following command

timeout floating-conn xx:xx:xx

This time set on the previous command will be the time the ASA will wait before turn the connection down and rebuilding it with the new Primary interface,



Julio Carvajal
Senior Network Security and Core Specialist
Content for Community-Ad