
ASA: Dual ISP - Switch DNS servers by active route? Dual VPN access?



This is a follow-up of, which is already marked as solved. The dual ISP setup on my ASA 5505 (SecPlus) is now working, yet there is a problem with the DNS servers and VPN.


Problem 1:

Both ISPs have their own DNS servers, which can only be addressed by using their IP addresses. At the moment I deploy the DNS servers by DHCP to my clients for the main line. If I change the static route to the backup line, the DNS service of the clients fails.

Is there any way to deploy the DNS based upon the active route? I am quite sure that I am not the only one that has that problem, but I can't find an answer... Using Google's DNS servers is also not an attractive option for me.


Problem 2:

Further, there is a problem with my IPSec VPN interface. The primary line has a dynamic IP address, while the backup line has a static IP address. My ASA only responds to the VPN connection on the active route (lowest metric). Is there a way to tell the ASA to accept VPN on both connections?


Config is attached. Thanks for your help!


Jouni Forss
VIP Alumni



I don't think I can give a really specific answer to this, but to my understanding there is no real way to modify the DNS servers the DHCP server provides to the clients. There is a command for DHCP WAN interfaces that automatically applies the DNS servers the ASA gets with DHCP to the actual DHCP service that the ASA provides for the clients. But I am not sure if this will really work with 2 different WAN interfaces, not to mention that you have the other WAN interface statically configured and not using DHCP.


I am wondering if the solution would be to have an internal DNS server that would query information through both WAN links. I am not sure if this is possible since I really don't know much about the IT/Server side.


With regards to your VPN related problem, I think it boils down to the fact that this is "to the box" traffic, so the ASA passes the return traffic through the interface that holds the default route and therefore VPN connections through the secondary WAN link won't work.

Again, as a solution I can only think of one that really would not be ideal. And that is if you could have a NAT capable device in front of the ASA on the secondary WAN link and PAT the VPN related traffic before it reaches the ASA (from the Internet); then the ASA would be able to forward the return traffic towards that PAT address.


The PAT address could either be from the link network between the ASA and the device in front of it (on the secondary WAN link) or, if the PAT address was not from that network, it could be routed on the ASA towards the secondary WAN link. This way you would also not require a default route on the secondary WAN link, just the static route for the single PAT address from where the ASA sees the VPN connections coming from.


- Jouni


Thanks for the answer. Regarding the DNS there are at least some alternatives (public DNS server). Regarding the VPN this would really not be an ideal solution...


Any other ideas?

Rising star

For your Problem 1:

I don't think you can have such a setup based on the active route. You can have the primary DNS server pointed through ISP1 and then the secondary through ISP2. So in case a link fails, the secondary DNS will take care of the connections.


For your problem 2:

In the RA VPN case you cannot do much on the same, because your source traffic can be any and the return response follows the default path....
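The "one DNS server per ISP" arrangement suggested above, written out as an ASA 5505 configuration fragment. This is an added example, not the poster's attached config or anything from the replies; the interface names (outside1, outside2, inside), the documentation-range addresses, and the ISP2 gateway are constructed placeholders. It assumes what the thread states: the primary line (outside1) is DHCP-assigned and carries the default route, the backup line (outside2) has a static address, and the failover between them is already working. The point the example adds is the host route for ISP2's resolver: without it, queries to the secondary DNS server would leave via the default route on ISP1, where a typical ISP resolver refuses queries from non-customer source addresses, and the "secondary takes over" fallback would never actually have a tested path.

```cisco
! --- Backup WAN: static address, gateway known, so a host route is possible ---
interface Vlan3
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.248   ! constructed placeholder
!
! --- Primary WAN: DHCP-assigned address, default route learned from the ISP ---
interface Vlan2
 nameif outside1
 security-level 0
 ip address dhcp setroute
!
! Reach ISP2's resolver through ISP2 regardless of which default route is active.
! ISP1's resolver needs no host route: it is reached via the default route while
! ISP1 is up, and when ISP1 is down clients fall back to the secondary server.
route outside2 198.51.100.53 255.255.255.255 198.51.100.1 1   ! ISP2 DNS via ISP2 gw
!
! Hand both resolvers to the clients: primary = ISP1's, secondary = ISP2's.
! (Alternative for the DHCP-assigned WAN only: "dhcpd auto_config outside1"
!  copies the resolvers the ASA itself received by DHCP into this pool.)
dhcpd dns 203.0.113.53 198.51.100.53
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd lease 3600
dhcpd enable inside
```

After applying this, check the behaviour the thread relies on rather than assuming it: with ISP1 up, `show route` should list the /32 for 198.51.100.53 via outside2 alongside the DHCP-learned default, and a client query sent explicitly to each server should succeed. Then pull ISP1 and confirm that client resolution still works after the resolver timeout; expect a few seconds of delay on first lookups while clients time out against the primary, which is inherent in this design and is why the poster's original wish (switching the advertised DNS with the active route) would have been nicer than a fixed primary/secondary pair.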




Thanks. I already solved it the way you suggested: One DNS server per ISP. The VPN issue I will have to accept it seems...

Thanks for your help.

