
High-availability over dual WAN connections


One of my remote sites acquires Internet connectivity via a cable modem service. This goes down intermittently, of course. I would like to purchase DSL service from the local telco and configure the edge ASA (currently a 5505) to use the cable modem path normally ... and fall back to the DSL path if necessary.

This seems hard to do. The edge box would need to evaluate the viability of a WAN path using some set of tests ... perhaps pings to a handful of major Internet sites. If all those pings start failing, it would stall for a minute, to give the WAN service provider time to recover ... then cut over to the second path. Cutting to the second path might mean pushing new DNS server addresses to clients (or perhaps the edge box would hand out both sets of DNS servers all the time and rely on the clients to try them all). Once the cable modem provider restored service, the edge box would stall for a while (ten minutes? an hour?) and then cut back.

I'm willing to replace the edge box with something fancier (a bigger ASA or something sold as a router or whatever), although I'd like to stay under 10K (list) for such a replacement.

Is this a solvable problem?


Stuart Kendrick
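
The cutover logic described in the question above, as an added example that is not part of the original thread and is not how the ASA implements route tracking. The names `PathSelector` and `simulate`, the 60-second and 600-second hold timers, and the probe timeline are assumptions constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class PathSelector:
    """Chooses between a primary and a backup WAN path using hold-down timers."""
    fail_hold: float = 60.0       # seconds the primary must stay down before cutover
    restore_hold: float = 600.0   # seconds the primary must stay up before cutback
    active: str = "primary"
    _since: float | None = None   # when the condition arguing for a switch began

    def update(self, now: float, probe_results: list[bool]) -> str:
        """Feed one round of probes sent over the primary path; return the active path."""
        primary_up = any(probe_results)   # down only if every target fails
        # The condition that argues for leaving the currently active path.
        contrary = (not primary_up) if self.active == "primary" else primary_up
        if not contrary:
            self._since = None            # condition cleared: reset the timer
            return self.active
        if self._since is None:
            self._since = now
        hold = self.fail_hold if self.active == "primary" else self.restore_hold
        if now - self._since >= hold:
            self.active = "backup" if self.active == "primary" else "primary"
            self._since = None
        return self.active


def simulate(events, selector=None):
    """events: iterable of (timestamp, [probe results]); returns [(t, active path)]."""
    selector = selector or PathSelector()
    return [(t, selector.update(t, results)) for t, results in events]


# Constructed sample: three probe targets polled over the primary path.
SAMPLE = [
    (0,    [True, True, True]),
    (30,   [False, True, False]),    # partial loss: primary still counts as up
    (60,   [False, False, False]),   # outage begins, fail timer starts
    (90,   [False, False, False]),
    (120,  [False, False, False]),   # 60 s of total failure: cut over
    (150,  [True, True, True]),      # primary returns, restore timer starts
    (450,  [False, False, False]),   # flap: restore timer resets
    (480,  [True, True, True]),
    (1080, [True, True, True]),      # 600 s of stable service: cut back
]

if __name__ == "__main__":
    for t, path in simulate(SAMPLE):
        print(f"t={t:>5}s active={path}")
```
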




You can configure dual ISP on the ASA, but this feature is mainly for outbound connectivity. Still, you can work out the inbound traffic by using IPs from the new WAN link to allow traffic in to your servers. Like you said, you would need some extra work for the DNS.

For the static NAT you could have something like these:

static (inside,OUTSIDE) netmask

static (inside,NEWOUTSIDE) netmask

First you will need to configure the DUAL ISP feature:
I hope this helps.

Turns out I don't need to be concerned with inbound connectivity ... no servers hosted at this site, so the problem is relatively easy.

I see, effectively tracking static routes and failing over to a backup route if the primary becomes unavailable.  The URL you sent doesn't work for me (Forbidden 403), but the following does:



You need to log in first to Cisco's website.

Here is another link:
