How to direct 2 subnetworks to 2 different ISPs



With an ASA 5505, I would like to guide a subnetwork to an ISP and another subnetwork to the other ISP.

I have 2 different ISPs.

My major problem is the metric.

I tried with access-list command to force the way out, but it seems that "metric" is stronger than "access-list".

I don't know how to manage such a lab. Is that possible with an ASA 5505 appliance?

Thanks for your next reply.


One more piece of information about the ASA 5505: it has a "Security Plus license".


As Jon Marshall wrote in his post about ASA limitations, is it because the ASA does not support ISP load balancing that I did not manage to achieve my lab?

I guess yes.


Could you please provide the version of ASA that you are running? I am not able to remember the thread, but I was able to provide a test config and it worked, so I would like you to kindly provide me the exact requirements and the version you are using.



Varun Rao

Thanks for your reply!

Below is the sh ver command result.

About my lab, I have 2 hosts in my LAN => P1 and P2

ip address P1 : GW

ip address P2 : GW

GW is the inside interface of ASA 5505.

I have 2 different ISPs (ISP 1 and ISP 2).

Each ISP has a specific Ethernet port on the ASA (no trunk).

Each host has a specific NAT rule to go outside.

I would like P1 to go outside via ISP 1 and P2 to go outside via ISP 2.

I hope that is clear enough. Ask for more detail.

ASA-5505# sh ver

Cisco Adaptive Security Appliance Software Version 8.3(1)
Device Manager Version 6.3(1)

Compiled on Thu 04-Mar-10 16:56 by builders
System image file is "disk0:/asa831-k8.bin"
Config file at boot was "startup-config"

ASA-5505 up 14 days 0 hours

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
0: Int: Internal-Data0/0    : address is 503d.e5e5.6308, irq 11
1: Ext: Ethernet0/0         : address is 503d.e5e5.6300, irq 255
2: Ext: Ethernet0/1         : address is 503d.e5e5.6301, irq 255
3: Ext: Ethernet0/2         : address is 503d.e5e5.6302, irq 255
4: Ext: Ethernet0/3         : address is 503d.e5e5.6303, irq 255
5: Ext: Ethernet0/4         : address is 503d.e5e5.6304, irq 255
6: Ext: Ethernet0/5         : address is 503d.e5e5.6305, irq 255
7: Ext: Ethernet0/6         : address is 503d.e5e5.6306, irq 255
8: Ext: Ethernet0/7         : address is 503d.e5e5.6307, irq 255
9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces    : 8              perpetual
VLANs                          : 20             DMZ Unrestricted
Dual ISPs                      : Enabled        perpetual
VLAN Trunk Ports               : 8              perpetual
Inside Hosts                   : Unlimited      perpetual
Failover                       : Active/Standby perpetual
VPN-DES                        : Enabled        perpetual
VPN-3DES-AES                   : Enabled        perpetual
SSL VPN Peers                  : 2              perpetual
Total VPN Peers                : 25             perpetual
Shared License                 : Disabled       perpetual
AnyConnect for Mobile          : Disabled       perpetual
AnyConnect for Cisco VPN Phone : Disabled       perpetual
AnyConnect Essentials          : Disabled       perpetual
Advanced Endpoint Assessment   : Disabled       perpetual
UC Phone Proxy Sessions        : 2              perpetual
Total UC Proxy Sessions        : 2              perpetual
Botnet Traffic Filter          : Disabled       perpetual
Intercompany Media Engine      : Disabled       perpetual

This platform has an ASA 5505 Security Plus license.

I have read a lot about ASA models over the last 2 days.

If the ASA 5505 (Security Plus license) is not able to manage 2 simultaneous ISPs, which Cisco appliance is able to do this?

I also had a problem creating sub-interfaces on the ASA 5505, but now it's over:

"An ASA 5505 uses switchports, VLAN interfaces, and switch-like commands (such as "switchport access vlan x").

Other ASAs use subinterfaces, which are then trunked to switches. They use dot1q and are assigned to their VLANs using the command "vlan x" in subinterface mode."

Have a nice day ++

It's not really what I want, but it's the only thing I found about my issue.

Hi Loic,

Indeed, that's the only thing you can do with the dual ISP. The ASA cannot do load balancing, but you can use the second ISP as a backup connection.
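
The backup arrangement mentioned in the reply above, sketched as an added example that is not part of the thread or any poster's configuration. It assumes interface names "outside" (ISP 1) and "backup" (ISP 2), and every address is a documentation placeholder.

```cisco
! Added example, not from the thread. Assumed names: interfaces "outside"
! (ISP 1) and "backup" (ISP 2); all addresses are placeholders.
!
! Probe a host reached through ISP 1 every 10 seconds.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
!
! Track object 1 stays up while the probe receives replies.
track 1 rtr 1 reachability
!
! Primary default route (metric 1), installed only while track 1 is up.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
!
! Floating default route through ISP 2 (metric 254). It takes over
! when the tracked primary route is withdrawn.
route backup 0.0.0.0 0.0.0.0 192.0.2.1 254
```

`show track` and `show route` show which default route is currently installed.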



Hi Adam,

Thank you for your reply.

Which Cisco appliance can support load balancing? I just looked but did not find an answer.

Have a nice day,


