Hello,

I'm attempting to research ways to provide ISP redundancy for our network in a datacenter. Currently, we have one L2 hand-off from our ISP that goes into GigabitEthernet0/7 port of the primary firewall (Two ASA 5525-xs in an active/passive config), so this creates a single point of failure. I'd like to order a second ISP connection for backup. I'll more than likely put some switches in front of the ASAs so I can have 1 connection to each firewall from each ISP. My question is regarding this feasibility of this configuration and if I'm on the right track. I looked at doing BGP peering for this , but everywhere I've looked, it seems we are too "small" to do BGP peering since it would require us to have a least a /24 block to advertise, which at the moment I only get a /29 from my primary ISP.

Below I've provided a mock configuration of what the IP SLA would potentially look like on the primary firewall. I understand that IP SLA is more designed for outbound traffic redundancy, but I'm specifically looking to get this to work for inbound services, http/https, smtp, etc. I'll also likely require some DNS manipulation so that in the event ISP 1 goes down, the DNS records would start using records to ISP 2's IP addresses.

One big question I had was regarding my static NAT and object NATs. Is it possible to setup backup NATs that references the public IPs of ISP 2? In my mind, these NAT rules won't be used until there is a failure and we start using ISP 2's IP addresses.

interface GigabitEthernet0/7
nameif outside
security-level 0
ip address 38.x.x.240 255.255.255.242

interface GigabitEthernet0/x
nameif backup-isp
security-level 0
ip address x.x.x.x x.x.x.x

route outside 0.0.0.0. 0.0.0.0 38.x.x.242 1 track 1
route backup 0.0.0.0 0.0.0.0 x.x.x.x 254

sla monitor 123
type echo protocol ipIcmpEcho 38.x.x.241 interface outside
num-packets 3
frequency 10

sla monitor schedule 123 life forever start-time now

track 1 rtr 123 reachability

Any feedback is greatly appreciated.

Thanks,

Kevin