Dual ISP config on ASA5505



I have a small business network with an ASA5505 and an ISP with a static IP and VPN. That has worked very well for a long time now. As the speed offered by our ISP is quite low, we decided to buy a consumer product from an ISP that is much faster.

The idea was simple: the ASA should route to the new line ("upc"), as it has a lower metric. An SLA check should ensure that our original line ("outside"), with the higher metric, is used when "upc" goes down. For this I followed the instructions at

However, as soon as I set "upc" to be the route with the lower metric, I do not have internet access. I think that I made a simple mistake in the config, probably some NAT issue?

Port "upc" is connected directly to the ISP's router, as the internet line has a dynamic IP address and the standard gateway changes. The config of this router is:

router ip:
dhcp: - 10.0.0150

Port configuration of "upc" on the ASA is:
gateway ip:

Below is my ASA config (I removed sensitive parts regarding VPN and masked my static IP). I would be glad if you could give me a hint.


ASA Version 8.4(2)
hostname ciscoasa
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 12
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address 178.188.XXX.X
interface Vlan12
 nameif upc
 security-level 0
 ip address
ftp mode passive
clock timezone GMT 0
same-security-traffic permit intra-interface
object network obj-
object network obj-
object network obj_any-01
object network obj_any-03
object-group network obj_any
object-group network NETWORK_OBJ_192.168.1.192_27
access-list Company_SplitTunnel remark Company LAN
access-list Company_SplitTunnel standard permit
access-list inside_nat0_outbound extended permit ip any
access-list inside_nat0_outbound extended permit ip
access-list CompanyTunnelGroup_splitTunnelAcl standard permit
access-list CompanyIPSecProfile_splitTunnelAcl standard permit
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu upc 1500
ip local pool VPNusers mask
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,any) source static any any destination static obj- obj- no-proxy-arp
nat (inside,any) source static obj- obj- destination static obj- obj- no-proxy-arp
object network obj_any-01
 nat (inside,outside) dynamic interface
object network obj_any-03
 nat (inside,upc) dynamic interface
route upc 1
route outside 178.188.XXX.X 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 20608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0

dhcpd dns
dhcpd auto_config outside
dhcpd address inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200


Vasilii Mikhailovskii
Rising star


You are right, your NAT configuration is complex.

I would configure something like:

object network MY_LAN1
 nat (inside,outside) dynamic interface

object network MY_LAN2
 nat (inside,upc) dynamic interface

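The routing, tracking and NAT pieces from the question and the reply, put together as one added example for ASA 8.4 (this is not the original poster's config and not the reply's own text). Everything concrete in it is an assumption made for illustration: the ISP router on "upc" is 10.0.0.1, the ASA's upc address is 10.0.0.2/24, the "outside" next hop is 178.188.XXX.1, the inside LAN is 192.168.1.0/24 and 8.8.8.8 is the reachability target.

```cisco
! Added example, not the poster's config. Addresses below are assumed.
! upc: static address in the ISP router's LAN (the router itself holds the
! changing public address, so the ASA only needs a fixed next hop: 10.0.0.1).
interface Vlan12
 nameif upc
 security-level 0
 ip address 10.0.0.2 255.255.255.0

! Probe an internet host through upc rather than the ISP router itself: if
! the router is up but its WAN side is dead, a ping to the router never fails.
! "interface upc" forces the probe out that interface, so it keeps testing the
! primary line even while the default route has moved to outside.
sla monitor 10
 type echo protocol ipIcmpEcho 8.8.8.8 interface upc
 num-packets 3
 frequency 10
 timeout 1000
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability

! Primary default route via upc, removed from the table while track 1 is down;
! backup default route via outside with a much higher metric.
route upc 0.0.0.0 0.0.0.0 10.0.0.1 1 track 1
route outside 0.0.0.0 0.0.0.0 178.188.XXX.1 254

! In 8.3+ a network object carries one NAT rule, so use one object per egress
! interface, both describing the same LAN. The rule for the interface that
! currently holds the default route is the one that applies.
object network LAN_via_outside
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network LAN_via_upc
 subnet 192.168.1.0 255.255.255.0
 nat (inside,upc) dynamic interface

! Tear down connections whose best route changed. The posted config has this
! at 0:00:00 (disabled); with it disabled, established flows keep using the
! dead interface until they time out on their own.
timeout floating-conn 0:01:00
```

To check which path a packet actually takes, including the NAT rule it hits, run `packet-tracer input inside tcp 192.168.1.10 12345 8.8.8.8 80` and compare the "NAT" and "ROUTE-LOOKUP" phases against `show route`, `show track 1` and `show sla monitor operational-state 10`; after pulling the upc cable, `show track 1` should report the state down and `show route` should show the outside default route only. The VPN in the posted config terminates on outside's static address; after making upc primary, test that remote users still connect, and if they do not, one common fix is a host route for each known peer address via outside so the ASA's replies leave the interface the crypto map is bound to.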