
ASA/PIX: Load balancing between two ISP - options




Is it possible to load balance between two ISP links?

Presently, it is not possible to load balance traffic between two ISP links on an ASA, because only one default route can be configured on the ASA.


Does the ASA support PBR (Policy Based Routing)?

No, the ASA does not support PBR.


Does the ASA support secondary IP address on interfaces?

No, the ASA does not support secondary IP addresses on interfaces. This is not to be confused with the standby IP address configured on the interfaces for failover configuration.


What other options do we have?

SLA Route Tracking

With this method we can configure both the ISP links on the ASA and use the primary ISP for all outgoing traffic and then the secondary ISP, if the primary fails. Failure of the primary ISP causes a temporary disruption of traffic. Use this configuration for redundancy or backup purposes only.

Refer to this link:

PBR on the router outside the firewall

With this method we can configure both the ISP links on the router outside the firewall.  We can translate some traffic to use Primary ISP provided IP address and the rest of the traffic to use Secondary ISP provided IP address.  Now, based on this source address that hits the router, we can configure the router to do policy based routing and route the traffic either via the Primary ISP or via the Secondary ISP.



Let us assume the requirement as below:

1. We would like all the users' traffic translated to the ISP1-provided address.

2. We would like all the servers' traffic translated to the ISP2-provided address.

3. The router should look at the translated source address and, based on it, set the next-hop address and route the traffic via the appropriate ISP.


ISP1 provided address block is and ISP2 provided address block is These are not routable addresses. For simplicity reasons we are using RFC 1918 address space.


ASA config:

Translation for all users to take ISP 1
nat (inside) 1
global (outside) 1


Translation for web and e-mail servers to take ISP2
static (inside,outside) netmask
static (inside,outside) netmask


route outside 0 0


Router config:

ip access-list ext isp1-addr

permit ip any


ip access-list ext isp2-addr

permit ip any


route-map ISP permit 10

match ip address isp1-addr

set ip next-hop


route-map ISP permit 20

match ip address isp2-addr

set ip next-hop


int f0/0

ip address

ip policy route-map ISP
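
The router-side decision described above, modeled as an added example that is not part of the original document: it checks that every ACL a route-map matches on is actually defined, then reports which next hop a translated source address would be given. The function names are hypothetical, all addresses are RFC 5737 documentation ranges chosen for illustration, and only `permit ip <network> <wildcard> any` entries are parsed.

```python
import ipaddress
import re

# Constructed config (RFC 5737 documentation addresses); second ACL name is mistyped.
SAMPLE_CONFIG = """\
ip access-list ext isp1-addr
 permit ip 192.0.2.0 0.0.0.255 any
ip access-list ext ips2-addr
 permit ip 198.51.100.0 0.0.0.255 any
route-map ISP permit 10
 match ip address isp1-addr
 set ip next-hop 203.0.113.1
route-map ISP permit 20
 match ip address isp2-addr
 set ip next-hop 203.0.113.129
"""

def parse(config):
    """Return ({acl name: [source networks]}, [route-map clauses in sequence order])."""
    acls, clauses, acl, clause = {}, [], None, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"ip access-list ext\S* (\S+)$", line):
            acl = acls.setdefault(m.group(1), [])
        elif (m := re.match(r"permit ip (\S+) (\S+) any$", line)) and acl is not None:
            # IOS wildcard masks are host masks, which ip_network() accepts.
            acl.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif m := re.match(r"route-map \S+ permit (\d+)$", line):
            clauses.append(clause := {"seq": int(m.group(1)), "acl": None, "next_hop": None})
        elif (m := re.match(r"match ip address (\S+)$", line)) and clause:
            clause["acl"] = m.group(1)
        elif (m := re.match(r"set ip next-hop (\S+)$", line)) and clause:
            clause["next_hop"] = m.group(1)
    return acls, sorted(clauses, key=lambda c: c["seq"])

def undefined_acls(config):
    """ACL names that a route-map matches on but that are never defined."""
    acls, clauses = parse(config)
    return [c["acl"] for c in clauses if c["acl"] not in acls]

def next_hop(config, translated_src):
    """Next hop set by policy routing, or None when the normal routing table is used."""
    if missing := undefined_acls(config):
        raise ValueError(f"route-map references undefined ACLs: {missing}")
    acls, clauses = parse(config)
    src = ipaddress.ip_address(translated_src)
    for c in clauses:
        if any(src in net for net in acls[c["acl"]]):
            return c["next_hop"]
    return None
```

A source address that was not translated into either ISP block returns `None`, meaning the packet is not policy-routed and follows the router's ordinary routing table.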


Allowing outbound via ISP1 and inbound via ISP2

Let us take the same example as above. We can use ISP1 for all outbound connections and ISP2 for all inbound connections.


Translation for all outbound connections from users and servers to take ISP 1
nat (inside) 1
global (ISP1) 1

route ISP1 0 0


Here are the translations for inbound connections to the servers:

Translation for web and e-mail servers to take ISP2
static (inside,ISP2) netmask
static (inside,ISP2) netmask


In the previous case, even the outbound connections made by the servers would take the ISP2 path, but in this example outbound connections from the web and e-mail servers will take ISP1. ONLY the INBOUND connections will come through ISP2, and the replies to them will go back out via ISP2.


Allowing internet access via ISP1 and L2L vpn via ISP2

The above example can also be used to allow Internet access, outbound and inbound, via ISP1 with the default route pointing to ISP1, while site-to-site VPN tunnels are terminated on the ISP2 interface by configuring specific routes to reach the peer networks via ISP2.

Multiple context mode

The last option is to use multiple context mode, where we can load balance on a per-context basis. VPN is not supported in this mode, and neither are dynamic routing protocols. Please refer to this link for the limitations:


Context-1 could use ISP1 link and Context-2 could use ISP2 link.




Jitendriya Athavale
Cisco Employee

As mentioned above, we cannot do load balancing on the ASA; however, we can achieve a weird requirement by playing around with the NAT rules.

So if the requirement is such that I want to send all the HTTP and HTTPS traffic through ISP2 and the rest of it through ISP1, we can achieve that. Here is how we do it:

NOTE:     This stuff requires that we KNOW what the destination ports are,
                 if there is some traffic which uses dynamic ports, like voice traffic
                 we will have to route it via ISP1 and cannot make it route via ISP2.

route ISP1 0 0        //Default route pointing to ISP1
route ISP2 0 0 2     //Default route with Metric 2 via ISP2

static (ISP2,inside) tcp 80 80
static (ISP2,inside) tcp 443 443

sysopt noproxyarp inside

nat (inside) 1 0 0
global (ISP1) 1 interface
global (ISP2) 1 interface

That's it! Now all the traffic destined to any address on port 80/443
will be forcibly put on the ISP2 interface and routed from there.

Kureli Sankar
Cisco Employee

This is a hack that may cause problems. The ASA knows lives off the ISP2 interface.

Shuns, for example, may "always" be sent out the ISP2 interface no matter where the IP address lives, due to the fact that these static PAT lines are present.

Marcin Latosiewicz
Cisco Employee

Awesome work Kureli, I'm glad someone wrote it down ;-)


Hi Poonguzhali,

I have read the numerous threads on the support forum about load balancing on the Cisco ASA and have discovered that it cannot be done. I am proposing an alternative solution and wanted to run it past you to ensure that it will work before we go ahead and purchase the kit. The situation is this:

I have two Datacentres, DC1 and DC2, which are connected via a layer 2 link, and all VLANs are spanned to both sites for resiliency. I also have 2 x Cisco ASA 5520 firewalls, one in each DC (active/standby). I was thinking of purchasing two ISR routers and placing these in front of my firewalls; one router in each DC and in front of the firewalls.

The subnet between the ASA firewalls and the routers will be an RFC1918 subnet, eg and I was thinking of running HSRP on the routers and point the default route on ASA firewalls to the HSRP IP address. The routers will have multiple interfaces; one towards the ASA firewalls, another to ISP1 and another to ISP2. The routers will have the public IP addresses assigned to the interfaces relevant to each ISP. The firewall will send all the traffic to the HSRP IP address which will be served by the ACTIVE HSRP address.

What I was thinking was to configure PBR routing on the routers so that outbound traffic to the internet will go via ISP1. The ISP2 link will only be used for inbound VPNs (both remote access and site-to-site VPNs). Again, I was thinking of using PBR to route the VPNs back via ISP2. For my remote access VPNs, I was thinking of having multiple profiles configured on the VPN client so that if ISP2 is down the users can try the second policy via ISP1; I will have IP pools configured on both routers so that users get an IP address assigned to them regardless of which ISP they use.

For my site-to-site VPNs, I am not sure how this will work in the event that ISP2 fails?

Do you think this setup will work, and can you see any issues with this setup? Your input will be greatly appreciated.

lucas restrepo


I have to set up this model, but I have to terminate L2L VPN as well as remote access over two ISP links.

When I try to set up the NAT for the two ISPs to send the traffic to the firewall and I set up port 500 on both links, one of the entries gets deleted and I can only have one. But I don't see how this can be a problem since I am NATing over two different IPs to the same internal IP. Is there any way I can do this, or do I definitely have to do the VPN termination on only one ISP?

And can anyone help me with a basic configuration on how this can be done?

Best regards.



I know it has been a long time since this thread was active, but I am attempting to POC the PBR architecture you have for a customer, but their ASA version is now, of course post 8.3.  I am having issues getting the model to work correctly and since my 2801's PBR counters are not incrementing, I suspect the 8.4.x ASA NAT config is not correct.  Could you post the recommended ASA configuration for your model using the newer ASA object code?



Hi Kureli,


Is it possible to terminate a site 2 site VPN to anything other than the outside interface on the ASAs?


