
Dual ISP without BGP and a firewall

Hey all, first post, so forgive me if I miss something critical.

This has been doing my head in now for a couple of weeks and I'm hoping to bounce it around in here for a bit of assistance.

Basically I have a customer who has two ISP circuits which I plan on plugging into a 2911.  Now I have configured it like this document

This bit I have working fine. 

So here is my topology


Ok so onto the next bit

ISP B was originally plugged into an ASA5510.  So on this I have a whole world of NAT and PAT translations for internal servers.  My external interface on the ASA was the address and I PAT for all internal going outbound.  Static NATs are assigned to the /29.  So my new topology now looks like this.


What I need to know here is how do I get from firewall to router.  If I assign another /32 between fe0 and gi0/0 do I not end up doing double NAT?  The end user also manages the firewall at the moment and I don't want to have to do the translations on the router.  Is this even possible?  I have searched the internet for many many hours now trying to find an example but have failed miserably.

But I only want my existing NAT through ISP B.  I am using Policy Based Routing on these as I have specific traffic I need to go through ISP A.

Appreciate everyone's feedback as I'm now numb trying to find the solution.


I think the only way you'll avoid doing NAT on the router itself is if you can use one of your /29 addresses as the new outbound PAT address on your ASA.  Either way, you're going to have to create a new /30 range between the ASA and the 2911, and the 2911 will need to have routes to your /29 pointing back to the ASA.

If you don't have an extra address, you'll have to do a PAT on the router interface.
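
The layout this reply describes, sketched as an added configuration example that is not from the thread. Every address is a constructed placeholder (10.255.255.0/30 transit, 203.0.113.8/29 standing in for the ISP B /29, 198.51.100.1 for the ISP B gateway, 10.0.0.0/24 inside); the interface names and the ASA 8.3+ NAT syntax are assumptions, and it assumes ISP B routes the /29 to the 2911's WAN address.

```cisco
! ---------- 2911 (no NAT configured on the router) ----------
! Transit /30 toward the ASA outside interface (constructed addresses)
interface GigabitEthernet0/0
 description Transit to ASA outside
 ip address 10.255.255.1 255.255.255.252
 ip policy route-map ASA-VIA-ISP-B
 no shutdown
!
! Return path: the whole ISP B /29 is routed back to the ASA
ip route 203.0.113.8 255.255.255.248 10.255.255.2
!
! Pin anything sourced from the /29 to ISP B, so translated traffic
! never leaves via ISP A with ISP B source addresses
access-list 110 permit ip 203.0.113.8 0.0.0.7 any
route-map ASA-VIA-ISP-B permit 10
 match ip address 110
 set ip next-hop 198.51.100.1
!
! ---------- ASA 5510 (assumed 8.3+ NAT syntax) ----------
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.255.255.2 255.255.255.252
!
route outside 0.0.0.0 0.0.0.0 10.255.255.1
!
! Outbound PAT moves from the old interface address to one address
! taken out of the /29 (here 203.0.113.10, constructed)
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic 203.0.113.10
!
! Existing static NATs to the other /29 addresses stay on the ASA unchanged;
! they are now reached through the router's static route instead of ARP
```

Because the ASA translates everything to /29 addresses, the transit /30 never appears as a source address toward ISP B, so the router needs no NAT; traffic the ASA originates from its own outside interface is the exception.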