We currently have an ASA5505 and are getting a 2nd ISP (both ISPs will have 20 up/down dedicated fiber).

We need to be able to set up BGP/multi-homing, but I have found that the ASAs do not support this. This is due to the fact that they are more firewalls (with the NAT ability) than a router.

What sort of hardware are we going to require for this functionality? We will require two of them to be able to be configured as a failover pair.

Currently, both of our ASAs have Security+ and are set as a failover pair.

Mark Henderson
  • This is very borderline shopping. We can't tell you which ones are the best value for money or their prices, because we don't know where you are or what sort of a deal you can get, and we're a global site and our local pricing may not reflect yours. I will attempt to remove the shopping portion of the question so it stands a better chance of survival. – Mark Henderson Nov 01 '11 at 22:34
  • Are you multihoming with a single IP block between the providers? Thus you have an AS number and PI address space of suitable size to reduce the chances of being filtered -- a /24 or larger? Or are you planning on using two ISPs, each with a separate public IP block? Makes quite a bit of difference on how to move forward and keep the ASAs. – Weaver Nov 03 '11 at 05:56

2 Answers

You have a few choices. One possibility is just to put two cheap PCs in front of the ASA5505s. One PC would act as your 'border router' to each ISP and run BGP both with the other 'border router' and with that ISP. You would then have your own ISP network coming out of the border routers, which you could connect your firewalls to.

You can use whatever OS or platform for the PCs you are comfortable with. OpenBSD, FreeBSD, Linux, or router-specific distributions all work exceptionally well at 100Mbps or less.

David Schwartz
  • Thanks for the advice! I will look into both routes and get this set up. I know Fedora 15 has a lot of awesome features for this (^_^) – Lbaker101 Nov 02 '11 at 15:39

There is a non-optimal load-sharing solution for your outgoing traffic. You could create four static routes on your ASA: "One for half of the internet addresses out of one ISP, and another for the other half of internet addresses out of the other ISP" (quoting iTom). And a default route with metric 1 to ISP1 and another default route with metric 10 to ISP2.

Then you track these static routes (SLA Monitoring) with an ICMP echo to, for example, (you'll have to connect each ISP to a different interface).

So let's say you have the first half of the internet addresses and the default route with metric 1 pointing to ISP1. Then you track them both on the interface connected to your ISP1 and with that ping to

The same to the other 2 routes... and there you go. When you stop pinging from any of your ISPs, 2 of your routes will be removed from the routing table and you'll start using the default route to cover the missing half of internet addresses.

Or you could simplify the solution using an active/standby solution, so you'll only need two routes, a default with metric 1 and another default with metric 10. Then you track only the first one with a ping to When the ping fails, the default route with metric 1 will be removed from the routing table and you'll start using ISP2.

Adriano P
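The four-route load-sharing setup from the answer above, written out as ASA CLI. This is an added example, not configuration from the answer's author; the interface names, the gateway addresses (203.0.113.1 and 198.51.100.1) and the probe targets (192.0.2.10 and 192.0.2.20) are constructed for the example and must be replaced with your own values. Each tracked route gets its own SLA probe and track object, which works on every ASA release regardless of whether a track may be shared between routes.

```cisco
! Added example: half-and-half static routes with SLA tracking on an ASA.
! Assumed (constructed) addressing:
!   outside1 = ISP1 link, next hop 203.0.113.1
!   outside2 = ISP2 link, next hop 198.51.100.1
!   192.0.2.10 / 192.0.2.20 = placeholder probe hosts; use a stable host that is
!   reachable only through the respective provider, not just the next-hop gateway.
interface Ethernet0/0
 nameif outside1
 security-level 0
 ip address 203.0.113.2 255.255.255.252
interface Ethernet0/1
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.252
!
! ISP1 probes: one per tracked route, each sent out outside1 so only that path is tested.
sla monitor 11
 type echo protocol ipIcmpEcho 192.0.2.10 interface outside1
 num-packets 3
 frequency 10
sla monitor schedule 11 life forever start-time now
sla monitor 12
 type echo protocol ipIcmpEcho 192.0.2.10 interface outside1
 num-packets 3
 frequency 10
sla monitor schedule 12 life forever start-time now
! ISP2 probe, sent out outside2.
sla monitor 21
 type echo protocol ipIcmpEcho 192.0.2.20 interface outside2
 num-packets 3
 frequency 10
sla monitor schedule 21 life forever start-time now
!
track 11 rtr 11 reachability
track 12 rtr 12 reachability
track 21 rtr 21 reachability
!
! Lower half of the Internet (0.0.0.0/1) via ISP1, upper half (128.0.0.0/1) via ISP2.
route outside1 0.0.0.0 128.0.0.0 203.0.113.1 1 track 11
route outside2 128.0.0.0 128.0.0.0 198.51.100.1 1 track 21
! Default routes: metric 1 via ISP1 (tracked), metric 10 via ISP2 (untracked backup).
! ISP1 down: 0/1 and the metric-1 default drop out, the metric-10 default via ISP2 covers both halves.
! ISP2 down: 128/1 drops out, the metric-1 default via ISP1 covers the upper half.
route outside1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 12
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 10
```

Inside-to-outside NAT must exist for both outside interfaces (omitted here), and `show route` together with `show sla monitor operational-state` confirms which routes are installed after a probe fails.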