[c-nsp] Dynamic IP VPN clients on a dual-ISP ASA 5505

Frank Bulk frnkblk at iname.com
Mon Feb 15 22:51:17 EST 2010

We have a customer that recently added a second ISP uplink to their ASA 5505
at the hub (headquarters) and would like to migrate some of their spokes
(IPSec) sites to terminate on the new uplink at the hub.  Secondly, they
would like the new uplink to be their hub's primary internet link (using

Their spokes are predominately using SOHO gear on different ISP services
that have dynamic IP addresses, and behind each spoke is a unique private

What Cisco is telling us that if we want to use dual-ISP interfaces that the
spokes cannot use a dynamic WAN IP addresses.  If the spokes have static WAN
IP address it will work -- something with how the VPN session gets setup and
the fact that the default router is for the new uplink, we're told.  But the
client wants to avoid the $10/month charge for a static for each spoke, if
at all possible.

With all the knobs and buttons that the ASA has, I find this a little
surprising.  Does anyone have a similar setup for which they would be
willing to share a configuration snippet?

Here's an abbreviated configuration:

            ASA 5505
             /    \
          ISP #1  ISP #2
            |      |
             |    | 
             |    |
    dynamic IP    dynamic IP
      Remote A    Remote B
192.168.a.0/24    192.168.b.0/24

A bonus would be if HQ could automatically fail over to the other ISP link,

Thanks in advance for any assistance.


Frank Bulk

More information about the cisco-nsp mailing list