Cisco ASA 5506-X Complete Wan Failover Guide

The situation:
Company XYZ has decided to invest in a new internet connection, this connection should be used as a backup. The new WAN connection has been plugged into interface g0/8 of our 5506-X and we are ready to begin the configuration.

The solution from the CLI:


Go into the interface

Conf t
Int g0/8


Set the interface security to 0 or name it “outside-something” let’s do both

Security-level 0
Nameif outside-backup
Ip address


Create the IP SLA now then track the IP SLA with a track object

Sla monitor 1
Type echo protocol ipicmpecho interface outside
Num-packets 3
Frequency 3
Sla monitor schedule 1 life forever start-time now
Track 1 rtr reachability


Now let’s replace the original route

Route outside track 1
No route outside 1


Now let’s setup NAT for the backup ISP (note this is for the new code ASAs, also if you have a DMZ you should add the nat for that as well)

Nat (inside,outside-backup) after-auto source dynamic any interface


Now let’s configure the backup default route with a high AD

Route outside-backup 254


Test the IP SLA by turning off the interface and by leaving the interface up but making sure there is no way packets can get to When you disconnect or shut the interface you will find the line goes down which removes the route immediately. However in most situations you will find the link up but the ISP having issues. The SLA will take about 3-5 seconds to take effect.


Don’t forget to NAT your webserver as well to the NEW isp (example)

Object network WEBSERVER-PRIV
Nat (inside,outside-backup) static service tcp www www


Nat (inside,outside-backup) static interface service tcp www www



For our WAN ACLs we could use the same ACL from the outside interface, or create a new one. Here’s how to do both (I recommend use the exisiting)

Access-list NEW_WAN_IN extended permit tcp any host eq 80
Access-group NEW_WAN_IN in interface outside-backup


Access-group <OLD ACL NAME> in interface outside-backup


If our new link to the ISP was a /29 or bigger, we could 1:1 or NAT specific ports to hosts on the DMZ or LAN, and the ASA would proxy arp. If our link was a /30 and we were ROUTED a /29 or bigger then even if we were NATing our just Routing those IP s we do NOT need proxy arp on our outside interfaces.