Cisco – Dual ASA5510 with dual ISP failover

Assuming a single context active/passive failover configuration with the ASAs connecting to the 2911s on unique subnets, you could trunk the links using two subinterfaces and vlan tagging. But the hack is to not have both subinterfaces active at the same time on a single ASA. On the ASA on the left assuming it's active, the first subint would be alive and the second down. After a failover event, the ASA on the right becomes active, and the first subint goes down and the second subint comes up.

Ideally, the ASAs share a common subnet with the LAN side of the 2911s precluding this hack; a L2 switch can sit between the ASAs and provide connectivity from any ASA to any 2911.

Only the relevant subinterfaces' config shown.

ASA

interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.10
 vlan 10
 nameif Outside-ISP1
 security-level 0
 ip address 1.1.1.254 255.255.255.0
!
interface GigabitEthernet0/0.11
 vlan 11
 nameif Outside-ISP2
 security-level 0
 ip address 2.1.1.254 255.255.255.0

route Outside-ISP1 0.0.0.0 0.0.0.0 1.1.1.1 1
route Outside-ISP2 0.0.0.0 0.0.0.0 2.1.1.2 1

2911-ISP1

interface GigabitEthernet0/1
 description LAN
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.10
 description LAN-ISP1
 encapsulation dot1Q 10
 ip vrf forwarding vpn
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1.11
 description LAN-ISP2
 encapsulation dot1Q 11
 ip address 2.1.1.1 255.255.255.0
 shutdown

2911-ISP2

interface GigabitEthernet0/1
 description LAN
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.10
 description LAN-ISP1
 encapsulation dot1Q 10
 ip address 1.1.1.2 255.255.255.0
 shutdown
!
interface GigabitEthernet0/1.11
 description LAN-ISP2
 encapsulation dot1Q 11
 ip address 2.1.1.2 255.255.255.0