Internet Backup

Unanswered Question
Jul 18th, 2007

I have a scenario where there are users on two sites with their own internet connectivity. Recently one of the ISPs had a significant outage, and therefore the users lost access.

Is there any way to detect such an outage, and re-route traffic through a WAN link to make use of the alternative internet connection on another site?

The two internet connections are via different service providers, and have PA addresses. I am not and cannot run BGP. There are no incoming services with these links; they are purely used for user access to the internet.

I have attached a simplified diagram, which may assist the explanation.

mark.j.hodge Wed, 07/18/2007 - 04:45

From what I can find on the web, I don't think OER is supported on Cisco PIX firewalls.

Thanks anyway.

spremkumar Wed, 07/18/2007 - 04:26


I feel you can run routing protocol between the locations which can redistribute the default route to the neighbor which can be considered as a secondary route when compared to static pointing via the respective ISP.

Also once the ISP goes off you have the valid secondary route learned via the other location which can be used to go out and reach the external world.

But this is effective when you can do some kind of NATting on both the routers so that you can make use of your local IP pools, which will be convenient while having an internal routing protocol between your locations.


mark.j.hodge Wed, 07/18/2007 - 04:53

Yes, Cisco PIX devices, the provided link looks good, but the example has two internet links to the same firewall/site. I'll read around the subject to see if there is a way to do what I want.

mark.j.hodge Wed, 07/18/2007 - 05:13

The site link is a 100 Mbps Ethernet. At the moment inter-site routing is actually performed by the firewall. I am intending to change that to either a Layer 3 switch, or a router, depending upon requirements for the solution.

acomiskey Wed, 07/18/2007 - 05:16

So both WAN links are connected to the firewall, right? Meaning you could route to the site-to-site router using the Dual ISP feature of the PIX.

mark.j.hodge Wed, 07/18/2007 - 05:01

I understand I would need to implement some form of dynamic routing. The issue as I see it is to inform the router when the link goes down, as the firewall itself has not failed.

As for the natting, that shouldn't be an issue, I would just NAT all inside addresses to the outside interface of the firewall.

acomiskey Wed, 07/18/2007 - 05:11

"I understand I would need to implement some form of dynamic routing."

-Dynamic routing is not needed in the link I posted.

"The issue as I see it is to inform the router when the link goes down, as the firewall itself has not failed."

-The IP SLA process will ping a specified host; when the ping fails, the track will go down. This is how the router is notified.
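
The tracked-route mechanism described in the reply above, sketched as an added IOS configuration example (not taken from the thread or from the linked document). It assumes a router with current `ip sla` syntax (older releases use different keywords) sitting behind the local firewall; every address is a constructed placeholder.

```cisco
! Constructed example: all addresses are placeholders (documentation ranges).
!   10.1.0.1    inside address of the local firewall         (assumed)
!   10.255.0.2  router at the other site, across the WAN link (assumed)
!   192.0.2.10  stable Internet host used as the probe target (assumed)
!
! Probe: ICMP echo every 10 s. Threshold is lowered first because the
! timeout may not be set below it.
ip sla 1
 icmp-echo 192.0.2.10
 threshold 2000
 timeout 2000
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Track object follows the probe. The delays damp flapping: the route is
! withdrawn after 20 s of failure and restored after 60 s of success.
track 1 ip sla 1 reachability
 delay down 20 up 60
!
! Pin the probe target to the local firewall. Without this host route the
! probe would follow the backup default after failover, succeed through the
! other site's ISP, and bring the failed primary route back.
ip route 192.0.2.10 255.255.255.255 10.1.0.1
!
! Primary default route, installed only while track 1 is up.
ip route 0.0.0.0 0.0.0.0 10.1.0.1 track 1
!
! Floating static default via the other site. Administrative distance 250
! keeps it out of the routing table until the tracked route is withdrawn.
ip route 0.0.0.0 0.0.0.0 10.255.0.2 250
```

The firewall in the path has to pass the probe's echo and its reply, otherwise the track stays down permanently. `show track 1` and `show ip route 0.0.0.0` show the track state and which default route is currently installed.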

mark.j.hodge Wed, 07/18/2007 - 05:57

Sorry, I got mixed up with replies.

The diagram I posted is simplified, as there are a number of VLANs on each site, currently routed through the firewall. This is causing a number of management issues, therefore moving the routing onto a Layer 3 switch or similar is in plan.

The Object Tracking solution looks promising, do you know if it is supported on 3560/3750 devices?

acomiskey Wed, 07/18/2007 - 06:00

3560 I know for sure it is not, as I also wanted to run it on there. Object tracking is supported on Cisco 3750 starting with 12.2SE. Why not just put the site-to-site router off of the PIX?

