Inbound and outbound traffic load balancing and redundancy between two ISPs

Unanswered Question
Dec 17th, 2007

I have two links with different ISPs, and both links (512 Kbps) are terminated on separate Cisco routers (2811). Currently we are using one link, and the other link is new. I want load sharing and redundancy between them. Right now I am not using BGP (the routers are configured in a simple manner). Cost matters to my client here, so I want . My present network scenario is like this:

Internet Ri (ISP1) -- Layer 3 switch (working here as a simple switch) --- firewall 1 (Cisco ASA5510) -- firewall 2 (Cisco ASA5510) --- LAN.

On firewall 1, remote and site-to-site VPN are configured, plus one DMZ.

My LAN is in the 172.16.1.xx series, DMZ in, and after is using for desktop; 192.168.x.x is the management IP.

Right now I have another Internet link (512 Kbps) from a different ISP.

So please advise me how I can do that (load balancing with redundancy). I once tried OER but was not successful due to the IOS image (c2800nm-ipbasek9-mz.124-11.T.bin) and

ISPs can be possible through NAT and ACLs. Or please give me any idea with OER, or any solution. If possible, please also send me a sample configuration.

Paolo Bevilacqua Tue, 12/25/2007 - 07:56


For this, you must use NAT to both providers.

There is no other alternative.

To begin with, configure two static routes on the router that receives traffic. Both routers will have NAT.

Once you have that working, you can add the statements for a faster redundancy (OER), but that is secondary.
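The layout described in this reply, as an added example that is not part of the thread or any poster's configuration: each 2811 translates the LAN range to its own ISP-facing address, and the inside Layer 3 device holds two equal-cost default routes. It assumes NAT has been moved from the ASA to the routers, that FastEthernet0/1 is the inside interface and Serial0/0/0 the ISP link, and that all addresses (10.255.0.0/24 transit, 192.0.2.x, 198.51.100.x, inside device at 10.255.0.254) are constructed placeholders.

```cisco
! Constructed addresses throughout (RFC 5737 / RFC 1918); not the poster's.
! --- R1: 2811 facing ISP1 ---
interface FastEthernet0/1
 description inside transit segment (assumed 10.255.0.0/24)
 ip address 10.255.0.1 255.255.255.0
 ip nat inside
!
interface Serial0/0/0
 description ISP1 link
 ip address 192.0.2.2 255.255.255.252
 ip nat outside
!
! Only the LAN range is translated; nothing else matches the NAT rule.
access-list 10 permit 172.16.1.0 0.0.0.255
ip nat inside source list 10 interface Serial0/0/0 overload
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 172.16.1.0 255.255.255.0 10.255.0.254
!
! --- R2: 2811 facing ISP2 (same shape, its own addresses) ---
interface FastEthernet0/1
 description inside transit segment (assumed 10.255.0.0/24)
 ip address 10.255.0.2 255.255.255.0
 ip nat inside
!
interface Serial0/0/0
 description ISP2 link
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
access-list 10 permit 172.16.1.0 0.0.0.255
ip nat inside source list 10 interface Serial0/0/0 overload
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 172.16.1.0 255.255.255.0 10.255.0.254
!
! --- Inside Layer 3 device (assumed 10.255.0.254) receiving LAN traffic ---
! Two equal-cost defaults; CEF shares load per destination by default.
ip route 0.0.0.0 0.0.0.0 10.255.0.1
ip route 0.0.0.0 0.0.0.0 10.255.0.2
```

The two static defaults on the inside device stay installed when an ISP's serial link fails while that router's Ethernet side is still up, so this gives load sharing only; detecting the failure is the later step the reply calls secondary. Return traffic for each translated flow comes back through the ISP whose address was used, so inbound services remain tied to one provider's addresses.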

sujitkr7cisco Wed, 12/26/2007 - 10:21


But here firewall 1 is the gateway for all of the inside network, and this is a public IP. If you want a sh run or anything else, it's my pleasure; please help me solve this issue, and if you have any document, please provide it.

Thanks and regards,


Paolo Bevilacqua Wed, 12/26/2007 - 10:31


I'm not sure if the ASA can do load balancing, perhaps in version 8; you can ask this in the "security" forum.

The alternative is that you do NAT in both routers, and that would do what you want.

sujitkr7cisco Wed, 12/26/2007 - 11:14


Great, I want to go with you.

This is my old router's config (the one working right now), which is very simple; the other is just like it, only its IPs are changed.


interface FastEthernet0/0
 ip address 59.160.x.x
 ip accounting output-packets
 ip virtual-reassembly
 duplex auto
 speed auto

interface FastEthernet0/1
 ip address 192.168.x.x
 duplex auto
 speed auto

interface Serial0/0/0
 ip address 59.160.x.x
 ip accounting output-packets
 ip virtual-reassembly

ip route Serial0/0/0
ip route 59.160.x.x

And this is my router (both are the same):

21009780 Apr 13 2007 04:05:02 +00:00 c2800nm-ipbasek9-mz.124-11.T.bin
3 1823 Apr 13 2007 04:13:28 +00:00 sdmconfig-2811.cfg
4 4734464 Apr 13 2007 04:13:56 +00:00 sdm.tar
5 833024 Apr 13 2007 04:14:12 +00:00 es.tar
6 1052160 Apr 13 2007 04:14:30 +00:00 common.tar
7 1038 Apr 13 2007 04:14:42 +00:00 home.shtml
8 102400 Apr 13 2007 04:14:54 +00:00 home.tar
9 491213 Apr 13 2007 04:15:12 +00:00 128MB.sdf
10 1684577 Apr 13 2007 04:15:34 +00:00 securedesktop-ios-
11 398305 Apr 13 2007 04:15:52 +00:00 sslclient-win-

33689600 bytes available (30326784 bytes used)

If you want the firewall config, please tell me.

I am waiting for your reply.

Thanks, with regards,


Paolo Bevilacqua Wed, 12/26/2007 - 11:20

Hi, as mentioned before, the only way to load-balance without BGP is using NAT, but you do no NAT on this router.

So either you move the NAT function from the ASA to the router, or configure the ASA for load balancing (not 100% sure it is possible).

sujitkr7cisco Wed, 12/26/2007 - 11:51


If I use BGP on both routers: both ISPs provide me their private AS numbers; they do not provide me a public AS number.

If you help me, I will do this by changing the firewall 1 IP to a private one, and then we may be able to create a VLAN in a switch.

The problem is that this is a live setup.

Please help me achieve this goal; I will give you all the info that is required.

Thanks and regards,


Paolo Bevilacqua Wed, 12/26/2007 - 12:55


The matter with BGP is not the AS only, but the address space that must be routed by both of them. Ask them if they are willing to both announce some address space given to you.

The alternative is to do NAT on the router, but of course that doesn't give redundancy to servers accessed from outside.

If you don't think you can do that, you can hire someone reputable.

