Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
643
Views
3
Helpful
4
Replies

Multiple ISP LINK

wasiimcisco
Level 1
Level 1

‎02-09-2008 01:46 PM - edited ‎03-03-2019 08:38 PM

have two router with two different ISP links. They have both different global IP addresses.

Both connected with Layer 3 switch in different VLANs. my lan 172.28.92.x subnet translated by pix into x.x.x.38 and pix send it to layer 3 switch.

I have applied the Policy base routing on Layer 3 switch. Now when switch get the IP of x.x.x.38 subnet it send to ISP B router.

rest all traffic goes to ISP A.

But now problem is that this happens when traffic from subnet x.x.x.38 goes outside. It is still coming via ISP A router. Bcz x.x.x.38 subnet belongs

to ISP A global address pool.

Then I apply the nat on ISP B router and when B router gets traffic from source x.x.x.38, it nat it into x.219.212.211 which is the global IP address

assigned by the ISP B.

I can see the nat translation that x.x.x.38 is translating into x.x.219.212.211. and getting back from Internet and coverting back to x.x.x.38.

But when i applied a Access-list on ISP A router outside interface

access-list 101 deny ip any host x.x.x.38

access-list 101 permit ip any any

I all internet browsing stop working. Means still it is using the returing path via ISP A. Though I nat x.x.x.38 source into ISP B IP address x.219.212.211.

Why it is happening. Over the internet x.219.212.211 belong to ISP B. It should comes into my network via ISP B not ISP A.

Can anyone help me to sort out this problem. I will b very greatful to you.

I have also atatached the network diagram for your kind review.

Is there anyway to check which return path my outgoing traffic use on its arrival.

Labels:
Preview file
27 KB
0 Helpful
4 Replies 4

aijaz802
Level 1
Level 1

‎02-10-2008 01:23 AM

Hi,

I suggest the following steps to troubleshoot and to get more information.

1.Traceroute from any remote sites (ex: www.nwtools.com) to ISP A & B address pools and verify whether they r taking the correct path.

2. In the first place why dont you use the ISP B ip address for natting at pix instead of x.x.x.38 (which is ISP A IP). In this case u dont need to do multiple translations.

3. Check with ISPs A & B whats their routing information w.r.t your public ip segment which alloted to u by them.

4. Are u using static or dynamic routing protocols on ur routers?

Rate if it helps..

Regards

*aijaz*

wasiimcisco
Level 1
Level 1
In response to aijaz802

‎02-10-2008 12:23 PM

Thanks for the reply,

I did trace route for both ISP IP and they came out exact to their desired ISP.

But when I applied the deny Access-list for x.219.212.212 on my ISP A router. Everything stop working.

Remember x.219.212.212 which is used for NAT on ISP B router for IP x.x.x.38

Then I changed the configuration and only nat on the pix firewall for ISP B provided global address pool.

My test client goes out and even after applying the deny acl on ISP A router didnt get hitcount and nothing stop there.

Trace route came out via ISP B. What do u think did i achieve what i wanted to have.

I am not using any dynamic protocol. only static routes are avaialble and i dont wana use dynamic protocol.

Kindly guide me,

0 Helpful

aijaz802
Level 1
Level 1
In response to wasiimcisco

‎02-10-2008 10:55 PM

Hi Wasiim,

I think the problem is not as simple as I thought. Somewhere something is missing.

Would you post the pix nat configuration lines incl in/out interface IPs, and Routers configurations.

I hope that x.x.x.38 is not the pix outside interface IP?

Regards,

*aijaz*

0 Helpful

wasiimcisco
Level 1
Level 1
In response to aijaz802

‎02-11-2008 05:11 AM

Dear aijaz

Today I have changed the configuration. I just did the static on pix firewall for my test computer.

static (edn,outside) 193.x.x.220 172.28.92.72 netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0 41.x.x.34 1

firewall is connected with layer 3 switch on which I have applied the Route Map.

SWITCH CONFIGURATION

access-list 105 permit ip host 193.x.x.220 any

route-map PBR permit 10

match ip address 105

set ip next-hop 193.x.x.217

interface Vlan1

ip address 41.x.x.34 255.255.255.224

ip policy route-map PBR

interface Vlan333

ip address 193.x.x.218 255.255.255.248 (Connected with ISP B router inside interface)

ip classless

ip route 0.0.0.0 0.0.0.0 41.x.x.33(ISP A INTERNET ROUTER)

ip route 193.x.x.220 255.255.255.255 41.x.x.35( Pix outside towards VLAN 1)

ISP B Router Configuration:

ip route 0.0.0.0 0.0.0.0 193.x.x.209

GigabitEthernet0/0 193.x.x.210/29 Connected with Internet.

GigabitEthernet0/1 193.x.x.217/29 Connected with layer 3 switch.

ISP A Internet Router

BZV-TD-3825-01#sh access-lists 103

Extended IP access list 103

10 deny ip host 193.x.x.220 any (55 matches)

20 permit ip any any (172382 matches)

I have applied an access-list on inside Interface of ISP A router for my test natted IP address of 193.x.x.220.

I am able to browse the internet but still I am getting hit count on it. Means Layer III switch is still sending the traffic towards it, that is y I m getting hitcount on my access-list.

Why it is so, Why switch sending me there though policy is saying next hop is ISP B.

But trace route from ITTOOL web for 193.x.x.220 taking me back via ISP B. Which is correct.

Please help me out.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card