Inbound connections with dual ISPs

Answered Question
Feb 14th, 2008

Any ideas...

I've read the doc about dual ISP connections (outbound): http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml


Taken from the above document: "As described in this document, this setup may not be suitable for inbound access to resources behind the security appliance. Advanced networking skills are required to achieve seamless inbound connections. These skills are not covered in this document."


So the question is: Where is the documentation for inbound connections?


...but in the meantime, without the doc, I'm thinking this could be done with a second NAT statement, an additional ACL and an additional IP address on the server in question.


Something like:


interface Ethernet0
 nameif outside
 security-level 0
 ip address *1st ISP Public IP*

interface Ethernet1
 nameif backup
 security-level 0
 ip address *2nd ISP Public IP*

global (outside) 1 interface
global (backup) 1 interface

route outside 0.0.0.0 0.0.0.0 *1st ISP Gateway* 1 track 1
route backup 0.0.0.0 0.0.0.0 *2nd ISP Gateway* 254

sla monitor 151
 type echo protocol ipIcmpEcho *object to ping* interface outside
 num-packets 3
 frequency 10
sla monitor schedule 151 life forever start-time now
track 1 rtr 151 reachability

static (inside,outside) *1st ISP Public IP* 192.168.1.1 netmask 255.255.255.255
static (inside,outside) *2nd ISP Public IP* 192.168.1.2 netmask 255.255.255.255

access-list inbound line 1 extended permit tcp any host *1st ISP Public IP* eq *port*
access-list inbound line 2 extended permit tcp any host *2nd ISP Public IP* eq *port*


Any thoughts?


Thanks

--Mark

Overall Rating: 4.7 (3 ratings)
Correct Answer
acomiskey Thu, 02/14/2008 - 12:33

Looks like that should work...a few mistakes though...


static (inside,backup) *2nd ISP Public IP* 192.168.1.2 netmask 255.255.255.255

access-list inbound_backup extended permit tcp any host *2nd ISP Public IP* eq *port*
access-group inbound_backup in interface backup
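
An added example, not part of the original thread or any Cisco tooling: a small Python audit that catches the two mistakes corrected above, namely a static NAT mapped on the wrong ISP interface and a public address with no ACL permit applied inbound on its own interface. The addresses, port 443 and the `audit_inbound` helper are hypothetical, and the check assumes each mapped address sits in the connected subnet of the ISP interface it belongs to.

```python
import ipaddress
import re

# Constructed sample: the layout from the question, with documentation-range
# addresses standing in for the *1st/2nd ISP Public IP* placeholders.
AS_POSTED = """\
interface Ethernet0
 nameif outside
 ip address 198.51.100.2 255.255.255.0
interface Ethernet1
 nameif backup
 ip address 203.0.113.2 255.255.255.0
static (inside,outside) 198.51.100.10 192.168.1.1 netmask 255.255.255.255
static (inside,outside) 203.0.113.10 192.168.1.2 netmask 255.255.255.255
access-list inbound line 1 extended permit tcp any host 198.51.100.10 eq 443
access-list inbound line 2 extended permit tcp any host 203.0.113.10 eq 443
access-group inbound in interface outside
"""
# The same config with the answer's three corrections applied.
CORRECTED = (AS_POSTED
    .replace("static (inside,outside) 203.", "static (inside,backup) 203.")
    .replace("access-list inbound line 2", "access-list inbound_backup")
    + "access-group inbound_backup in interface backup\n")

def audit_inbound(config):
    """Flag static NATs on the wrong ISP interface or without an applied ACL permit."""
    nets, statics, acl_hosts, groups, nameif = {}, [], {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"nameif (\S+)", line):
            nameif = m[1]
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            nets[nameif] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"static \(\S+,(\S+)\) (\S+)", line):
            statics.append((m[1], ipaddress.ip_address(m[2])))
        elif m := re.match(r"access-list (\S+) .*permit \S+ any host (\S+)", line):
            acl_hosts.setdefault(m[1], set()).add(ipaddress.ip_address(m[2]))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            groups[m[2]] = m[1]
    findings = []
    for mapped_if, ip in statics:
        # Assumption: a mapped address belongs to the interface whose subnet contains it.
        owner = next((n for n, net in nets.items() if ip in net), None)
        if owner != mapped_if:
            findings.append(f"static {ip}: mapped on '{mapped_if}', address is in '{owner}' subnet")
        if ip not in acl_hosts.get(groups.get(owner), set()):
            findings.append(f"{ip}: no permit in an ACL applied inbound on '{owner}'")
    return findings
```

Calling `audit_inbound(AS_POSTED)` returns two findings for the second ISP address, and `audit_inbound(CORRECTED)` returns an empty list.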

mark.johnson@te... Thu, 02/14/2008 - 12:40

Great! Thanks for the confirmation and pointing out my errors :o)

Will try this out at the weekend


Oh, and before anyone mentions access-groups:

access-group inbound in interface outside
access-group inbound_backup in interface backup


;o)

acomiskey Thu, 02/14/2008 - 12:41

Good luck, be sure to let us know if it works out.

acomiskey Thu, 02/14/2008 - 20:00

Who rated that a 1 and why? Care to explain?

mark.johnson@te... Thu, 02/14/2008 - 21:44

Anyone!!

Since I rated and ticked resolved my issue after acomiskey's 1st answer, I think it's unfair for someone to devalue my points!

