Two ISPs to Cisco 2621 with backend f/w

Unanswered Question
Dec 2nd, 2008

Greetings all. I had a question on a design and would appreciate some thoughts. The customer has a Cisco 2621 with one ISP link via frame relay. Behind this is an existing firewall (not Cisco) that has an address on the ISP1 segment. The customer is getting a second ISP connection to the 2621 with an Ethernet handoff. So the config will look like:

ISP2 (Eth)-> 2621 <-(F/R) ISP1

|

F/W (ISP1 addr)

|

users

I'd like to setup the 2621 for failover - probably using object tagging - so that ISP2 takes over when ISP1 goes down. However, I'm thinking I'd need to NAT everything going to ISP2 so that the return traffic actually makes it back otherwise traffic sent using the existing ISP1 address of the firewall will not return, correct?

Does this sound plausible?

The other option would be to connect ISP2 straight to the firewall but I'm not sure they can spare their DMZ interface for this purpose.

Thanks in advance for an comments.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Harold Ritter Tue, 12/02/2008 - 14:56

Gregg,

You are correct in saying that using ISP1 address while sending ISP2 as a backup will not work. NATing using ISP1 or ISP2 address sounds like a reasonable way to address this issue.

Regards

hambyg Tue, 12/02/2008 - 17:52

Thanks for the reply. I'm hoping this will work so we don't have to do major reconfigurations on the firewall or change addresses.

Just out of curiosity, have you seen any documents/examples that speak to the SMB case of a single router or firewall with two ISPs? I've seen docs covering the ASA/PIX but they are failover only - no load balancing. I also found a Small Branch note on two IPSec tunnels via two broadband connections and they note that a split tunnel will require PNat but that config involves four Cisco devices, EIGRP, etc, etc.

I can't believe that this is not a very common scenario these days - small customer with two inexpensive ISP links who wants to get the most out of both?

Thanks again.

hambyg Wed, 12/03/2008 - 14:28

Hello again. I'm still working on this config and at the moment am wondering how to get all my inside IP addresses xlated to the secondary ISPs address? I had assumed an "ip nat inside" command on the ethernet port connecting to the second ISP would do the trick but it doesn't seem to be working.

On the router, the interface connecting to my 2nd ISP has the ip nat inside command.

I then added the ip nat inside source static interface fastethernet 0/1 command and can see that I get a translation for my laptop's inside address to the outside IP of my 2nd ISP. Is that all I need for this to work? I see nothing on the Outside local <-> Outside Global side as I thought I didn't need outside NAT in this case?

Thoughts anyone?

Thanks for your help.

Actions

This Discussion