Overcoming inbound link resilience without dynamic routing

Unanswered Question
Jun 9th, 2009

Greetings, I'm sure this question has been approached several times before, but it would be appreciated if I could get some opinions.

We have a customer with two DSL connections coming into two different routers. We want to replace these connections with a local Ethernet service; so far so good. However, the customer wishes to keep the DSL connections and terminate them on the same router as the Ethernet service.

Now normally what I would try to do is find a provider who can supply both the DSL and Ethernet circuits and run BGP to both load balance and provide resilience for inbound and outbound connections.

Unfortunately we can't in this situation. As per the diagram, I am thinking of using the Ethernet service as the primary link. The address block attached to this circuit would be used on the outside of the ASA, which would also NAT all outbound traffic to its global address of, the router would be configured with a default route going to the Ethernet circuit, and the DSL circuits would have higher metrics. I would also configure PAT for each DSL interface on the router, which would mean that traffic is NATed both on the ASA and on the router in the event the Ethernet service fails.

What I hope to achieve is that outbound connections still work in the event of the Ethernet service failing; however, I realise that inbound connections and outbound IPSEC connections are still going to fail if I NAT traffic twice.

I'd be very happy to listen to any advice on how to overcome this without using dynamic routing, if it is at all possible.


Giuseppe Larosa Tue, 06/09/2009 - 03:43

Hello Mark,

Reliable static routing can help in dealing with redundancy without using dynamic routing protocols.

The idea is to have a probe or IP SLA that performs an L3 test (for example, a ping) on a target.

Until the test results are fine, the primary static route is used.

When the test fails, the primary static route that uses track as an option is removed from the IP routing table.

Hope to help
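
The tracked static route described in the reply above, sketched as Cisco IOS configuration for the topology in the question. This is an added example, not part of the original thread: the interface names, addresses (documentation ranges), object numbers and timers are constructed assumptions, and the IP SLA keyword forms vary between IOS releases.

```cisco
! Constructed values (assumptions, not from the thread):
!   GigabitEthernet0/0  = Ethernet service, ISP next hop 192.0.2.1
!   Dialer1 / Dialer2   = the two DSL circuits
!   198.51.100.10       = a stable host beyond the ISP next hop, used as probe target
!
! 1. Probe: ping the target every 10 seconds, sourced from the primary interface.
ip sla 10
 icmp-echo 198.51.100.10 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 10 life forever start-time now
!
! 2. Track object: follows the probe result. The delays damp flapping:
!    wait 20 s before declaring the path down, 60 s before trusting it again.
track 10 ip sla 10 reachability
 delay down 20 up 60
!
! 3. Pin the probe target to the primary path with a host route, so the
!    probe can never be answered over a DSL circuit after failover.
ip route 198.51.100.10 255.255.255.255 192.0.2.1
!
! 4. Primary default route, installed only while track 10 is up.
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 10
!
! 5. Floating static defaults over DSL. The higher administrative distance
!    keeps them out of the routing table until the tracked route is removed.
ip route 0.0.0.0 0.0.0.0 Dialer1 200
ip route 0.0.0.0 0.0.0.0 Dialer2 210
```

`show track 10` and `show ip route 0.0.0.0` show which default route is currently installed. Without the host route in step 3, the probe can follow the backup default after a failover, succeed over DSL, and make the primary route flap.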


