09-16-2009 02:38 AM - edited 03-04-2019 06:04 AM
Hi guys, I have a client who is applying for 2 internet leased line circuits from 2 different ISPs.
I have 2 Cisco 2800 routers for the internet connectivity.
I have an L3 switch in the internal zones of the routers.
Both ISPs have given a /30 public network for the WAN. I don't have any doubt on that.
But both ISPs are giving different /28 networks for internal usage (e.g. to host some servers).
I have 2 ASA 5510s behind the routers which are going to use the public IP addresses given by the ISPs.
The customer wants to use only 1 ISP at a time, and if that ISP goes down I should be using the other ISP.
But my doubt is that the public IP addresses given by the ISPs are in different network subnets, and it won't be possible to manually change the IP addresses on the ASA 5510.
Please help me with some solution.
Thanks & Regards,
Jvalin
09-16-2009 02:57 AM
See:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a00808d2b72.shtml
Note this requires that you do NAT on the router, not on the ASA, and that you use 1 router, not 2.
09-16-2009 03:03 AM
Well, thanks for the message, but this is not what I meant.
I have static IP addresses on both routers, and the public IP address ranges from the two ISPs are different.
09-16-2009 03:08 AM
That is exactly what the document takes into consideration.
09-16-2009 03:05 AM
Jvalin
In addition to Paolo's post, it depends on whether or not you need to present internal servers to the Internet so that internet clients can access them, e.g. a web server/mail server.
If this is the case then you have a problem with your setup, because what DNS entry would you use for your web server, i.e. you choose one of the ISPs' public addresses to represent the web server. If that ISP link goes down, it's not just the static NAT on the ASA that needs updating, it is also the public DNS with the new public address.
If you do need to present internal servers then you are going to need a provider independent public address space that both ISPs will advertise out.
Jon
09-16-2009 03:10 AM
If you do need to present internal servers then you are going to need a provider independent public address space that both ISPs will advertise out.
Or get a regular hosting solution, easier to set up and manage. Really, BGP is not for everybody.
09-16-2009 03:31 AM
guys,
What will be my default gateway on the ASA?
How will I do HSRP on the routers?
09-16-2009 04:18 AM
I suggest you do this with one router only. That is pretty much the only way you balance outgoing connections and keep things reasonably simple.
If you want to use two, then yes, you can use HSRP, but all the traffic will use a single ISP.
Or you can forget about the routers and just use the ASA:
09-16-2009 04:24 AM
So according to you and Marshall, this is not possible, right, from the viewpoint of the ISP?
Only if they are giving provider independent address space is it possible, I guess. But do we get this type of address space from the provider? That's the biggest question here.
09-16-2009 04:39 AM
What exactly did you understand to be "not possible"? Clearly, reaching an internal server with a single IP address resistant to failure is impossible.
You need AS numbers and PI space for BGP; these things are obtained through the ISP but are expensive. Most customers give up immediately.
09-16-2009 04:52 AM
Yes Paolo, I clearly understood the server hosting thing; that is impossible.
But let's assume that I don't have any internal web servers.
Simple users want to have internet access through the firewall,
and if one ISP fails the other will be utilized.
Let's forget about the provider independent address space here as well.
You said I can do HSRP, but how? Both ISPs are giving different IP addresses; I have to use them on the routers' internal interfaces and the ASAs' outside interfaces as well.
How am I going to configure HSRP in this scenario?
I have to manually change the IPs of all the interfaces if one ISP goes down? Please correct me if I'm wrong.
09-16-2009 04:55 AM
With no servers there isn't much of a problem.
As mentioned above, either configure the ASA for NAT for backup links, or with HSRP you track an object off the primary ISP/router; when it fails the other router will take over.
When configured correctly no manual intervention is necessary.
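An added worked configuration, written for this edit and not posted by anyone in the thread, for the two-router design Paolo describes in the post above (HSRP on the routers, each router tracking its own ISP) and for the NAT-on-the-router approach he pointed to earlier. The trick that answers the "different /28 subnets" question is that the ASA's outside interface never carries either ISP's public addressing at all: it sits on a private transit LAN shared with both routers, its default gateway is the HSRP virtual IP, and whichever router is active translates outgoing traffic to its own ISP's address. All addresses (RFC 5737 documentation ranges), interface names, IOS/ASA versions and the probe targets are assumptions.

```ios
! ---- R1: primary router, connected to ISP-A (assumed addresses) ----
! Probe ISP-A's next hop. If the ISP gateway can stay pingable while its
! upstream is dead, probe a target beyond the first hop instead.
ip sla 1
 icmp-echo 203.0.113.1 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
! Older IOS (before 12.4(20)T) spells this "track 1 rtr 1 reachability".
track 1 ip sla 1 reachability
 delay down 15 up 30
!
interface FastEthernet0/0
 description WAN /30 from ISP-A
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 description Private transit LAN shared with R2 and the ASA outside interface
 ip address 10.0.0.2 255.255.255.0
 ip nat inside
 standby 1 ip 10.0.0.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 1 decrement 20
!
! Tie the default route to the same track so R1 never black-holes
! traffic while the probe is down but HSRP has not yet flipped.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
!
! Only the transit LAN is translated; everything leaves as R1's ISP-A address.
ip access-list standard NAT-INSIDE
 permit 10.0.0.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface FastEthernet0/0 overload
!
! ---- R2: backup router, connected to ISP-B; same shape, lower priority ----
ip sla 1
 icmp-echo 198.51.100.1 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
 delay down 15 up 30
!
interface FastEthernet0/0
 description WAN /30 from ISP-B
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 ip address 10.0.0.3 255.255.255.0
 ip nat inside
 standby 1 ip 10.0.0.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 track 1 decrement 20
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 1
ip access-list standard NAT-INSIDE
 permit 10.0.0.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface FastEthernet0/0 overload
!
! ---- ASA 5510 (pre-8.3 NAT syntax): outside lives on the private transit LAN ----
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.0.0.10 255.255.255.0
!
! Default gateway is the HSRP virtual IP, never a router's real address,
! so the ASA configuration is identical whichever ISP is in use.
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
! The ASA PATs inside hosts to 10.0.0.10; the active router PATs again
! to its own ISP address. Double NAT, but nothing to touch on failover.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
```

How it fails over: R1 runs at priority 110 and R2 at 100, both with preempt. When R1's probe to ISP-A fails, track 1 goes down, R1's priority drops to 90 and its default route is withdrawn, and R2 preempts the virtual IP; when ISP-A returns, R1 takes it back. Verify with `show track 1`, `show standby brief` and `show ip nat translations` on each router. Caveats a practitioner should expect: established flows die on failover because the NAT state lives on the failed router and new connections leave from a different public address, so this is outbound-only, which matches the "no internal servers" constraint agreed in the thread. If you would rather use the /28 blocks than the /30 interface addresses, replace the `interface ... overload` translation with an `ip nat pool` drawn from each ISP's /28 on the corresponding router. The routers are now Internet-facing devices in their own right, so keep an inbound ACL on each WAN interface and do not allow management from it; the ASA remains the policy boundary, not the routers.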
09-16-2009 05:02 AM
Paolo, I understood your whole idea, but why are you suggesting that I use HSRP?
If ISP 1 gives 200.200.200.0/28
and ISP 2 gives me 100.100.100.0/28,
then I can utilize only one network out of these two for HSRP? Am I right?