static route to 2 ISPs

Hello

I have a customer who needs a continuous internet connection just for browsing, because it's important to him (in the past his ISP went down for 6 hours, and he panicked at that moment because he lost a lot of money on the stock exchange), along with an Exchange server in the DMZ. Currently he has 1 link to an ISP via a fiber connection (6 Mbps) and now he needs another ISP as backup using a DSL line. His current router is an 1841. The questions are:

1) Should I use another 1841 and peer with the 2nd via static route? If so, how could the solution be done?

2) How do I make half the routes go via ISP1 and the other half via ISP2, but please bear in mind that when ISP1 goes down the full route will go via ISP2 and vice versa?

thanks a lot

Jon Marshall Tue, 12/29/2009 - 08:42

Ali

There is not enough info re. routing protocols etc. to give a definitive answer, but I would say the simplest thing to do is run HSRP on the inside LAN interfaces of the 1841 routers and have the active interface on the 1841 that uses the 6Mbps connection.

On both routers have a default-route pointing at the ISP next-hop and then use HSRP track for the availability of the next-hop. If the next-hop goes down then decrement the HSRP priority on the active 1841 and it will fail over to the standby 1841.

Jon

Hi

The proposed design is in the attachment: no routing protocol, just static routes from the edge to each of the different ISPs (different address blocks).

1) Could you please describe the design and the config on each part of this diagram, i.e. edge routers, ASA? Just key points to start.

3) Why HSRP and not GLBP?

4) Do I need load sharing for these 2 ISPs (half the routes from the first ISP and the other half from the 2nd ISP, but if one ISP goes down then I get all routes from ISP2)? Is it possible?

Please advise on all points.

6 Mb from ISP1 and DSL 1024 from ISP2.

Thanks

Jon Marshall Tue, 12/29/2009 - 10:30

Ali

What addressing do you have from the ISPs? This is a critical bit of information.

If one of the links is 6Mb and the other 1Mb then you don't want to split the traffic 50/50 across the links. It would be better to use the 6Mb as active and the 1Mb as standby.

You could run your ASA firewalls in active/standby mode, in which case GLBP gives you nothing as you only have one "client", i.e. the active ASA.

Because you have different address blocks you will have to do the NAT on the 1841 routers.

So key points -

1) ASA devices in active/standby

2) subnet used between the ASA outside interfaces and the 1841 internal LAN interfaces is a private subnet.

3) Configure the internal LAN interfaces to use HSRP and HSRP track the next-hop

4) make the 1841 with the 6Mb connection the HSRP active, i.e. give it a higher priority

5) Make sure you configure both 1841 HSRP to preempt and make sure that if you decrement on the active router because the link to ISP1 has gone down it decrements enough so that the other 1841 becomes active

6) NAT to be configured on both 1841 routers together with a default-route on each. Note the next-hop for the default-route will be ISP1 for router1 and ISP2 for router2

Depending on the interface types that connect the 1841s to the ISPs HSRP track might not be enough and you may need IP SLA tracking. Do you know what the interfaces are ?

Final point - this will only work for outbound traffic.

Edit - ** If there is a server on a DMZ that needs presenting to the internet then this becomes more complex because you don't have provider independent addressing.

Just noticed from the original post that you have an exchange server on the DMZ. You have a problem because you have to choose which ISP's address to allocate to the exchange server. If that ISP's link goes down then inbound traffic to the e-mail server will not work any more. The problem is that there will be Internet DNS records using that public IP, so even if you manually changed the exchange server to the other ISP's address the internet DNS servers would still point to the old address. This is why provider independent addressing is so useful.

One solution might be to outsource the mail server functionality to a 3rd party. Another would be to get provider independent addressing but you can't really justify it with the amount of addresses you need.

I remember we talked about this previously and Giuseppe posted a link to a multi-homing scenario - I'll see if I can find it and have a read.

Jon
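As an added example of the key points above (not a config from the thread, from Jon, or from Cisco): the ISP1 router of the pair, with HSRP on the LAN side, an IP SLA probe driving the track object, a tracked default route and PAT. All addresses, interface names, the probe target and the track numbers are constructed assumptions.

```cisco
! Added example, not from the thread: router1 (the 1841 on the 6 Mbps ISP1 link).
! Constructed addressing: ISP1 gives router1 203.0.113.2/30, next-hop 203.0.113.1;
! 10.1.1.0/24 is the private subnet between the ASA outside interfaces (ASA at
! 10.1.1.10) and the two 1841 LAN interfaces; 10.1.1.1 is the HSRP virtual IP;
! 192.168.1.0/24 is the LAN and 192.168.2.0/24 the DMZ behind the ASA.
!
! Probe the ISP1 next-hop every 10 s. Ethernet to a fibre ONT usually stays
! "up" when the ISP is down, so interface state alone is not enough.
! (Older IOS: "ip sla monitor 1" and "track 1 rtr 1 reachability".)
ip sla 1
 icmp-echo 203.0.113.1 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
interface FastEthernet0/0
 description ISP1 fibre 6 Mbps
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 description towards ASA outside interfaces
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
 standby 1 ip 10.1.1.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 1 decrement 20
!
! The default route follows the same track object, so it is withdrawn when
! ISP1 fails; LAN and DMZ are reached via the ASA outside address.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 192.168.1.0 255.255.255.0 10.1.1.10
ip route 192.168.2.0 255.255.255.0 10.1.1.10
!
! PAT the transit subnet, LAN and DMZ to the ISP1 interface address.
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
ip nat inside source list 100 interface FastEthernet0/0 overload
!
! router2 (ISP2, DSL) is the same apart from its own ISP2 addresses and probe
! target, "standby 1 priority 100" (110 - 20 = 90 < 100 forces the failover
! to it) and its own track object watching the ISP2 next-hop.
```

Both routers must preempt so that router1 takes the virtual IP back once its track returns to up. NAT translation state is not shared between the two 1841s, so established sessions are reset on every failover.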

Hello Jon

Thanks so much for your reply.

Questions:

1) In this situation why should the ASA be active/standby and not active/active?

2) What about if managers connect from outside to inside using IPsec VPN to access a file server? What real IP should I put on the ASA for the outside VPN connection?

Regarding that link posted by Giuseppe, it was wonderful, with BGP peering.

3) Why do you choose to do NAT on the router and not the ASA? Is it not recommended on the ASA?

4) Could you please post me a simple NAT config?

5) On www.cisco.com/go/srnd can I find a similar scenario? If so please check for me and submit any powerful link you find suitable.

6) What do you mean by this: "One solution might be to outsource the mail server functionality to a 3rd party"?

Jon, thanks a lot, appreciated.

Message was edited by: [email protected]

Marwan ALshawi Wed, 12/30/2009 - 06:23

I will try to help as well and jump in on the interesting discussion.

The answers to your questions:

1. Active/active is used with multiple instances of the ASA.

2. You can do static NATing from outside (router outside IP) to the inside IP address of the ASA (ASA outside IP address), or static PAT only for the VPN ports.

3. You can't do NAT on the ASA because you need another public IP subnet and more IPs as well.

However you can do NATing on the ASA using your private IP addressing, in which case you will have double NATing:

LAN -- ASA NATing --- Router -- NATing -- Internet

Or you can use the following command to exempt outbound sessions from being NATed (outbound only):

nat (inside) 0 192.168.1.0 255.255.255.0

where 192.168.1.0 is your LAN behind the ASA.

- Also you will require another nat 0 for VPN returning traffic.

Let's say your VPN pool address assigned to the remote VPN users is 20.1.1.0

and you need this range to have communications with LAN 192.168.1.0 (ASA access-lists take subnet masks, not wildcard masks):

access-list 101 extended permit ip 192.168.1.0 255.255.255.0 20.1.1.0 255.255.255.0

nat (inside) 0 access-list 101

--- to make sure the traffic gets encrypted over the VPN tunnel before NATing takes place, which would break the communications with VPN users.

4. LAN 10.1.1.0/24 (between the router and the ASA)

Public: 200.1.1.1 on your fa0/0 outside to the Internet

access-list 100 permit ip 10.1.1.0 0.0.0.255 any

ip nat inside source list 100 interface fa0/0 overload

interface fa0/0   (outside interface)

 ip nat outside

interface fax/x   (inside interface)

 ip nat inside

For VPN static NATing:

ASA outside IP: 10.1.1.10

Outside interface: fa0/0

ip nat inside source list 100 interface fa0/0 overload
ip nat inside source static esp 10.1.1.10 interface fa0/0
ip nat inside source static udp 10.1.1.10 500 interface fa0/0 500

Jon, if I mentioned something not meant by your design please correct me.

Also check this document; although it's discussing different logic, it will help you to understand NATing better:

https://supportforums.cisco.com/docs/DOC-8313

Good luck

If helpful, rate

Marwan ALshawi Wed, 12/30/2009 - 22:09

I know, and yours is simpler.

You only need the config I posted above.

thank you

Marwan

Marwan ALshawi Thu, 12/31/2009 - 00:28

Dear, the config I put above is more than enough for your NATing config.

You can apply it to both of your routers, only changing the used IPs and interface numbers.

Also if you want to configure NATing for inbound VPN, I did put a static PAT config example for only the VPN IPsec ports required; also change the internal IP address of that static NAT to the ASA outside IP.

Try it and if you have any issue post it here.

Good luck

If helpful, rate

Hello!

Questions:

1) What about the Exchange server? Does it also need a static NAT from the router pointed to its IP?

2) Also I have two 3750s acting as CORE, so do I need to configure them for HSRP or GLBP? Also bear in mind that my ASAs are active/standby.

3) For VPN users, the IP that should be pointed to is the outside IP address, right?

4) Do the interfaces peering with the 2 ISPs have to be real IP addresses?

Any advice here?

Thanks

Marwan ALshawi Thu, 12/31/2009 - 04:15

1. If you need access from the Internet to the Exchange server then yes, you need an additional real IP from the ISP, especially if it's required for DNS on the Internet.

If not, I mean only limited access is required to Exchange, such as Outlook Web Access, you may use the IP you have from your ISP

with static PAT like the VPN config above.

For example, to NAT http and https traffic coming to the outside IP of the router:

ip nat inside source static tcp x.x.x.x 80 interface fa0/0 80

ip nat inside source static tcp x.x.x.x 443 interface fa0/0 443

where x.x.x.x is the Exchange server IP and fa0/0 your external interface to the ISP; you may use the dialer interface if you have a PPPoE setup in your router.

Note: do not NAT the IP of the Exchange server in the ASA, to make it reachable by the router through its real configured IP in the LAN.

Use the nat 0 logic mentioned above to exclude your LAN, or only the Exchange server, from being NATed.

2. If you are talking about the switches in the LAN behind the ASAs then I think HSRP will be better, as your ASAs are in active/standby, which means you have one active at a time.

Also configure the Internet routers with HSRP, as Jon mentioned: you have one link with 6 M and the other with 1, so it is better to have the one with 6 as the active.

However you might configure GLBP to use weighted load balancing with a weighting of 6:1.

It means 6 sessions will go through the router with 6 M and 1 session through the other one.

But because you have inbound traffic, not only outbound, this might lead to asymmetrical routing, which is better to stay away from.

Go with HSRP.

3. Based on the example we discussed here and above, yes, the outside IP of the router, and in the router you will NAT it to the outside IP of the ASA.

4. Yes.

good luck

and thanks for the rating
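As an added example (not a config from the thread, from Marwan, or from Cisco) tying together the nat 0 advice earlier in the thread and the Exchange/DMZ points above: the ASA side of the design, in 8.2-style syntax. The addressing (outside 10.1.1.10 towards an HSRP virtual IP 10.1.1.1, LAN 192.168.1.0/24, DMZ 192.168.2.0/24 with Exchange at 192.168.2.10, VPN pool 20.1.1.0/24), interface names and ACL names are assumptions; failover, tunnel-group and group-policy lines are left out.

```cisco
! Added example, not from the thread: active ASA of the active/standby pair.
! Constructed addressing: outside 10.1.1.10/24 facing the 1841 HSRP virtual IP
! 10.1.1.1, inside LAN 192.168.1.0/24, DMZ 192.168.2.0/24 with the Exchange
! server at 192.168.2.10, remote-access VPN pool 20.1.1.0/24.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.1.1.10 255.255.255.0 standby 10.1.1.11
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0 standby 192.168.2.2
!
! One default route to the HSRP virtual IP: the ASA never has to know which
! 1841 (and therefore which ISP) is active.
route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
!
! No NAT on the ASA, the 1841s do it, so the routers reach LAN and DMZ hosts
! by their real addresses (needed for the router's static PAT to Exchange).
! The VPN pool exemption keeps LAN<->VPN traffic out of translation entirely.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 20.1.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 0 192.168.1.0 255.255.255.0
nat (dmz) 0 192.168.2.0 255.255.255.0
!
! Only the ports Exchange needs are allowed in from outside; everything else
! towards the DMZ and the inside is dropped by the implicit deny.
access-list OUTSIDE_IN extended permit tcp any host 192.168.2.10 eq smtp
access-list OUTSIDE_IN extended permit tcp any host 192.168.2.10 eq https
access-group OUTSIDE_IN in interface outside
!
ip local pool VPNPOOL 20.1.1.1-20.1.1.254 mask 255.255.255.0
```

Remote clients that sit behind their own NAT negotiate NAT-T, so the router's static PAT list for the ASA outside address should forward UDP 4500 as well as ESP and UDP 500.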

Marwan ALshawi Thu, 12/31/2009 - 05:20

Do NATing only in the Internet router, as I mentioned above, to avoid the complexity of having two NATings.

For packet filtering (security), allow only the required ports from outside to the server in the DMZ and block the other ports.

good luck

Marwan ALshawi Thu, 12/31/2009 - 06:32

I am assuming the VPN terminates on the ASA,

as I am not aware if you have public IPs or only the IP assigned to your Internet router!

If you are going to use the Internet router outside IP for VPN, use the static NAT (PAT) above and use the router interface IP (outside) for VPN.

If you want to use a separate IP (given to you by your ISP), just make a simple static NAT as above, but instead of using the interface keyword in the command use the public IP:

ip nat inside source static x.x.x.x y.y.y.y

x.x.x.x: outside IP of the ASA

y.y.y.y: public IP given to you by your ISP

For redundancy, as I told you above, you can use the IP address of the second router (ISP) as a second option in the VPN client; in case the first router or ISP goes down you will have a backup link.

NATing config: exactly the same concept.

good luck

Marwan ALshawi Mon, 01/04/2010 - 22:28

I am glad it's working, and also thanks for your rating as well.

Please mark this discussion as resolved to let other people know this is resolved when they search here (just trying to help).
