12-29-2009 08:23 AM - edited 03-04-2019 07:04 AM
Hello
I have a customer who needs a continuous internet connection, just for browsing, because it is important to him (in the past his ISP went down for 6 hours, and it was a panic for him at that moment because he lost a lot of money on the stock exchange), along with an Exchange server in the DMZ. Currently he has 1 link to an ISP via a fiber connection (6 Mbps) and now he needs another ISP as backup using a DSL line. His current router is an 1841. The questions are:
1) Should I use another 1841 and peer with the 2nd via a static route? If so, how could the solution be done?
2) How to make half the routes go via ISP1 and the other half via ISP2, but please bear in mind that when ISP1 goes down the full route will go via ISP2 and vice versa.
Thanks a lot
12-29-2009 08:42 AM
Ali
There is not enough info re. routing protocols etc. to give a definitive answer, but I would say the simplest thing to do is run HSRP on the inside LAN interfaces of the 1841 routers and have the active interface on the 1841 that uses the 6Mbps connection.
On both routers have a default route pointing to the ISP next hop and then use HSRP track for the availability of the next hop. If the next hop goes down, then decrement the HSRP priority on the active 1841 and it will fail over to the standby 1841.
Jon
12-29-2009 09:10 AM
Hi
The proposed design is in the attachment: no routing protocol, just static routes from the edge to each of the different ISPs (different address blocks).
1) Could you please describe the design and the config on each part of this diagram, i.e. edge routers, ASA? Just key points to start.
3) Why HSRP and not GLBP?
4) Do I need load sharing for these 2 ISPs (half the routes from the first ISP and the other half from the 2nd ISP, but if one ISP goes down then I will get all routes from ISP2)? Is it possible?
Please advise on all points.
6 Mb from ISP1 and DSL 1024 from ISP2
Thanks
12-29-2009 10:30 AM
Ali
What addressing do you have from the ISPs? This is a critical bit of information.
If one of the links is 6Mb and the other 1Mb then you don't want to split the traffic 50/50 across the links. It would be better to use the 6Mb as active and the 1Mb as standby.
You could run your ASA firewalls in active/standby mode, in which case GLBP gives you nothing: you only have one "client", i.e. the active ASA.
Because you have different address blocks you will have to do the NAT on the 1841 routers.
So key points -
1) ASA devices in active/standby
2) subnet used between the ASA outside interfaces and the 1841 internal LAN interfaces is a private subnet.
3) Configure the internal LAN interfaces to use HSRP and HSRP track the next-hop
4) make the 1841 with the 6Mb connection the HSRP active ie. give it a higher priority
5) Make sure you configure both 1841s' HSRP to preempt, and make sure that if you decrement on the active router because the link to ISP1 has gone down, it decrements enough so that the 1841 becomes active
6) NAT to be configured on both 1841 routers together with a default-route on each. Note the next-hop for the default-route will be ISP1 for router1 and ISP2 for router2
Depending on the interface types that connect the 1841s to the ISPs HSRP track might not be enough and you may need IP SLA tracking. Do you know what the interfaces are ?
Final point - this will only work for outbound traffic.
Edit - ** If there is a server on a DMZ that needs presenting to the internet then this becomes more complex because you don't have provider independent addressing.
Just noticed from the original post that you have an Exchange server on the DMZ. You have a problem because you have to choose which ISP's address to allocate to the Exchange server. If that ISP's link goes down then inbound traffic to the e-mail server will not work any more. The problem is that there will be Internet DNS records using that public IP, so even if you manually changed the Exchange server to the other ISP's address the internet DNS servers would still point to the old address. This is why provider independent addressing is so useful.
One solution might be to outsource the mail server functionality to a 3rd party. Another would be to get provider independent addressing, but you can't really justify it with the amount of addresses you need.
I remember we talked about this previously and Giuseppe posted a link to a multi-homing scenario - I'll see if I can find it and have a read.
Jon
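A worked configuration for the design Jon outlines above (two 1841s, HSRP on the inside LAN interfaces, the 6 Mbps router active, next-hop tracking, preempt, a decrement large enough to flip the active role, NAT and a default route on each). This is an added example and not Jon's, Cisco's or the customer's configuration. Addresses are constructed: 10.1.1.0/24 between the ASA outside interfaces and the routers (the range used later in this thread), 200.1.1.0/30 for ISP1 with 200.1.1.2 assumed to be ISP1's gateway, and 198.51.100.0/30 as a placeholder for the ISP2 DSL block. Command forms are those of IOS 12.4T; older 12.4 mainline images use `ip sla monitor` and `track 1 rtr 1 reachability` instead.

```cisco
! ===== Router1: 1841 on the 6 Mbps fibre to ISP1 (HSRP active) =====
! Probe ISP1's next hop every 10 s; track object 1 goes down when the probe fails.
! (Constructed addresses: 200.1.1.2 is assumed to be ISP1's gateway.)
ip sla 1
 icmp-echo 200.1.1.2 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
interface FastEthernet0/0
 description ISP1 fibre (6 Mbps)
 ip address 200.1.1.1 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 description inside LAN shared with the ASA outside interfaces
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
 ! Priority 110 minus decrement 20 = 90, which is below Router2's 100,
 ! so the standby router takes over as soon as the ISP1 next hop stops answering.
 standby 1 ip 10.1.1.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 1 decrement 20
!
! The default route is withdrawn while the track is down, so nothing is blackholed.
ip route 0.0.0.0 0.0.0.0 200.1.1.2 track 1
!
! Everything arriving from the ASA side is PATed to this router's own ISP1 address.
! If the ASA uses nat 0 instead of PAT, add the untranslated LAN/DMZ ranges here as well.
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
ip nat inside source list 100 interface FastEthernet0/0 overload

! ===== Router2: 1841 on the 1 Mbps DSL to ISP2 (HSRP standby) =====
ip sla 1
 icmp-echo 198.51.100.2 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
interface FastEthernet0/0
 description ISP2 DSL (1 Mbps), placeholder address block
 ip address 198.51.100.1 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 description inside LAN shared with the ASA outside interfaces
 ip address 10.1.1.3 255.255.255.0
 ip nat inside
 standby 1 ip 10.1.1.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 track 1 decrement 20
!
ip route 0.0.0.0 0.0.0.0 198.51.100.2 track 1
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
ip nat inside source list 100 interface FastEthernet0/0 overload
```

The ASA pair then needs only a default route to the virtual address (`route outside 0.0.0.0 0.0.0.0 10.1.1.1`), and whichever 1841 holds the HSRP group carries the outbound traffic. Two caveats match Jon's remarks: pinging the next hop only proves the first hop is alive, so an upstream failure inside the ISP goes unnoticed unless the probe targets an address beyond the ISP gateway (which in turn adds false positives when that target itself is down); and if the DSL side is PPPoE, the outside interface is a Dialer, so the NAT statement should reference the Dialer interface and the probe must target something reachable through it rather than a fixed next-hop address.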
12-30-2009 04:59 AM
Hello Jon
Thanks so much for your reply
Questions
1) In this situation why should the ASA be active/standby and not active/active?
2) What about if managers connect from outside to inside using IPsec VPN to access a file server? What real IP should I put on the ASA for the outside VPN connection?
Regarding that link posted from Giuseppe, it was wonderful, with BGP peering.
3) Why did you choose to do NAT on the router and not the ASA? Is it recommended on the ASA?
4) Could you please post me a simple NAT config?
5) On www.cisco.com/go/srnd can I find a similar scenario? If so, please check for me and submit any powerful link you find suitable.
6) What do you mean by this: "One solution might be to outsource the mail server functionality to a 3rd party"?
Jon, thanks a lot and appreciated
12-30-2009 06:23 AM
I will try to help as well and jump into the interesting discussion.
The answers to your questions:
1. Active/active is used with multiple instances of the ASA.
2. You can do static NATing from outside (router outside IP) to inside -- the IP address in the ASA (ASA outside IP address), or static PAT only for the VPN ports.
3. You can't do NAT in the ASA because you need another public IP subnet and more IPs as well.
However you can do NATing in the ASA using your private IP addressing, in which case you will have double NATing:
LAN -- ASA NATing --- Router -- NATing -- Internet
Or you can use the following command to allow outbound sessions to NOT be NATed (outbound only):
nat (inside) 0 192.168.1.0 255.255.255.0
where 192.168.1.0 is your LAN behind the ASA.
- Also you will require another nat 0 for VPN returning traffic.
Let's say your VPN pool address assigned to the remote VPN users is 20.1.1.0
and you need this range to have communications with LAN 192.168.1.0:
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 20.1.1.0 255.255.255.0
nat (inside) 0 access-list 101
--- This is to make sure the traffic gets encrypted over the VPN tunnel before NATing takes place, which would otherwise break the communications with the VPN users.
4. LAN 10.1.1.0/24 (between the router and the ASA)
Public: 200.1.1.1 on your fa0/0 outside to the Internet
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
ip nat inside source list 100 interface fa0/0 overload
int fa0/0 (outside interface)
ip nat outside
int fax/x (inside interface)
ip nat inside
For VPN static NATing:
ASA outside IP: 10.1.1.10
Outside interface: fa0/0
ip nat inside source list 100 interface fa0/0 overload
ip nat inside source static esp 10.1.1.10 interface fa0/0
ip nat inside source static udp 10.1.1.10 500 interface fa0/0 500
Jon, if I mentioned something not meant by your design please correct me.
Also check this document; although it discusses different logic, it will help you to understand NATing better:
https://supportforums.cisco.com/docs/DOC-8313
good luck
if helpful Rate
12-30-2009 09:38 PM
Thanks Mohamad, thanks for your link, but in my situation I have 2 routers for different ISPs and also different IP blocks.
12-30-2009 10:09 PM
I know, and yours is more simple.
You only need the config I posted above.
thank you
Marwan
12-30-2009 10:35 PM
Hello Marwan!
Should I have the ASAs act as active/active or active/standby? If active/standby, how does the continuous internet go out if the primary ISP goes down?
Related to your config: I have 2 ASAs and 2 routers connected to 2 ISPs with different address blocks, please see the attached diagram.
Thanks
12-30-2009 11:35 PM
Hello Marwan!
Could you please apply your configuration according to the diagrams? They are attached to this thread.
Thanks and appreciated
12-30-2009 11:25 PM
Hello Jon!
Jon wrote: "Final point - this will only work for outbound traffic."
Please can you advise for incoming traffic, i.e. for VPN users, which ISP's address should be pointed to in the VPN client software configuration?
Thanks
12-31-2009 12:28 AM
Dear, the config I put above is more than enough for your NATing config.
You can apply it to both of your routers; only change the used IPs and interface numbers.
Also if you want to configure NATing for inbound VPN, I did put a static PAT config example for only the VPN IPsec ports required; also change the internal IP address of that static NAT to the ASA outside IP.
Try it and if you have any issue post it here.
good luck
if helpful Rate
12-31-2009 12:34 AM
Hello!
Questions
1) What about the Exchange server? Does it also need a static NAT from the router pointed to its IP?
2) Also I have two 3750s acting as CORE, so do I need to configure them for HSRP or GLBP? Also bear in mind that my ASAs are active/standby.
3) For VPN users the IP that should be pointed to is the outside IP address, right?
4) The interfaces peering with the 2 ISPs have to be real IP addresses?
Any advice here
Thanks
12-31-2009 04:15 AM
1. If you need access from the Internet to the Exchange server then yes, you need an additional real IP from the ISP, especially if it's required for DNS in the Internet.
If not, I mean if only limited access is required to the Exchange such as Outlook Web Access, you may use the IP you have from your ISP
with static PAT like the VPN config above.
For example, to NAT HTTP and HTTPS traffic coming to the outside IP of the router:
ip nat inside source static tcp x.x.x.x 80 interface fa0/0 80
ip nat inside source static tcp x.x.x.x 443 interface fa0/0 443
where x.x.x.x is the Exchange server IP and fa0/0 your external interface to the ISP; you may use the dialer interface if you have a PPPoE setup in your router.
Note: do not NAT the IP of the Exchange server in the ASA, to make it reachable by the router through its real configured IP in the LAN.
Use the nat 0 logic mentioned above to exclude your LAN, or only the Exchange server, from being NATed.
2. If you are talking about the switches in the LAN behind the ASAs then I think HSRP will be better as your ASAs are in active/standby; that means you have one active at a time.
Also configure the Internet routers with HSRP as Jon mentioned: you have one link with 6 M and the other with 1, so it is better to have the one with 6 as the active.
However you might configure GLBP to use weighted load balancing with a weighting of 6:1.
It means 6 sessions will go through the router with 6 M and 1 session through the other one.
But because you have inbound traffic, not only outbound, this might lead to asymmetrical routing, which is better to stay away from.
Go with HSRP.
3. Based on the example we discussed here and above, yes, the outside IP of the router, and in the router you will NAT it to the outside IP of the ASA.
4. Yes
good luck
and thanks for the rating
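Putting Marwan's two answers on inbound traffic together, here is what the inbound side looks like when the Exchange server sits on the ASA's DMZ interface: static PAT on the router for the exposed ports, a route on the router to the DMZ, NAT exemption (nat 0) on the ASA so the server keeps its real address, and the VPN ports for the ASA's outside interface. This is an added example, not a configuration from the thread or from Cisco. Addresses are constructed: DMZ 192.168.2.0/24 with Exchange at 192.168.2.10, ASA outside 10.1.1.10 (the value Marwan used), Router1 on ISP1 at 200.1.1.1; the ASA commands are in the pre-8.3 syntax current in 2009. Because the published address belongs to ISP1, all of these entries live on Router1 only, and inbound mail and VPN stop working while ISP1 is down, which is exactly the limitation Jon described.

```cisco
! ===== Router1 (ISP1, 200.1.1.1): inbound services published on the ISP1 address =====
! The router must know that the DMZ network sits behind the ASA's outside address.
ip route 192.168.2.0 255.255.255.0 10.1.1.10
!
! Static PAT: only the ports the Exchange server actually needs are exposed.
! 192.168.2.10 is the server's real DMZ address (constructed); the ASA does not translate it.
ip nat inside source static tcp 192.168.2.10 25  interface FastEthernet0/0 25
ip nat inside source static tcp 192.168.2.10 443 interface FastEthernet0/0 443
!
! Remote-access IPsec VPN terminating on the ASA outside interface (10.1.1.10):
! IKE (UDP 500), NAT-T (UDP 4500, missing from the earlier snippet) and ESP.
ip nat inside source static udp 10.1.1.10 500  interface FastEthernet0/0 500
ip nat inside source static udp 10.1.1.10 4500 interface FastEthernet0/0 4500
ip nat inside source static esp 10.1.1.10 interface FastEthernet0/0
!
! The overload entry for outbound browsing coexists with the static entries above.
! Add the untranslated DMZ range to the overload ACL that already covers 10.1.1.0/24.
access-list 100 permit ip 192.168.2.0 0.0.0.255 any

! ===== ASA (active/standby pair, pre-8.3 syntax) =====
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.1.1.10 255.255.255.0 standby 10.1.1.11
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0 standby 192.168.2.2
!
! Default route to the HSRP virtual address, so whichever 1841 is active carries outbound traffic.
route outside 0.0.0.0 0.0.0.0 10.1.1.1
!
! NAT exemption for the Exchange server: it keeps its real address towards the routers,
! which is the address the router's static PAT entries point at.
access-list DMZ_NONAT extended permit ip host 192.168.2.10 any
nat (dmz) 0 access-list DMZ_NONAT
!
! Only SMTP and HTTPS from the Internet reach the server; the ASA drops everything else.
access-list OUTSIDE_IN extended permit tcp any host 192.168.2.10 eq smtp
access-list OUTSIDE_IN extended permit tcp any host 192.168.2.10 eq https
access-group OUTSIDE_IN in interface outside
```

VPN clients and the public MX/A records point at 200.1.1.1, the Router1 outside address. Replies from the Exchange server follow the ASA default route to the HSRP virtual address, so the flow stays symmetric as long as Router1 holds the HSRP group; in the short window where Router2 is active while ISP1 is still up (for example before preempt takes effect), replies leave via Router2 and the sessions that Router1's NAT table is holding break. That is the asymmetric-routing problem Marwan warns about, and one more reason to keep the routers in HSRP rather than GLBP.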
12-31-2009 04:56 AM
Hello Marwan!
Just an additional question: my Exchange resides on the DMZ interface of the ASA, any advice here also?
Thanks