Two ISPs to a single inside server on 2800 series router

Unanswered Question
Jan 13th, 2010
I would like to be able to use 2 ISPs to route inbound traffic to a single internal web server on a private IP. I'm using a 2800 series router with 2 ethernet ports. In the event that either ISP is down, this setup will allow for quick (and scriptable) failover via changes to public DNS.


example static IP address for ISP1: 173.x.x.226  (gateway address ending in .238)
example static IP address for ISP2: 69.x.x.196   (gateway address ending in .193)
example internal IP: 10.0.1.9
Here are some relevant parts of the running configuration:
/* I'm using static mappings like these:  */
ip nat inside source static tcp 10.0.1.9 80 173.x.x.226 80 extendable
ip nat inside source static tcp 10.0.1.9 81 69.x.x.196 80 extendable
/* two ethernet interfaces */
interface FastEthernet0/0
description FastEthernet to LAN
ip address 10.0.1.1 255.255.255.0
ip nat inside
ip route-cache flow
ip policy route-map isp-egress-map
no ip mroute-cache
load-interval 30
duplex auto
speed auto
no mop enabled

interface FastEthernet0/1
description FastEthernet to ISP1 and to ISP2
ip address 173.x.x.237 255.255.255.240 secondary
ip address 69.x.x.194 255.255.255.248
ip nat outside
ip route-cache flow
no ip mroute-cache
load-interval 30
duplex auto
speed auto
/* two default routes with the faster ISP using the lower metric:  */
ip route 0.0.0.0 0.0.0.0 69.x.x.193 10
ip route 0.0.0.0 0.0.0.0 173.x.x.238 11
/* an ACL */
access-list 196 permit ip host 10.0.1.9 any
route-map isp-egress-map permit 10
match ip address 196
set ip next-hop 69.x.x.196
--or-- (not both route-maps at once, since they share a common ACL)
route-map isp-egress-map permit 10
match ip address 196
set ip next-hop 173.x.x.238
This configuration works for only one of the ISPs, depending on which version of the above route-map I use. Since the internal server is always at 10.0.1.9, I'm not sure how to differentiate which ISP to route the outbound traffic to.  Clearly using the inside IP is not working since it's always the same.
I've tried applying a modified version of this route-map on the inbound interface fe0/1, and used the outside address rather than the private address to do my matching against. This appears to fail as well, probably since NATing happens before IP policy routing (according to Cisco's NAT order of operations on outside-to-inside traffic).
Any help will be appreciated.
-Nash
Marwan ALshawi Wed, 01/13/2010 - 21:03
What is the reason for having two redundant ISP links and configuring both of them under one interface?

It's better to configure them under two different interfaces.

Then you can have more controlled and redundant links.

See the link below; if you are going to configure two links, it will help you.

https://supportforums.cisco.com/docs/DOC-8313

Good luck.

If helpful, rate.

nashweber Wed, 01/13/2010 - 21:36
Thanks for the reply.  Shortly after my post, I gave up on my original approach and went with two different interfaces (like you've suggested).  In fact I didn't even need to run two interfaces, but rather just two different IPs (on different private subnets) to each server interface where I need redundant internet connections.  This also required adding a secondary address to the LAN interface on the Cisco and a few new static NAT entries.  With this setup, I've got plenty of flexibility on route-maps, and can set the next-hop based on the (now) unique internal IPs.


-Nash

ohassairi Wed, 01/13/2010 - 21:56
can you post the new working config

nashweber Wed, 01/13/2010 - 22:36
Sure, here's the relevant part of the config that I'm now using.  Bear in mind that this requires that the servers on the LAN answer to 2 different private IPs.  Just about any Linux / Unix / Windows box ought to be able to do this.  Each server (using the config below) must answer to an IP in the 10.0.1.x range as well as one in the 10.0.2.x range. The route-map called "isp-egress-map" will look at the source private address and force the outbound traffic to use the correct ISP for its next hop.



/* I'm using static mappings like these:  */
ip nat inside source static tcp 10.0.1.9 80 173.x.x.226 80 extendable
ip nat inside source static tcp 10.0.2.9 80 69.x.x.196 80 extendable
/* two ethernet interfaces */
interface FastEthernet0/0
description FastEthernet to LAN
ip address 10.0.1.1 255.255.255.0
ip address 10.0.2.1 255.255.255.0 secondary
ip nat inside
ip route-cache flow
ip policy route-map isp-egress-map
no ip mroute-cache
load-interval 30
duplex auto
speed auto
no mop enabled

interface FastEthernet0/1
description FastEthernet to ISP1 and to ISP2
ip address 173.x.x.237 255.255.255.240 secondary
ip address 69.x.x.194 255.255.255.248
ip nat outside
ip route-cache flow
no ip mroute-cache
load-interval 30
duplex auto
speed auto
/* two default routes with the faster ISP using the lower metric:  */
ip route 0.0.0.0 0.0.0.0 69.x.x.193 10
ip route 0.0.0.0 0.0.0.0 173.x.x.238 11
/* an ACL */
access-list 196 permit ip 10.0.2.0 0.0.0.255 any
access-list 197 permit ip 10.0.1.0 0.0.0.255 any
route-map isp-egress-map permit 10
match ip address 196
set ip next-hop 69.x.x.196
route-map isp-egress-map permit 10
match ip address 197
set ip next-hop 173.x.x.238
nashweber Wed, 01/13/2010 - 22:39

Found a typo in the second route-map stanza; it should look like this:


route-map isp-egress-map permit 20



-Nash
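As an added illustration (my own Python model, not IOS and not part of this thread), the code below evaluates the egress route-map the way IOS does: the first sequence whose ACL permits the source wins, otherwise the packet falls back to the default route with the lowest administrative distance. It uses the ACLs, sequence numbers and next-hop strings exactly as posted (the public addresses stay as the opaque "x.x" strings from the thread), and it shows why the original single-host ACL cannot separate the two ISPs while the corrected two-subnet version can.

```python
import ipaddress

# Constructed from the thread's configs. ACL entries are (network, wildcard mask).
ORIGINAL_ACLS = {196: [("10.0.1.9", "0.0.0.0")]}            # first post: one host ACL
ORIGINAL_MAP = [(10, 196, "69.x.x.196")]                     # only one stanza can exist
WORKING_ACLS = {196: [("10.0.2.0", "0.0.0.255")],            # working config
                197: [("10.0.1.0", "0.0.0.255")]}
WORKING_MAP = [(10, 196, "69.x.x.196"), (20, 197, "173.x.x.238")]  # after the typo fix
TYPO_MAP = [(10, 196, "69.x.x.196"), (10, 197, "173.x.x.238")]     # as first posted
DEFAULT_ROUTES = [("69.x.x.193", 10), ("173.x.x.238", 11)]  # (next hop, admin distance)


def acl_permits(entries, src):
    """IOS wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    ip = int(ipaddress.IPv4Address(src))
    for net, wildcard in entries:
        n = int(ipaddress.IPv4Address(net))
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if (ip & care) == (n & care):
            return True
    return False


def build_route_map(stanzas):
    """Return stanzas sorted by sequence number.

    Real IOS does not reject a repeated sequence number: re-entering
    'route-map X permit 10' edits the existing stanza, so the second
    match/set lines merge into sequence 10 instead of forming a new one.
    The model raises so that mistake is visible.
    """
    seen = set()
    for seq, _acl, _nh in stanzas:
        if seq in seen:
            raise ValueError(f"sequence {seq} already defined in this route-map")
        seen.add(seq)
    return sorted(stanzas)


def egress_next_hop(src, route_map, acls, defaults=DEFAULT_ROUTES):
    """First matching sequence sets the next hop; otherwise use the best default route."""
    for _seq, acl, next_hop in build_route_map(route_map):
        if acl_permits(acls[acl], src):
            return next_hop
    return min(defaults, key=lambda r: r[1])[0]
```

With the original config every flow from 10.0.1.9 gets the same next hop regardless of which ISP the request arrived on; with the corrected config the source subnet alone selects the ISP.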
