Multi-homed internet connection

Unanswered Question
Jan 19th, 2010
I have the following components: ISA Server, two standalone PIX firewalls, and two internet routers (800 series).


Currently only one router is being used for internet access.

We now have a second internet DSL connection and want to use one connection exclusively for business-critical applications; the other connection will be used for general internet browsing. The "problem" is that all clients use the ISA server as gateway. Normally I would implement something like a route-map to set the next-hop...


Thanks in advance for any feedback.

Mohamed Sobair Tue, 01/19/2010 - 05:57
User Badges:
  • Gold, 750 points or more

Hi,


Does the third Internet connection terminate on the same router, or does it have a separate router?


I am assuming the default GW for the ISA is the Active pix and the Pix points to one of the routers.


The Security Appliance doesn't support PBR, and therefore PBR has to be implemented on the router that terminates both connections and uses the ADSL connection for the critical application.



HTH

Mohamed

vergeerf Sat, 01/23/2010 - 02:19
>Does the third Internet connection terminate on the same router, or does it have a separate router?


A separate router (actually the second internet connection, not the third).


It's good to know that PBR is not supported on the PIX / ASA


Thanks for your input

vilaxmi Tue, 01/19/2010 - 06:41
User Badges:
  • Cisco Employee,

Hello,


I see that you need to use ONE ( DSL ) internet line for normal internet surfing (port 80 traffic) and another line for business critical applications.

First of all, I would like to inform you that you cannot use your second ISP ALONG with your primary ISP, as Cisco ASA cannot do Policy Based Routing. Please check:


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml#pbr



Now, since you need to send traffic for a FIXED port to one circuit, we have a workaround developed for such cases:



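! PAT all inside hosts to the interface address of whichever outside interface is used
nat (inside) 1 0 0
global (outside_1) 1 interface
global (outside_2) 1 interface
! Destination static: real interface outside_2, mapped interface inside,
! so TCP/80 (www) connections from inside egress via outside_2
static (outside_2,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0
! Next hop router's IP address for ISP_1
route outside_1 0 0 x.x.x.x
! Next hop router's IP address for ISP_2, with an administrative distance of 2
! (higher than the primary route)
route outside_2 0 0 y.y.y.y 2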


HTH


Vijaya
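
Why a static of this kind steers port-80 traffic, as an added example that is not part of the original thread: a simplified Python model of the appliance's egress-interface selection, assuming a destination static with real interface outside_2 and mapped interface inside. The class and function names are hypothetical; x.x.x.x and y.y.y.y are the thread's own placeholders.

```python
# Simplified model (an assumption of this example, not appliance source code):
# a static translation that matches the destination picks the egress interface
# first; the routing table picks it only when no translation matches.
from dataclasses import dataclass


@dataclass(frozen=True)
class Static:
    """static (real_if,mapped_if) tcp 0.0.0.0 <port> 0.0.0.0 <port> netmask 0.0.0.0"""
    real_if: str
    mapped_if: str
    port: int


@dataclass(frozen=True)
class Route:
    """route <ifname> 0 0 <next_hop> [metric]"""
    ifname: str
    next_hop: str
    metric: int = 1


def select_egress(in_if, dst_port, statics, routes):
    """Return (egress interface, next hop) for a new TCP connection."""
    for s in statics:
        if s.mapped_if == in_if and s.port == dst_port:
            # The translation fixes the interface; the next-hop lookup is then
            # limited to routes on that interface, hence the second default route.
            on_if = [r for r in routes if r.ifname == s.real_if]
            if not on_if:
                return (s.real_if, None)  # no route on that interface: dropped
            return (s.real_if, min(on_if, key=lambda r: r.metric).next_hop)
    # No translation matched: the lowest-metric default route decides.
    best = min(routes, key=lambda r: r.metric)
    return (best.ifname, best.next_hop)


# Constructed from the configuration in the post above.
STATICS = [Static(real_if="outside_2", mapped_if="inside", port=80)]
ROUTES = [Route("outside_1", "x.x.x.x", 1), Route("outside_2", "y.y.y.y", 2)]

if __name__ == "__main__":
    for port in (80, 443, 25):
        print(port, select_egress("inside", port, STATICS, ROUTES))
```

In this model only TCP/80 leaves through outside_2; HTTPS and every other port still follow the primary default route unless a static is added for that port as well.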

vergeerf Sat, 01/23/2010 - 02:20
Thanks for your input, I will try to set up a test environment before implementing this in production :-)

It's good to know that PBR is not supported on the PIX / ASA. Because I was thinking in this direction.
