

Use one ISP for outbound internet and second ISP for inbound access to servers

Document

Mon, 11/30/2009 - 11:41
Nov 27th, 2009

This is a sample configuration for a setup with two ISPs, where the first ISP carries outbound internet access for hosts on your inside network and the second ISP is used by people on the internet to reach your servers.

[Figure: dual_isp.JPG]
! Primary ISP link (ISP A): used for outbound traffic from the inside network
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
! Second ISP link (ISP B): used for inbound access to the DMZ server
interface Ethernet0/1
 nameif backup
 security-level 0
 ip address 2.2.2.1 255.255.255.0
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/3
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! Outbound: inside hosts are PATed to the outside interface address
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
! Inbound: the DMZ server 172.16.1.2 is reachable as 2.2.2.4 on the backup link
static (dmz,backup) 2.2.2.4 172.16.1.2 netmask 255.255.255.255
!
! Two default routes; only the metric-1 route via ISP A is installed in the routing table
route outside 0.0.0.0 0.0.0.0 1.1.1.3 1
route backup 0.0.0.0 0.0.0.0 2.2.2.2 2

csco10716389 Fri, 11/27/2009 - 22:20

Tanveer,

It is possible to put a specific route rather than a default for both the routes.

NAT is OK for (Inside,Outside) and (DMZ,Backup)... you have to add a specific route for accessing the backup link from the DMZ or on the firewall... thanks

Tanveer Deewan Sat, 11/28/2009 - 06:59

We don't need and can't have a specific route as the source of inbound traffic can be anyone on the internet. The configuration is tested and it works fine. This is not my question but more of a sample configuration for anyone to use.

manfernandez Sun, 11/29/2009 - 07:20

Tanveer,

Wouldn't this load balance across both those equal-cost routes? You would need some sort of PBR, which I believe is not available (https://supportforums.cisco.com/docs/DOC-6069;jsessionid=8271C313440757D113FACC1737C6CABE.node0 ), else the packet would have issues on the other end because the remote firewall would send a SYN to ISP B's NATed address and, when the server responds, it will be through ISP A's IP, hence on the remote end it would look like an out-of-state packet and would be dropped.

I could be wrong though.

Tanveer Deewan Mon, 11/30/2009 - 11:41

route outside 0.0.0.0 0.0.0.0 1.1.1.3 1
route backup 0.0.0.0 0.0.0.0 2.2.2.2 2


The backup route has a higher metric, so it will not show in the routing table. However, it does exist in the 'topology table' in the ASA. Use 'sh asp table routing' to verify that.

When the SYN packet from a client on the internet hits the 'backup' interface of the ASA, it forwards that to the server in the DMZ and builds a state/connection table entry for it. The return SYN-ACK packet from the server is routed based on the existing connection. This is when the 'backup' route with the higher metric comes into play and the ASA forwards the packet to the 2.2.2.2 device.

In short, this will only work for connections that are initiated from Internet destined to the backup interface subnet.
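The connection-based return routing described in this reply, and the sample configuration at the top of the document, can be illustrated with a small model. The Python below is an added example, not Cisco code and not part of the original thread. It uses the addresses from the config, a constructed internet client 203.0.113.10, and a simplified ASA that has four interfaces, the two default routes, the one static NAT and a connection table; it omits the inbound access-list and the outbound PAT that a real ASA would also apply. The `stateful=False` path is the plain best-metric lookup (the asymmetric-routing concern raised earlier in the thread); the `stateful=True` path sends a reply back out the interface on which the connection was built, using the higher-metric route on that interface.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool      # True for the initial SYN that creates a connection
    ingress: str   # interface the packet arrived on


@dataclass(frozen=True)
class Route:
    iface: str
    next_hop: str
    metric: int


class DualIspAsa:
    """Simplified model (not Cisco code) of the thread's ASA: four interfaces,
    two default routes with different metrics, one static NAT, a connection table."""

    def __init__(self):
        self.connected = {
            "outside": ip_network("1.1.1.0/24"),
            "backup": ip_network("2.2.2.0/24"),
            "inside": ip_network("192.168.1.0/24"),
            "dmz": ip_network("172.16.1.0/24"),
        }
        # route outside 0.0.0.0 0.0.0.0 1.1.1.3 1
        # route backup  0.0.0.0 0.0.0.0 2.2.2.2 2
        self.defaults = [Route("outside", "1.1.1.3", 1), Route("backup", "2.2.2.2", 2)]
        # static (dmz,backup) 2.2.2.4 172.16.1.2 : mapped address -> real address
        self.static_nat = {"2.2.2.4": "172.16.1.2"}
        # connection table: (src, dst, sport, dport) in real addresses -> ingress interface
        self.conns = {}

    def best_route(self, dst):
        """Stateless lookup: a connected subnet wins, otherwise the lowest-metric
        default route. Only this default route appears in the routing table."""
        for iface, net in self.connected.items():
            if ip_address(dst) in net:
                return Route(iface, dst, 0)
        return min(self.defaults, key=lambda r: r.metric)

    def route_on_iface(self, iface, dst):
        """Route toward dst that leaves via a given interface, including the
        higher-metric default that the plain lookup never picks."""
        if ip_address(dst) in self.connected[iface]:
            return Route(iface, dst, 0)
        for r in self.defaults:
            if r.iface == iface:
                return r
        raise LookupError(f"no route to {dst} via {iface}")

    def real_dst(self, pkt):
        """Undo the static NAT for packets arriving on the backup interface."""
        if pkt.ingress == "backup":
            return self.static_nat.get(pkt.dst, pkt.dst)
        return pkt.dst

    def forward(self, pkt, stateful=True):
        """Return (egress interface, next hop) for one packet.

        stateful=True:  a packet matching an existing connection in the reverse
                        direction goes back out the interface that connection
                        was built on, whatever the routing table says.
        stateful=False: every packet is routed by best_route() alone, so the
                        server's SYN-ACK would leave via ISP A (asymmetric).
        """
        dst = self.real_dst(pkt)
        key = (pkt.src, dst, pkt.sport, pkt.dport)
        reverse = (dst, pkt.src, pkt.dport, pkt.sport)
        if stateful and reverse in self.conns:
            r = self.route_on_iface(self.conns[reverse], dst)
            return r.iface, r.next_hop
        if pkt.syn and key not in self.conns:
            self.conns[key] = pkt.ingress    # build the state/connection entry
        r = self.best_route(dst)
        return r.iface, r.next_hop


def demo():
    """Walk the inbound connection from the thread plus one outbound flow."""
    fw = DualIspAsa()
    # constructed client 203.0.113.10 (documentation range) -> server's mapped address
    syn = Packet("203.0.113.10", "2.2.2.4", 40000, 80, True, "backup")
    syn_ack = Packet("172.16.1.2", "203.0.113.10", 80, 40000, False, "dmz")
    outbound = Packet("192.168.1.10", "198.51.100.5", 50000, 443, True, "inside")
    return {
        "syn_in": fw.forward(syn),                        # ('dmz', '172.16.1.2')
        "syn_ack_stateful": fw.forward(syn_ack),          # ('backup', '2.2.2.2')
        "syn_ack_stateless": fw.forward(syn_ack, False),  # ('outside', '1.1.1.3')
        "outbound": fw.forward(outbound),                 # ('outside', '1.1.1.3')
    }


if __name__ == "__main__":
    for name, (iface, next_hop) in demo().items():
        print(f"{name:18} -> {iface} via {next_hop}")
```

Running it prints the four decisions: the inbound SYN is delivered to the DMZ server, the stateful SYN-ACK leaves via backup toward 2.2.2.2 even though that route has the higher metric, the stateless SYN-ACK would leave via outside toward 1.1.1.3 (the out-of-state packet the earlier reply worried about), and an inside-initiated connection takes the outside route. One thing the model deliberately leaves out: on a real ASA, a connection arriving on the security-level-0 backup interface toward the DMZ still has to be permitted by an access-list applied to that interface, so verify that in addition to the NAT and the 'sh asp table routing' check.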
