Community Member

Inbound connections with dual ISP's

Any ideas...

I've read the doc about dual ISP connections (outbound): http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Taken from the above document: "As described in this document, this setup may not be suitable for inbound access to resources behind the security appliance. Advanced networking skills are required to achieve seamless inbound connections. These skills are not covered in this document."

So the question is: Where is the documentation for inbound connections?

...but in the meantime, without the doc, I'm thinking this could be done with a second NAT statement, an additional ACL and an additional IP address on the server in question.

Something like:

interface Ethernet0
 nameif outside
 security-level 0
 ip address *1st ISP Public IP*

interface Ethernet1
 nameif backup
 security-level 0
 ip address *2nd ISP Public IP*

global (outside) 1 interface
global (backup) 1 interface

route outside 0.0.0.0 0.0.0.0 *1st ISP Gateway* 1 track 1
route backup 0.0.0.0 0.0.0.0 *2nd ISP Gateway* 254

sla monitor 151
 type echo protocol ipIcmpEcho *object to ping* interface outside
 num-packets 3
 frequency 10
sla monitor schedule 151 life forever start-time now

track 1 rtr 151 reachability

static (inside,outside) *1st ISP Public IP* 192.168.1.1 netmask 255.255.255.255
static (inside,outside) *2nd ISP Public IP* 192.168.1.2 netmask 255.255.255.255

access-list inbound line 1 extended permit tcp any host *1st ISP Public IP* eq *port*
access-list inbound line 2 extended permit tcp any host *2nd ISP Public IP* eq *port*

Any thoughts?

Thanks

--Mark

1 ACCEPTED SOLUTION

Green

Re: Inbound connections with dual ISP's

Looks like that should work...a few mistakes though...

static (inside,backup) *2nd ISP Public IP* 192.168.1.2 netmask 255.255.255.255
access-list inbound_backup extended permit tcp any host *2nd ISP Public IP* eq *port*
access-group inbound_backup in interface backup
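
An offline check for the mistake corrected in the accepted answer, added here as an illustration (it is not code from the thread or from Cisco): it parses the static, access-list and access-group statements used in this thread and flags any static whose mapped address is outside the subnet of the interface it names, or that has no permit in an ACL applied inbound on that interface. The addresses, port 443 and the names lint, BASE, DRAFT and FIXED are assumptions made for the example.

```python
import ipaddress

# Constructed sample: 203.0.113.0/24 stands in for the 1st ISP, 198.51.100.0/24 for the 2nd.
BASE = """\
interface Ethernet0
 nameif outside
 ip address 203.0.113.2 255.255.255.0
interface Ethernet1
 nameif backup
 ip address 198.51.100.2 255.255.255.0
static (inside,outside) 203.0.113.10 192.168.1.1 netmask 255.255.255.255
access-list inbound extended permit tcp any host 203.0.113.10 eq 443
access-group inbound in interface outside
"""
DRAFT = BASE + """\
static (inside,outside) 198.51.100.10 192.168.1.2 netmask 255.255.255.255
access-list inbound extended permit tcp any host 198.51.100.10 eq 443
"""
FIXED = BASE + """\
static (inside,backup) 198.51.100.10 192.168.1.2 netmask 255.255.255.255
access-list inbound_backup extended permit tcp any host 198.51.100.10 eq 443
access-group inbound_backup in interface backup
"""

def lint(config):
    """Return findings for statics whose mapped interface cannot accept the traffic."""
    nets, acl_hosts, bound, statics, nameif = {}, {}, {}, [], None
    for line in config.splitlines():
        w = line.split() or [""]
        if w[0] in ("interface", "nameif"):
            nameif = w[1] if w[0] == "nameif" else None
        elif w[:2] == ["ip", "address"] and nameif:
            nets[nameif] = ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False)
        elif w[0] == "static":  # static (real_if,mapped_if) mapped_ip real_ip ...
            statics.append((w[1].strip("()").split(",")[1], w[2]))
        elif w[0] == "access-list" and "permit" in w:
            hosts = [b for a, b in zip(w, w[1:]) if a == "host"]
            acl_hosts.setdefault(w[1], set()).update(hosts[-1:])  # last host = destination
        elif w[0] == "access-group" and w[2:4] == ["in", "interface"]:
            bound[w[4]] = w[1]
    findings = []
    for mapped_if, ip in statics:
        if mapped_if not in nets or ipaddress.ip_address(ip) not in nets[mapped_if]:
            findings.append(f"{ip}: not in the subnet of interface '{mapped_if}'")
        elif ip not in acl_hosts.get(bound.get(mapped_if), set()):
            findings.append(f"{ip}: no permit in an ACL applied inbound on '{mapped_if}'")
    return findings

if __name__ == "__main__":
    print(lint(DRAFT), lint(FIXED))
```
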

Community Member

Re: Inbound connections with dual ISP's

Great! Thanks for the confirmation and for pointing out my errors :o)

Will try this out at the weekend.

Oh, and before anyone mentions access-groups:

access-group inbound in interface outside
access-group inbound_backup in interface backup

;o)

Green

Re: Inbound connections with dual ISP's

Good luck, be sure to let us know if it works out.

Community Member

Re: Inbound connections with dual ISP's

Will do!

Green

Re: Inbound connections with dual ISP's

Who rated that a 1 and why? Care to explain?

Community Member

Re: Inbound connections with dual ISP's

Anyone!!

Since I rated and ticked resolved my issue after acomiskey's 1st answer, I think it's unfair for someone to devalue my points!
