Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
584
Views
0
Helpful
3
Replies

Help with two ISP and internal public server access

Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎01-07-2010 04:37 PM - edited ‎03-06-2019 09:12 AM

Hi,

I think this is a simple question but I cannot get it to work.

I have a Router that has two Internet connections (two ISPs).

So, I have it configured to use one ISP as primary and the other as a backup.

I have this configuration:

ip route 0.0.0.0 0.0.0.0 FIRST_ISP 10 track 100
ip route 0.0.0.0 0.0.0.0 SECOND_ISP 30 track 300

I have the users getting out to the Internet as well via both ISPs:

ip nat inside source route-map METRO interface GigabitEthernet0/1 overload
ip nat inside source route-map SHDSL interface GigabitEthernet0/0.11 overload

route-map SHDSL permit 10
match ip address ACL_SHDSL
match interface GigabitEthernet0/0.11

route-map METRO permit 10
match ip address ACL_METRO
match interface GigabitEthernet0/1

Extended IP access list ACL_SHDSL
    10 permit ip 192.168.1.0 0.0.0.255 any (570286 matches)
    20 permit ip 192.168.2.0 0.0.0.255 any (1528684 matches)
    30 permit ip 192.168.3.0 0.0.0.255 any (655 matches)

Extended IP access list ACL_METRO
    20 permit ip 192.168.1.0 0.0.0.255 any (293732 matches)
    30 permit ip 192.168.2.0 0.0.0.255 any (1110951 matches)
    40 permit ip 192.168.3.0 0.0.0.255 any (467 matches)

Then, I have public servers, which I have static NAT rules for them to be accessed via both links and also get out:

ip nat inside source static 192.168.2.175 201.195.91.50
ip nat inside source static 192.168.2.177 201.195.91.51
ip nat inside source static 192.168.2.178 201.195.91.52
ip nat inside source static 192.168.2.179 201.195.91.53

ip nat inside source static 192.168.2.75 201.195.231.150 route-map METRO_75
ip nat inside source static 192.168.2.77 201.195.231.151 route-map METRO_77
ip nat inside source static 192.168.2.78 201.195.231.152 route-map METRO_78
ip nat inside source static 192.168.2.79 201.195.231.153 route-map METRO_79

route-map METRO_79 permit 10
match ip address ACL_METRO_79
match interface GigabitEthernet0/1
route-map METRO_78 permit 10
match ip address ACL_METRO_78
match interface GigabitEthernet0/1
route-map METRO_75 permit 10
match ip address ACL_METRO_75
match interface GigabitEthernet0/1
route-map METRO_77 permit 10
match ip address ACL_METRO_77
match interface GigabitEthernet0/1

IT_2821_Primario#sh access-l ACL_METRO_79
Extended IP access list ACL_METRO_79
    10 deny ip host 192.168.2.79 192.168.32.0 0.0.0.255
    20 permit ip host 192.168.2.79 any (89966 matches)
IT_2821_Primario#sh access-l ACL_METRO_78
Extended IP access list ACL_METRO_78
    10 deny ip host 192.168.2.78 192.168.32.0 0.0.0.255
    20 permit ip host 192.168.2.78 any (885581 matches)
IT_2821_Primario#sh access-l ACL_METRO_77
Extended IP access list ACL_METRO_77
    10 deny ip host 192.168.2.77 192.168.32.0 0.0.0.255
    20 permit ip host 192.168.2.77 any
IT_2821_Primario#sh access-l ACL_METRO_75
Extended IP access list ACL_METRO_75
    10 deny ip host 192.168.2.75 192.168.32.0 0.0.0.255
    20 permit ip host 192.168.2.75 any (139666 matches)

I have only 4 servers (.75 is .175, .77 is .177 and so on), so that every server can have an IP assigned from both ISPs.

The problem that I'm having is that I want the server to be accesible from any of the two Internet connections (DNS is replicated to both public IPs), but the servers get out to the Internet getting PAT'ed to the outside IP address of the Router.

Let's take for example server 192.168.2.79

When someone try to reach this server, it will use any IP 201.192.91.53 or 201.195.231.153

But when the server gets out to the Internet, it gets translated as part of the inside computers to the outside IP of the router.

Is this causing the problem?  How do I let the servers to be reachable from both links and make them response through the appropiate link as well?

Please help!

Thank you!

Federico.

Labels:
0 Helpful
3 Replies 3

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎01-08-2010 02:33 AM

Duplicated post

let's go on in the other thread where Reza has answered

Best Regards

Giuseppe

0 Helpful

Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to Giuseppe Larosa

‎01-08-2010 04:32 AM

Yes, I tried opening this thread to explain the situation a little bit better.

I've just answered the other post, to see if someone can help me with this problem.

Thank you.

0 Helpful

Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to Federico Coto Fajardo

‎01-13-2010 12:32 PM

I am posting again in the other threat. Please help!

Thank  you,

Federico.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card