Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
315
Views
0
Helpful
3
Replies

Two ISPs to Cisco 2621 with backend f/w

hambyg
Level 1
Level 1

‎12-02-2008 01:52 PM - edited ‎03-04-2019 12:34 AM

Greetings all. I had a question on a design and would appreciate some thoughts. The customer has a Cisco 2621 with one ISP link via frame relay. Behind this is an existing firewall (not Cisco) that has an address on the ISP1 segment. The customer is getting a second ISP connection to the 2621 with an Ethernet handoff. So the config will look like:

ISP2 (Eth)-> 2621 <-(F/R) ISP1

|

F/W (ISP1 addr)

|

users

I'd like to setup the 2621 for failover - probably using object tagging - so that ISP2 takes over when ISP1 goes down. However, I'm thinking I'd need to NAT everything going to ISP2 so that the return traffic actually makes it back otherwise traffic sent using the existing ISP1 address of the firewall will not return, correct?

Does this sound plausible?

The other option would be to connect ISP2 straight to the firewall but I'm not sure they can spare their DMZ interface for this purpose.

Thanks in advance for an comments.

Labels:
0 Helpful
3 Replies 3

Harold Ritter
Cisco Employee
Cisco Employee

‎12-02-2008 02:56 PM

Gregg,

You are correct in saying that using ISP1 address while sending ISP2 as a backup will not work. NATing using ISP1 or ISP2 address sounds like a reasonable way to address this issue.

Regards

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
0 Helpful

hambyg
Level 1
Level 1
In response to Harold Ritter

‎12-02-2008 05:52 PM

Thanks for the reply. I'm hoping this will work so we don't have to do major reconfigurations on the firewall or change addresses.

Just out of curiosity, have you seen any documents/examples that speak to the SMB case of a single router or firewall with two ISPs? I've seen docs covering the ASA/PIX but they are failover only - no load balancing. I also found a Small Branch note on two IPSec tunnels via two broadband connections and they note that a split tunnel will require PNat but that config involves four Cisco devices, EIGRP, etc, etc.

I can't believe that this is not a very common scenario these days - small customer with two inexpensive ISP links who wants to get the most out of both?

Thanks again.

0 Helpful

hambyg
Level 1
Level 1
In response to Harold Ritter

‎12-03-2008 02:28 PM

Hello again. I'm still working on this config and at the moment am wondering how to get all my inside IP addresses xlated to the secondary ISPs address? I had assumed an "ip nat inside" command on the ethernet port connecting to the second ISP would do the trick but it doesn't seem to be working.

On the router, the interface connecting to my 2nd ISP has the ip nat inside command.

I then added the ip nat inside source static interface fastethernet 0/1 command and can see that I get a translation for my laptop's inside address to the outside IP of my 2nd ISP. Is that all I need for this to work? I see nothing on the Outside local <-> Outside Global side as I thought I didn't need outside NAT in this case?

Thoughts anyone?

Thanks for your help.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card