2 isp setup on edge router

Zaid Farooqui (Level 1)

Hi,

I have a scenario (as attached in the pic) where our internal networks 172.16.0.0/24 and 192.168.0.0/24 connect to router A.

inside network -- Router A -- outside (public routed IP pool from ISP 1) -- Router B -- ISP 1

Router A connects to router B, which has ISP 1 terminating its last mile. A public IP pool provided by ISP 1 resides between routers A and B.

This means that the ISP connects to our edge via a private cloud and has given us a public routed pool, which we use between routers A and B.

All VPN users dial in using the public IP set on router A, 202.x.x.1.

This setup works well for us: all internal networks access the internet via router A, which NATs the traffic as it leaves for router B, after which it is routed to ISP 1.

Now a secondary ISP is needed, which must also terminate on the edge router. This ISP, however, has given us only a single public IP address to use directly on our end, 125.x.x.1.

I have successfully established IP SLA failover with multihoming, using dual NATs / route maps, while using the secondary ISP on router A,

but the ISP 2 link needs to be on router B, as it is the internet edge router, and this is where my problem starts...

I have tried the following:

Inside traffic from router A (LAN-facing interfaces marked as inside) has a default route to router B; while exiting router A (from the interface facing router B, marked as outside) it gets NATed to 202.x.x.1 and goes through router B to ISP 1.

On router B, the interface facing router A is marked as inside and the interface facing ISP 2 is marked as outside. How do I NAT specific traffic (selected via ACL) originating from the internal networks 172.16.0.x and 192.168.0.x so that it is allowed to go through ISP 2?

I have successfully set up IP SLA between ISP 1 and 2, and the default routes are switched successfully, but I am unable to manipulate the NAT part.

Any help would be great... Wouldn't the traffic exiting router A (which is NATed to 202.x.x.1) reach router B with a source header of 202.x.x.1, which I then try to NAT again with ISP 2's public interface IP, i.e. 125.x.x.1?

Isn't there a way where I do not NAT anything exiting router A and instead control all NAT on router B? I'm just confused...

9 Replies

Marwan ALshawi (VIP Alumni)

Hi

From your description and the attached diagram I can see that all the required configuration needs to be done on the internet edge router, which is router B, for NATing to two different ISPs. You could also improve your internet routing by using reliable PBR (PBR with IP SLA), so for example you can keep using ISP 1 for VPN traffic and use ISP 2 for HTTP and FTP.

By using an ACL that matches IPsec and an ACL that matches HTTP and FTP in your PBR, the ISPs will work in failover mode in case one link goes down. But for VPN you do not need failover, as the range of public IPs is from ISP 1 only.

Anyway, all you need for NATing is a route map that matches the exit interface of each ISP/NAT.

Please refer to the link below, which will guide you step by step through configuring it:

https://supportforums.cisco.com/docs/DOC-8313

HTH

If helpful, rate.

Hi, thanks for the reply and the article, which I will surely follow.

There is one more thing. In my scenario we have

LAN 172.16.0.0/24 ------ router 1--------- router 2 ---- isp 1 & isp 2

The article is based on the LAN connecting to router 2 directly; however, in my scenario we connect to router 1, where we have a NAT command for traffic exiting from router 1 to router 2, controlled by an ACL that selects which IP addresses are allowed to be NATed.

When this traffic exits router 1 (NATed with the public IP of ISP 1) it enters router 2, from where there is a default route to the ISP 1 gateway (probably a router placed at their location).

Now my question is, should I do this (and if yes, can you please explain how):

instead of NATing traffic on router 1 (with the public IP of router 1), simply forward selected traffic out of router 1 (using an ACL on the exit interface) to router 2 with its original 172.16.0.0 header...

then on router 2 define a pool of public IPs (a single public IP address given by ISP 1) which I use to NAT traffic as it exits router 2's interface towards the ISP 1 gateway.

Here is my perception of how the config should look (need your help to see if it's correct):

Router 1

interface GigabitEthernet0/0
description *******USER VLAN 1
ip address 172.16.0.254 255.255.255.0
!
interface GigabitEthernet0/1
description *******SERVER VLAN 101
ip address 192.168.0.254 255.255.255.0
!
interface Vlan3   (access port mapped on fe0/0/3, router 1's exit interface towards the internet edge router)
description *******INTERNET ROUTER on fe0/0/3*********
ip address 202.x.x.97 255.255.255.240   (this public IP pool is given by ISP 1 and is routed behind their private cloud)
crypto map clientmap    (this interface also accepts VPN client connections via the Cisco IPsec VPN client)
ip access-group INTERNET-ACCESS out
!
ip route 0.0.0.0 0.0.0.0 202.x.x.98   (this is router 2's interface IP facing router 1)
!
ip access-list extended INTERNET-ACCESS      (this access list is applied outbound on router 1's exit interface)
permit ip host 172.16.0.1 any   (IP allowed to reach the internet)
!
end

Router 2

interface Vlan3    (interface connecting to router 1)
ip address 202.x.x.98 255.255.255.240
ip nat inside
ip policy route-map PBR
!
interface GigabitEthernet0/0        (last mile connectivity using the ISP's own private subnet)
description ****** ISP 1  ***********
ip address 192.168.79.110 255.255.255.252
ip nat outside
!
interface Vlan4              (last mile connectivity for ISP 2 using its public IP address)
description *********** ISP 2 *********
ip address 125.y.y.18 255.255.255.252
ip nat outside
!

Please see if I am following this correctly...

ip nat inside source route-map ISP1 interface gigabitethernet 0/0 overload
ip nat inside source route-map ISP2 interface vlan 4 overload
!
ip route 0.0.0.0 0.0.0.0 192.168.79.109 track 10
ip route 0.0.0.0 0.0.0.0 125.y.y.17 track 20
!
track 10 rtr 1 reachability
delay down 1 up 1
!
track 20 rtr 2 reachability
delay down 1 up 1
!
ip sla 1
icmp-echo 192.168.79.109
timeout 500
threshold 500
frequency 3
ip sla schedule 1 life forever start-time now
!
ip sla 2
icmp-echo 125.y.y.17
timeout 500
frequency 1
ip sla schedule 2 life forever start-time now
!
access-list 100 permit tcp 172.16.0.0 0.0.0.255 any eq telnet
access-list 100 permit tcp 172.16.0.0 0.0.0.255 any eq www
access-list 100 permit tcp 172.16.0.0 0.0.0.255 any eq 443
access-list 101 permit ip any any
!
route-map PBR permit 10
match ip address 100
set ip next-hop verify-availability 125.y.y.17 1 track 20
!
route-map PBR permit 30
match ip address 101
set ip next-hop verify-availability 192.168.79.109 2 track 10
!

Thanks for the help... Regards, Zaid

Hi Zaid

Your idea is better.

But as long as ISP 1 has provided you with a range of public IP addresses, why waste 2 IPs to connect R1 to R2?

You can simplify it and configure the interface between R1 and R2 with a private range, for example 10.1.1.1/30,

and keep all the control on R2 for PBR, NATing and ACLs.

Also you need to add a static NAT entry for the VPN access, to NAT from the public IP provided to remote VPN users to the private IP suggested above.

172.16.0.0 ---- R1--.1---10.1.1.0/30 --.2--R2----internet

NAT the VPN public IP to 10.1.1.1 on R2 so that the VPN works on R1.

In this case you can use the article I provided to configure the PBR and NATing.

Let me know if you are going to do it this way, and if yes, post your config before you apply it and I'll check it for you.

Good luck

Please rate the helpful posts.

That's a neat idea too...

I'm weak at NATing... how do I NAT on R2 so it brings the VPN traffic to R1?

ip nat inside source static 10.1.1.1 x.x.x.x

where x.x.x.x is the public IP you use for the VPN and 10.1.1.1 is the private IP address to be given to R1.

Make sure the VPN encapsulation uses ESP for transport.

The above will NAT everything from x.x.x.x to 10.1.1.1.

If you want only the VPN to be NATed, you can use the static PAT below:

ip nat inside source static esp 10.1.1.1 x.x.x.x

ip nat inside source static udp 10.1.1.1 500 x.x.x.x 500

HTH
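As an added example (not from the thread, and not the exact lines the reply above gives), here is the static PAT on R2 that publishes only the IPsec channels of R1, using the addressing from the suggestion above (R1 = 10.1.1.1, R2 = 10.1.1.2 on the 10.1.1.0/30 link) and 203.0.113.10 as an assumed placeholder for x.x.x.x. Two things a practitioner would want beyond the two lines above: a UDP/4500 entry, because the VPN client's IKE NAT discovery compares address hashes, notices that the responder sits behind a translation, and moves IKE and ESP to NAT-T on UDP/4500, so the plain ESP entry only serves peers that do not negotiate NAT-T; and the esp form of the static command, which in IOS takes the outside interface rather than a global address.

```cisco
! Added example (not from the thread): R2 passing remote-access IPsec through to
! R1, which terminates the crypto map.
! Assumed addressing: R1-R2 link 10.1.1.0/30 (R1 = .1, R2 = .2, as suggested in
! the reply above); 203.0.113.10/28 is a placeholder for the public VPN address.
!
interface GigabitEthernet0/0
 description link to R1 (VPN responder sits behind this)
 ip address 10.1.1.2 255.255.255.252
 ip nat inside
!
interface Vlan3
 description ISP1 public subnet; 203.0.113.10 is the address the clients dial
 ip address 203.0.113.10 255.255.255.240
 ip nat outside
!
! Only the IPsec control and data channels of R1 are published, nothing else.
! IKE: UDP/500.  NAT-T (IKE and UDP-encapsulated ESP): UDP/4500.
ip nat inside source static udp 10.1.1.1 500 203.0.113.10 500
ip nat inside source static udp 10.1.1.1 4500 203.0.113.10 4500
!
! Plain ESP for peers that do not negotiate NAT-T. The esp keyword takes the
! outside interface whose address is the global side of the translation.
ip nat inside source static esp 10.1.1.1 interface Vlan3
```

If an inbound ACL is applied on the outside interface, note that for outside-to-inside traffic IOS evaluates the ACL before the NAT translation, so the ACL must permit UDP/500, UDP/4500 and ESP to 203.0.113.10, not to 10.1.1.1. Verify with `show ip nat translations` (the three static entries must be listed) and `show crypto isakmp sa` on R1 after a client connects; with NAT-T in use the client's peer port will show as 4500.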

Hi Marwan,

Sorry for the late reply, I was on vacation... now I'm back to finish the work.

I am posting the config for my 2 routers for you to check.

Router 1 is a Cisco 2911 (firewall) and router 2 is also a Cisco 2911 (internet edge router)

(we call it the firewall as it will be replaced with an ASA in future).

User LAN 172.16.0.0/24 & Server Farm 192.168.0.0/24------(ROUTER1)---172.16.200.8/30---(ROUTER2)------ ISP1 202.163.x.x & ISP2 202.141.y.y

I had to use an outbound ACL group on router 1's interface connecting to router 2, as I have to select specified IPs from the 172.16.0.0 and 192.168.0.0 subnets which are allowed to reach the internet edge router.

Then on router 2 I use destination-based PBR to divert traffic.

Can you please check if I have messed up something?

ROUTER1 FIREWALL

## User for VPN

username zaid privilege 0 secret 5 $1$2LV1$6xcxxcxcdcdcdc
!
## VPN configuration

crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnclient
key cisco12345
dns 192.168.0.100 192.168.0.101
pool ippool
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
## Interface connecting to the user LAN

interface GigabitEthernet0/0
description *******CORE SWITCH USER VLAN 1 - SUBNET *********
ip address 172.16.0.254 255.255.255.0
ip helper-address 192.168.0.100
ip helper-address 192.168.0.101
ip directed-broadcast
ip nbar protocol-discovery
ip flow ingress
ip virtual-reassembly
duplex auto
speed auto
!
## Interface connecting to the server farm

interface GigabitEthernet0/1
description *******CORE SWITCH SERVER VLAN 101 - SUBNET *********
ip address 192.168.0.254 255.255.255.0
ip directed-broadcast
ip nbar protocol-discovery
ip flow ingress
ip virtual-reassembly
duplex auto
speed auto
!
## Interface connecting to the internet edge router; also the interface accepting VPN traffic
## An outbound ACL controls which internal traffic is allowed to go to the internet router (e.g. proxy servers, mail servers, etc.)

interface GigabitEthernet0/2
description ******* FIREWALL TO INTERNET EDGE - Private SUBNET *********
ip address 172.16.200.9 255.255.255.252
duplex auto
speed auto
crypto map clientmap
ip access-group INTERNET-ACCESS out
!
interface FastEthernet0/0/0
switchport access vlan 2
!
## Interface connecting to the MPLS edge router for branches

interface Vlan2
description *******DATA ROUTER - SUBNET fe0/0/0 *********
ip address 172.16.200.1 255.255.255.248
ip nbar protocol-discovery
ip flow ingress
!
## IP pool for VPN clients

ip local pool ippool 172.16.100.10 172.16.100.50
!
## Default route to the internet edge router

ip route 0.0.0.0 0.0.0.0 172.16.200.10
!
## Branch routes to the MPLS edge router

ip route 172.16.10.0 255.255.255.0 172.16.200.2
ip route 172.16.11.0 255.255.255.0 172.16.200.2
ip route 172.16.12.0 255.255.255.0 172.16.200.2
ip route 172.16.13.0 255.255.255.0 172.16.200.2
ip route 172.16.14.0 255.255.255.0 172.16.200.2
ip route 172.16.15.0 255.255.255.0 172.16.200.2
ip route 172.16.16.0 255.255.255.0 172.16.200.2
ip route 172.16.150.0 255.255.255.0 172.16.200.2
!
## Access list controlling which traffic goes to the internet edge router via the Gi0/2 interface

ip access-list extended INTERNET-ACCESS
permit ip host 192.168.0.2 any
permit ip host 192.168.0.10 any
permit tcp host 192.168.0.51 any eq 993
permit tcp host 192.168.0.51 any eq 995
permit tcp host 192.168.0.51 any eq 465
permit tcp 172.16.0.0 0.0.0.255 any eq 993
permit tcp 172.16.0.0 0.0.0.255 any eq 995
permit tcp 172.16.0.0 0.0.0.255 any eq 465
permit ip 172.16.0.0 0.0.0.255 host 202.12.1.45
permit tcp 172.16.0.0 0.0.0.255 host 124.29.245.51 eq 7795
permit ip host 172.16.0.86 any

END

INTERNET EDGE ROUTER

## Interface connecting to the FIREWALL, set as NAT inside
## PBR is also applied on this interface

interface GigabitEthernet0/0
description ********** FIREWALL SUBNET ***********
ip address 172.16.200.10 255.255.255.252
ip nat inside
duplex auto
speed auto
ip policy route-map PBR
!
## Interface connecting to the ISP 1 fiber media converter, with their private IP address

interface GigabitEthernet0/1
description ********** CYBERNET - SUBNET ***********
ip address 192.168.79.110 255.255.255.252
ip nbar protocol-discovery
ip flow ingress
duplex auto
speed auto
ip nat outside
!
interface FastEthernet0/0/2
switchport access vlan 3
!
interface FastEthernet0/0/3
switchport access vlan 4
!
## Interface with the ISP 1 public IP address (routed pool behind the private last mile)
## Users also use this IP address to dial in VPN via the Cisco IPsec VPN client

interface Vlan3
description ********** CYBERNET - Public SUBNET ***********
ip address 202.163.x.x 255.255.255.240
ip nbar protocol-discovery
ip flow ingress
ip nat outside
!
## Interface with the ISP 2 public IP address

interface Vlan4
description ********** MULTINET - Public SUBNET ***********
ip address 202.141.y.y 255.255.255.252
ip nbar protocol-discovery
ip flow ingress
ip nat outside
!
## Default routes with tracking, as per the doc

ip route 0.0.0.0 0.0.0.0 192.168.79.109 track 10
ip route 0.0.0.0 0.0.0.0 202.141.y.z track 20
!
## Routes to the internal user LAN and server farm via router 1

ip route 192.168.0.0 255.255.255.0 172.16.200.9
ip route 172.16.0.0 255.255.255.0 172.16.200.9
!
## IP SLA config as per the doc

ip sla 1
icmp-echo 192.168.79.109
timeout 500
frequency 1
ip sla schedule 1 life forever start-time now
!
ip sla 2
icmp-echo 202.141.y.z
timeout 500
frequency 1
ip sla schedule 2 life forever start-time now
!
## track 10 follows the ISP 1 probe (ip sla 1), track 20 follows the ISP 2 probe (ip sla 2)

track 10 rtr 1 reachability
delay down 1 up 1
!
track 20 rtr 2 reachability
delay down 1 up 1
!
## ACL 10 selects all traffic forwarded from router 1 with a 172.16.200.0/24 header

access-list 10 permit 172.16.200.0 0.0.0.255
!
## ACL CYB for all traffic coming from the FIREWALL (router 1)

ip access-list extended CYB
permit ip host 172.16.200.9 any
!
## ACL MUL for TCP 993, 995, 465 and host 202.163.1.2 coming from the FIREWALL (router 1)

ip access-list extended MUL
permit tcp host 172.16.200.9 any eq 993
permit tcp host 172.16.200.9 any eq 995
permit tcp host 172.16.200.9 any eq 465
permit ip host 172.16.200.9 host 202.163.1.2
!
## Policy routing: FIRST checks ACL MUL and for all matching traffic sets the next hop to ISP 2 (availability verified with the ISP 2 track)

route-map PBR permit 10
match ip address MUL
set ip next-hop verify-availability 202.141.y.z 2 track 20
!
## Policy routing: SECOND checks ACL CYB and for all remaining traffic sets the next hop to ISP 1 (availability verified with the ISP 1 track)

route-map PBR permit 30
match ip address CYB
set ip next-hop verify-availability 192.168.79.109 1 track 10
!
## Route-map controlling the ISP 1 NAT, which matches ACL 10

route-map CYB permit 10
match ip address 10
match interface vlan3
!
## Route-map controlling the ISP 2 NAT, which matches ACL 10

route-map MUL permit 10
match ip address 10
match interface vlan4
!
## NAT commands for both ISPs

ip nat inside source route-map CYB interface vlan 3 overload
ip nat inside source route-map MUL interface vlan 4 overload
!
## Static NAT / PAT for VPN traffic, forwarded to 172.16.200.9 (router 1's Gi0/2 interface), which accepts VPN traffic

ip nat inside source static esp 172.16.200.9 202.163.x.x
ip nat inside source static udp 172.16.200.9 500 202.163.x.x 500
!
## Static NAT / PAT for Exchange traffic

ip nat inside source static tcp 192.168.0.103 25 202.163.x.9x 25
ip nat inside source static tcp 192.168.0.103 443 202.163.x.9x 443


Hi Zaid

Welcome back, and good luck with your changes.

About your config, it looks OK; however, I have a couple of notes.

1- You seem to be using interfaces VLAN 3 and 4 for outside connectivity and NATing, so why is your default route here using the interface with the private IP?

ip route 0.0.0.0 0.0.0.0 192.168.79.109 track 10

And the interface with the private IP is not the one used in the NAT route-maps, nor is it set as ip nat outside. Check this point.

With the PBR config below

route-map PBR permit 30

match ip address CYB

set ip next-hop verify-availability 192.168.79.109 1 track 10

your traffic sourced from R1, which includes the VPN, will go to the private-IP ISP link and no NATing will happen! Is this what you want?

2- Just update this line:
ip nat inside source static esp 172.16.200.9 202.163.104.97

So the above public IP, which users will use for VPN access, is through a different ISP I assume, but the PBR will send the traffic back from R1 to the ISP link with the private IP, a different path, and without NATing; then you will have an issue with the VPN.

By the way, make sure you hide your public IPs here; better for you.

Now in general your config is OK; you need to review the ISP link and VPN bits only.

If you have a lab or GNS3, it's better to test it before you put it in production.

HTH


Hi,

Yes, I used the private IP (which is ISP 1's next hop) on the fiber link in the default route; however, while leaving this interface the packet needs to be NATed with ISP 1's public IP, which is set on VLAN 3.

So I guess I'll have to add "ip nat outside" on interface Gi0/1 also.

For tracking also I am using the private IP address, as this address is the IP of the ISP router port (they do not have a public IP address on the next-hop gateway device).

Point 2, yes, that was a typo: ip nat inside source static esp 172.16.200.9 202.163.x.x. Note that the private-IP interface is set as outside, so the traffic should be NATed with the 202.163.x.x public IP address for ISP 1 and the VPN should work.

Right? I will test it tomorrow hopefully.

OK, so ISP 1 will route the public IP even if it comes over the private-IP link? If this is the case, no problem.

But in your NATing you need ip nat outside on that interface,

and also you need the match interface to be the one with the private IP, as this represents the exit interface.

Once you test, let me know about the result or if you have any issue.

Good luck
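As an added example that is not part of the thread (it covers the route-map NAT to two ISPs from the first answer and the exit-interface point from the last one), here is how R2's NAT and PBR could be written so that the exit interface, the NAT source address and the tracking objects line up. Addresses 203.0.113.0/28 (ISP 1 routed pool on Vlan3), 198.51.100.0/30 (ISP 2 link on Vlan4) and the probe targets 192.0.2.1 / 192.0.2.2 are assumed placeholders for the thread's redacted addresses. Two checks it builds in: the NAT route-maps match the real LAN source subnets, because once R1 stops translating, packets arrive at R2 sourced from 172.16.0.x / 192.168.0.x and not from 172.16.200.9; and each IP SLA probe targets a far-end address pinned through its ISP with a host route, so an upstream outage (not only a dead CPE port) withdraws that default route.

```cisco
! Added example (not from the thread): R2 NAT/PBR with the exit interface,
! the NAT source and the tracking objects aligned.
! Assumed placeholders: 203.0.113.0/28 = ISP1 routed pool, 198.51.100.0/30 =
! ISP2 link, 192.0.2.1 / 192.0.2.2 = far-end probe targets per ISP.
!
interface GigabitEthernet0/0
 description R1 (firewall) link
 ip address 172.16.200.10 255.255.255.252
 ip nat inside
 ip policy route-map PBR
!
interface GigabitEthernet0/1
 description ISP1 last mile (private /30): the real exit interface towards ISP1
 ip address 192.168.79.110 255.255.255.252
 ip nat outside
!
interface Vlan3
 description ISP1 routed public pool: only supplies the NAT source address
 ip address 203.0.113.2 255.255.255.240
 ip nat outside
!
interface Vlan4
 description ISP2 link, public /30
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
! Routes back to the networks behind R1 (traffic now arrives un-NATed from R1).
! The VPN client pool route assumes split tunnelling is off on the clients.
ip route 172.16.0.0 255.255.255.0 172.16.200.9
ip route 192.168.0.0 255.255.255.0 172.16.200.9
ip route 172.16.100.0 255.255.255.0 172.16.200.9
!
! Probe a far-end target through each ISP, pinned with a host route.
ip sla 1
 icmp-echo 192.0.2.1 source-interface GigabitEthernet0/1
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 192.0.2.2 source-interface Vlan4
 frequency 5
ip sla schedule 2 life forever start-time now
track 10 ip sla 1 reachability
 delay down 10 up 10
track 20 ip sla 2 reachability
 delay down 10 up 10
ip route 192.0.2.1 255.255.255.255 192.168.79.109
ip route 192.0.2.2 255.255.255.255 198.51.100.1
!
! ISP1 is the primary default; ISP2 is a floating default (AD 10) used when
! track 10 is down.
ip route 0.0.0.0 0.0.0.0 192.168.79.109 track 10
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10 track 20
!
! NAT source selection: the real LAN sources, not R1's link address.
ip access-list extended LAN-SOURCES
 permit ip 172.16.0.0 0.0.0.255 any
 permit ip 192.168.0.0 0.0.0.255 any
 permit ip 172.16.100.0 0.0.0.255 any
!
! Mail protocols from the user LAN are steered to ISP2 while track 20 is up;
! everything else follows the routing table and its tracked defaults.
ip access-list extended TO-ISP2
 permit tcp 172.16.0.0 0.0.0.255 any eq 993
 permit tcp 172.16.0.0 0.0.0.255 any eq 995
 permit tcp 172.16.0.0 0.0.0.255 any eq 465
route-map PBR permit 10
 match ip address TO-ISP2
 set ip next-hop verify-availability 198.51.100.1 10 track 20
!
! NAT route-maps key on the exit interface chosen by routing or PBR. For ISP1
! the exit interface is Gi0/1, while the translated address comes from Vlan3.
route-map NAT-ISP1 permit 10
 match ip address LAN-SOURCES
 match interface GigabitEthernet0/1
route-map NAT-ISP2 permit 10
 match ip address LAN-SOURCES
 match interface Vlan4
ip nat inside source route-map NAT-ISP1 interface Vlan3 overload
ip nat inside source route-map NAT-ISP2 interface Vlan4 overload
```

The static VPN and Exchange entries from the posted config stay as they are; static translations take precedence over the overload rules. Unlike the posted config, which has two equal-cost tracked defaults, this uses a floating default so ISP 2 carries only the policy-routed mail traffic until ISP 1 fails. To verify: `show track` for both objects, `show ip route 0.0.0.0` for which default is installed, `show route-map PBR` for policy-match counters, and `show ip nat translations` to confirm that flows leaving Gi0/1 are translated to the Vlan3 address and flows leaving Vlan4 to the Vlan4 address.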