3335 Views | 0 Helpful | 18 Replies

Dual ISP splitting traffic

Robert Murdock, Level 1

Hello Cisco geniuses!

      I have a network where I am required to split traffic between two ISPs: ISP1 (Verizon) and ISP2 (Comcast). ISP1 uses T1 connections and ISP2 uses a standard cable modem. Currently all of my traffic goes out of the T1 connection, but I would like HTTP (80) and HTTPS (443) to go out of my ISP2 connection. On ISP1 I need to have clients come in on ports 500 (S2S VPN), 8421 (IBM Access) and 3024 (IBM Access).

  I have actually programmed my 2811 and had my PBR working, but all of a sudden it stopped. Unfortunately my syslog and NCM did not record any changes to the routers, and the routers were written and the configs saved and backed up. I'm not sure if my ISP2 modem failed, because my PBR no longer works. If you could find it in your hearts to review my config and see if anything is missing.

interface MFR1
 mtu 4470
 no ip address
 no ip redirects
 no ip proxy-arp
 encapsulation frame-relay IETF
 no ip mroute-cache
 load-interval 30
 no arp frame-relay
 frame-relay multilink bid to u300785
 frame-relay lmi-type ansi
!
interface MFR1.500 point-to-point
 ip address 152.179.XX.XX 255.255.255.252
 ip access-group 110 in
 no ip redirects
 no ip proxy-arp
 no cdp enable
 no arp frame-relay
 frame-relay interface-dlci 500 IETF   
!
interface FastEthernet0/0
 description to ASA5520
 ip address 65.216.XX.XX 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip policy route-map COMCAST_TRAFFIC
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Interface to ISP2
 ip address 23.31.XX.XX 255.255.255.248
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable

ip route 0.0.0.0 0.0.0.0 152.179.XX.XX (default route to ISP1)
!
access-list 120 permit tcp any any eq www
access-list 120 permit tcp any any eq 443
access-list 120 permit udp any any eq domain
access-list 120 deny   udp any any eq ntp
access-list 120 deny   udp any any eq 8933
access-list 120 deny   udp any any eq 8943
access-list 120 deny   udp any any eq 19560
access-list 120 deny   udp any any eq 65535
access-list 120 deny   tcp any any eq 1025
access-list 120 deny   udp any any eq 1025
access-list 120 deny   tcp any any eq 8933
access-list 120 deny   tcp any any eq 8943
access-list 120 deny   tcp any any eq 19560
access-list 120 deny   tcp any any eq 65535
access-list 120 deny   tcp any any eq 50
access-list 120 deny   tcp any eq 51 any
access-list 120 deny   tcp any any eq 51
access-list 120 deny   tcp any eq 500 any
access-list 120 deny   tcp any eq 4500 any
access-list 120 deny   tcp any eq 50 any
access-list 120 deny   udp any eq 50 any
access-list 120 deny   udp any eq 51 any
access-list 120 deny   tcp any eq 4820 any
access-list 120 deny   tcp any eq 4823 any
access-list 120 deny   tcp any eq 4822 any
access-list 120 deny   tcp any eq smtp any
access-list 120 deny   tcp any eq 5223 any
access-list 120 deny   ahp any any
access-list 120 deny   ip any any
access-list 120 deny   tcp any eq 8421 any
access-list 120 deny   tcp any eq 3024 any
access-list 120 deny   udp any eq 3024 any
access-list 120 deny   udp any eq 8421 any
!
access-list 110 permit ip any any
access-list 110 deny   53 any any
access-list 110 deny   55 any any
access-list 110 deny   77 any any
access-list 110 deny   pim any any
access-list 110 deny   ip host 0.0.0.0 any
access-list 110 deny   ip 127.0.0.0 0.255.255.255 any
access-list 110 deny   ip 192.0.2.0 0.0.0.255 any
access-list 110 deny   ip 224.0.0.0 31.255.255.255 any
access-list 110 deny   ip 10.0.0.0 0.255.255.255 any
access-list 110 deny   ip 172.16.0.0 0.15.255.255 any
access-list 110 deny   ip 192.168.0.0 0.0.255.255 any
access-list 110 deny   ip 207.159.122.144 0.0.0.7 any
!
route-map COMCAST_TRAFFIC permit 10
 match ip address 120
 set ip next-hop 23.31.XX.XX

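An added example (not part of the original post, and not Cisco's code) of the same COMCAST_TRAFFIC policy with two changes a practitioner would want. First, the match ACL is trimmed: a route-map evaluates its ACL first-match, so the three permit lines are the entire policy and every deny below them (including the ones after "deny ip any any") is unreachable; note also that "tcp ... eq 50" and "eq 51" match TCP ports 50 and 51, not ESP (IP protocol 50) or AH (IP protocol 51, which the posted "ahp" entry already covers). Second, the Comcast next hop is tracked: a plain "set ip next-hop" never checks that the gateway is alive, which is consistent with the PBR "suddenly stopping" when the cable modem fails, whereas "verify-availability ... track" skips the clause when the probe fails so matched traffic falls back to the routing table and the ISP1 default route. The ACL name, the SLA/track numbers and the probe target are assumptions; 23.31.XX.XX is the Comcast gateway, kept masked as in the post.

```cisco
! Added example, not the poster's config. Names and numbers below are
! assumptions; 23.31.XX.XX is the Comcast gateway (masked as in the post).
!
! 1. Match ACL: first-match, so only the permits can ever fire.
ip access-list extended TO-COMCAST
 permit tcp any any eq www
 permit tcp any any eq 443
 permit udp any any eq domain
!
! 2. Probe the Comcast gateway every 10 s from the ISP2 interface.
ip sla 1
 icmp-echo 23.31.XX.XX source-interface FastEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Track object goes down when the probe fails.
track 1 ip sla 1 reachability
!
! PBR: the set clause is skipped (normal routing via the ISP1 default)
! while track 1 is down, instead of forwarding into a dead modem.
route-map COMCAST_TRAFFIC permit 10
 match ip address TO-COMCAST
 set ip next-hop verify-availability 23.31.XX.XX 10 track 1
!
! Policy stays on the LAN-facing interface, as in the post.
interface FastEthernet0/0
 ip policy route-map COMCAST_TRAFFIC
```

Check it with "show track 1", "show ip sla statistics 1" and the packet counter in "show route-map COMCAST_TRAFFIC"; "debug ip policy" logs each decision but should only be used on a quiet router. On IOS releases older than 12.4(20)T the track command is "track 1 rtr 1 reachability". If you would rather probe a remote address than the gateway, add a /32 static route for that address via the Comcast gateway so the probe cannot leak out the T1 and report the cable link healthy when it is not.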
18 Replies

If I were to change the default route, should my new PBR be placed on the LAN-facing interface or the ISP1-facing interface?

> PBR will still be placed on the LAN interface.

> While going out, this traffic will be NATed to the public IP of ISP1.

> For return traffic it has to come back via ISP1 only (no need to make any change for this).


I changed my default route to 0.0.0.0 0.0.0.0 23.31.xx.xx. My internet speeds were normal at 100 Mb/s. I created a new ACL (ACL 140) and a new PBR (VZ). I applied this ACL to my newly created PBR and placed it on the LAN-facing interface. My internet at my corporate office works fine and the speeds are great, but my external clients cannot connect to my services using my ISP1 IP address. I believe my NAT statements are incorrect on this router when I change my default route to my ISP2. Also, just to add information: my clients connect to a server using public IP 65.216.XX.XX, which is NATed to 10.0.0.10 behind my ASA. My ASA has static (inner,outside) tcp 65.216.XX.XX 8421 10.0.0.10 8421 netmask 255.255.255.255. Should I change this static information as well? Or should the NAT on my dual-ISP router handle this? My config is shown below and a network diagram is attached.


interface MFR1.500 point-to-point
 description interface to ISP1
 ip address 152.179.XX.XX 255.255.255.252
 ip access-group 110 in
 no ip redirects
 no ip proxy-arp
 no cdp enable
 no arp frame-relay
 frame-relay interface-dlci 500 IETF

interface FastEthernet0/0
 description to Office LAN and ASA5520
 ip address 65.216.XX.XX 255.255.255.248
 ip access-group 130 in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip policy route-map VZ
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Interface to ISP2
 ip address 23.31.XX.XX 255.255.255.248
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable

ip route 0.0.0.0 0.0.0.0 23.31.XX.XX (ISP2 MODEM ADDRESS)

ip nat inside source route-map cable-nat interface FastEthernet0/1 overload

!

access-list 110 deny   53 any any
access-list 110 deny   55 any any
access-list 110 deny   77 any any
access-list 110 deny   pim any any
access-list 110 deny   ip host 0.0.0.0 any
access-list 110 deny   ip 127.0.0.0 0.255.255.255 any
access-list 110 deny   ip 192.0.2.0 0.0.0.255 any
access-list 110 deny   ip 224.0.0.0 31.255.255.255 any
access-list 110 deny   ip 10.0.0.0 0.255.255.255 any
access-list 110 deny   ip 172.16.0.0 0.15.255.255 any
access-list 110 deny   ip 192.168.0.0 0.0.255.255 any
access-list 110 deny   ip 207.159.122.144 0.0.0.7 any

!

access-list 140 remark ==VerizonACCESS==
access-list 140 remark -VPN ACCESS-
access-list 140 permit tcp any any eq 500
access-list 140 permit udp any any eq 4500
access-list 140 remark -JD Edwards-
access-list 140 permit tcp any any eq 3024
access-list 140 permit udp any any eq 3024
access-list 140 permit tcp any any eq 8421
access-list 140 permit udp any any eq 8421
access-list 140 remark -Spark Access-
access-list 140 permit tcp any any eq 5222
access-list 140 permit udp any any eq 5222
access-list 140 permit tcp any any eq 5223
!
route-map VZ permit 10
 match ip address 140
 set ip next-hop 152.179.XX.XX (ISP1 SIDE)
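An added example (not from the original post) of the VZ policy rewritten so that it catches the traffic that actually has to go back out via Verizon. In "permit tcp any any eq 8421" the "eq" follows the destination "any", so the entry matches packets sent to port 8421. The packets the published server sends back to an external client carry 8421 as the source port, so they never match, follow the new ISP2 default route and leave Fa0/1 translated to the Comcast address; the client sees a reply from an address it never contacted and drops it, which is exactly the "external clients cannot connect" symptom. The same applies to 3024, and IKE is UDP 500 rather than TCP 500. The inbound filter on MFR1.500 is also shown in working order: it too is first-match, so the bogon denies must precede the permit (the first posted ACL 110 had "permit ip any any" on top, leaving every deny dead, and the second posting shows no permit at all, which taken literally lets the implicit deny drop everything arriving from ISP1). ACL and route-map names are assumptions; addresses stay masked as in the post, and 152.179.XX.XX is the Verizon side of the /30.

```cisco
! Added example, not the poster's config. ACL names are assumptions;
! ports are the ones named in the thread, addresses masked as in the post.
!
! Replies from services published on the Verizon /29 carry the service
! port as the SOURCE port, so "eq" goes after the source "any".
ip access-list extended TO-VERIZON
 remark -- replies from published services (source port) --
 permit udp any eq 500 any
 permit udp any eq 4500 any
 permit tcp any eq 8421 any
 permit udp any eq 8421 any
 permit tcp any eq 3024 any
 permit udp any eq 3024 any
 remark -- outbound traffic that should use Verizon (destination port) --
 permit tcp any any eq 5222
 permit udp any any eq 5222
 permit tcp any any eq 5223
!
route-map VZ permit 10
 match ip address TO-VERIZON
 set ip next-hop 152.179.XX.XX
!
interface FastEthernet0/0
 ip policy route-map VZ
!
! Inbound filter on the T1: denies first, permit last. With no permit
! the implicit deny drops every packet from ISP1.
ip access-list extended FROM-ISP1
 deny   ip host 0.0.0.0 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   ip 207.159.122.144 0.0.0.7 any
 deny   53 any any
 deny   55 any any
 deny   77 any any
 deny   pim any any
 permit ip any any
!
interface MFR1.500 point-to-point
 ip access-group FROM-ISP1 in
```

Because MFR1.500 carries no "ip nat outside", packets that this policy steers to the T1 are never translated and keep their 65.216 source, which is what the external client expects. A tracked next hop ("set ip next-hop verify-availability 152.179.XX.XX 10 track N") is worth adding here as well, so a T1 outage does not blackhole the matched traffic. Verify with "show route-map VZ" (policy-routed packet counts) while a client connects to the Verizon address, and with "show access-lists FROM-ISP1" to confirm the permit line is the one accumulating hits.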


Would a static mapping bring in that traffic from my clients connecting to 65.216.xx.xx:3024? I found this on another forum.

ip nat inside source route-map cable-nat interface F0/1 overload
ip nat inside source static tcp 65.216.XX.XX 3024 interface F0/0 3024
!
access-list 130 permit ip host 65.216.XX.XX any
access-list 130 permit ip host 65.216.XX.XX any
!
route-map cable-nat
 match ip address 130
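An added example (not from the original post) for the NAT side. No static mapping is needed for 65.216.XX.XX:3024: packets from Verizon to that address arrive on MFR1.500, which has no ip nat role, and are simply routed onto Fa0/0, where the ASA's own static takes over. The proposed "ip nat inside source static tcp 65.216.XX.XX 3024 interface F0/0 3024" would tie the mapping to the inside interface, which is not where an inbound static belongs. What the router does need is a dynamic rule that fires only for traffic leaving through the Comcast interface, so that replies policy-routed to the T1 keep their Verizon source address: "ip nat inside source route-map" translates only when the route-map matches, and "match interface" pins that to packets whose egress is Fa0/1. The route-map name is the posted cable-nat; widening ACL 130 from two hosts to the whole /29 on Fa0/0 is an assumption (every flow from the LAN should arrive with a source in that block, since the ASA's outside address is on it).

```cisco
! Added example, not the poster's config. ACL 130 widened to the /29 on
! Fa0/0 (assumption); route-map name is the posted cable-nat.
access-list 130 permit ip 65.216.XX.XX 0.0.0.7 any
!
! Translate only what actually leaves through the Comcast interface.
route-map cable-nat permit 10
 match ip address 130
 match interface FastEthernet0/1
!
! Overload onto the Fa0/1 address; no static needed for the Verizon
! services, which never traverse a NAT outside interface.
ip nat inside source route-map cable-nat interface FastEthernet0/1 overload
!
interface FastEthernet0/0
 ip nat inside
!
interface FastEthernet0/1
 ip nat outside
```

Since MFR1.500 has no "ip nat outside", translation already cannot happen on the T1; "match interface" makes that explicit and keeps working if someone later adds a NAT role to the Verizon link. After changing NAT rules run "clear ip nat translation *" so entries built under the old rule are not reused, then watch "show ip nat translations" and the route-map hit counts in "show ip nat statistics" while a client connects to the Verizon address: a reply to that client should not appear in the translation table at all.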