12-19-2005 08:26 AM - edited 03-03-2019 11:15 AM
I have a Cisco 1841 router with an ADSL WIC and an SDSL WIC.
Both are connected to independent ISPs with a pool of 16 IP addresses on each. One is 0.0.0.0/28, the other 0.0.0.0/28.
I have the ADSL WIC UNNUMBERED to Eth00 and the SDSL WIC UNNUMBERED to ETH01.
It seems when both of the WICs are enabled I cannot ping an internet address from either network, or tracert. If I disable one of the WICs and the corresponding Ethernet port it works fine. And it works fine the other way round.
I think this might have something to do with routes. These are the two static routes I have set up for the WICs:
Any help would be most welcome.
Jamie
12-19-2005 09:42 AM
Jamie
Without more information it is difficult to identify the problem that you are experiencing. It sounds to me like it may be caused by asymmetric paths when both interfaces are connected. There is a possibility that you have access lists configured that may cause this. If you would post more detail of how the router is configured we may get closer to finding an answer.
HTH
Rick
12-19-2005 12:33 PM
Rick,
Thank you for getting back to me so quickly. I have saved the running config and access control list as txt files for you to look at.
Maybe if I tell you what I'm trying to achieve it will help:
We already had an existing ADSL line that was our main source of internet connectivity, which ran from a cheap ADSL router. Now that our company has grown, and our users as well, we need more bandwidth. So I did some research and installed an SDSL line to go alongside the ADSL line.
I wanted to offer the network some fault tolerance and purchased the 1841 router to host both the ADSL and SDSL connections. I wanted to configure the router to fail over to the other connection if one should fail. I was not really interested in load balancing at this stage. One of the other features I wanted to do is control what type of traffic was allowed outbound on each connection. E.g. we want to use FTP and RDP on the SDSL because it uses the upload bandwidth, and HTTP on the ADSL connection for the download bandwidth.
The Cisco router directly connects to a WatchGuard firewall configured in drop mode. On the other end of the WatchGuard we have an ISA 2004 server that acts as our VPN and router with all the bells and whistles. Well, nearly. With this configuration it's important for our ISA server to have a public IP address so our secure L2TP/IPSEC VPN connections can connect without having to go through NAT.
But if I enable both of the WAN connections then it seems to knock both of them out.
Would the ISA server need a public IP address from both of the ISPs to support fail over?
I hope this gives you a clearer picture.
Jamie
12-20-2005 10:23 AM
Jamie
I have looked at the config and I have a couple of questions and observations. Am I correct in assuming that the firewall and the ISA server are "inside" the 1841 and connected to the Ethernets? Are they connected to one Ethernet or to both?
Am I correct is assuming that the IP subnets are address space that was assigned to you by each of the ISPs? And am I correct in assuming that the ISA server has an IP address in one of those provider subnets? If so this is likely to complicate the process of failover. If the server is using an address assigned by ISP1 and the interface to ISP1 fails and you start sending traffic to ISP2, then what will get ISP2 to route the other provider's address to you?
It might help me to understand what is connected via interface FastEthernet0/0 and what is connected via interface FastEthernet0/1. I suspect part of your problem may be traffic coming into the router on Fast0/0 and going out Dialer 0 which is using the address from the other Ethernet.
I see that the config has three access lists but I am not seeing where the access lists are used and what they are supposed to do.
You describe wanting to steer certain types of traffic to certain interfaces. I assume that you will use Policy Based Routing to do this and have not yet started to configure this?
HTH
Rick
12-20-2005 02:33 PM
Rick,
Yes, I have a set of 16 IP addresses from each of the ISPs.
The WatchGuard firewall external port is directly connected to Eth00.
The WatchGuard trusted interface is connected to the ISA server.
The WatchGuard firewall uses one of the ISP public addresses for all its interfaces.
The ISA server uses another one of the same ISP's public addresses for one of its interfaces.
The above setup is completely new, e.g. new Cisco router, new WatchGuard and new ISA server. I also have an old WatchGuard firewall and ISA server. So I connected ETH0/1 to the external interface of the old firewall.
When just the SDSL was enabled and unnumbered to ETH00 it worked fine. I could access external resources. And as long as the old ADSL line was connected to the old router and firewall it worked OK as well. But when I connected the ADSL line to the Cisco, enabled the interfaces and connected ETH0/1 to the old firewall, then neither of the links would pass data properly. So as you can see I didn't get as far as connecting both links to the same ISA server.
What I'm after is both the ADSL and SDSL connections from the Cisco in a failover configuration, but also allowing me to use the public IP addresses in a perimeter network. Does the Cisco 1841 router support NAT-T? The ISA server does not need to have a public IP address if I can pass the VPN connection across to it. I use L2TP/IPSEC for my client VPN connections.
Or is it possible to use a combination of both NAT and public IP addressing?
I have attached a network topology to help you understand what I have tried to set up. This topology doesn't show the old WatchGuard or ISA server. But it does show both connections connected to the new firewall box and then to the ISA server.
Jamie
12-20-2005 03:14 PM
Have you considered using floating static routes on the edge router?
http://www.cisco.com/en/US/products/ps5853/products_configuration_guide_chapter09186a008045840a.html
http://www.cisco.com/warp/public/123/backup-main.html#floating_static_routes
I would recommend using NAT for your entire site including the ISA, and have your firewall filter the content in a 'DMZ' setup.
You may also set up a one-to-one (1 public to 1 internal NAT'd address) NAT for the ISA if you want (research static NAT/PAT options).
Just some suggestions, I'm new here. Thx
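The following is an added IOS configuration sketch, not any poster's config, putting the last reply's two suggestions (floating static routes, site-wide NAT with a one-to-one mapping for the ISA) together with the per-protocol steering Jamie asked for earlier (FTP and RDP out the SDSL, everything else following normal routing). Everything in it is assumed: Dialer0 is taken to be the ADSL link to ISP1 and Dialer1 the SDSL link to ISP2, 192.168.1.0/24 is a made-up inside LAN with the ISA at 192.168.1.10, and the RFC 5737 documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for the two ISP pools (.1 as each ISP gateway, 203.0.113.5 as the ISA's public address). The PPP and addressing settings on the dialers are left out; the tracking commands use the `ip sla` syntax of later 12.4 images, and older images spell the same thing `ip sla monitor` / `track 1 rtr 1 reachability`.

```cisco
! Added example, not taken from any post in this thread. All interface roles,
! addresses and names are assumptions; replace them with your own values.
!
! --- Failover: tracked primary default route plus a floating static backup ---
! A Dialer interface stays "up (spoofing)" even when the DSL session is down,
! so a plain static route via Dialer0 would never be withdrawn. An IP SLA
! probe through the ADSL link decides whether the primary route stays.
ip sla 1
 icmp-echo 203.0.113.1 source-interface Dialer0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! Pin the probe target to Dialer0 so the probe cannot leave via the SDSL link
! after the primary route is removed (that would make the route flap).
ip route 203.0.113.1 255.255.255.255 Dialer0
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
! Floating static route: administrative distance 200 keeps it out of the
! routing table until the tracked primary is withdrawn.
ip route 0.0.0.0 0.0.0.0 Dialer1 200
!
! --- NAT for the whole site, sourced from whichever link the packet exits ---
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip policy route-map STEER_SDSL
interface Dialer0
 ip nat outside
interface Dialer1
 ip nat outside
!
ip access-list standard INSIDE_HOSTS
 permit 192.168.1.0 0.0.0.255
! "match interface" is what keeps each link using its own ISP's address, so
! ISP2 never sees packets sourced from ISP1's range (and vice versa).
route-map NAT_ADSL permit 10
 match ip address INSIDE_HOSTS
 match interface Dialer0
route-map NAT_SDSL permit 10
 match ip address INSIDE_HOSTS
 match interface Dialer1
ip nat inside source route-map NAT_ADSL interface Dialer0 overload
ip nat inside source route-map NAT_SDSL interface Dialer1 overload
!
! One-to-one NAT for the ISA so inbound L2TP/IPsec (using NAT-T) reaches it.
! Caveat: 203.0.113.5 belongs to ISP1, so the VPN endpoint is reachable only
! while the ADSL link is up; a single public address does not follow failover.
ip nat inside source static 192.168.1.10 203.0.113.5
!
! --- Steering: FTP and RDP out the SDSL link; all other traffic is routed normally ---
ip access-list extended UPLOAD_HEAVY
 permit tcp 192.168.1.0 0.0.0.255 any eq ftp
 permit tcp 192.168.1.0 0.0.0.255 any eq ftp-data
 permit tcp 192.168.1.0 0.0.0.255 any eq 3389
route-map STEER_SDSL permit 10
 match ip address UPLOAD_HEAVY
 set interface Dialer1
```

Policy routing runs before NAT on the inside interface, so a packet steered to Dialer1 is matched by NAT_SDSL and leaves with ISP2's address. When the tracked route is withdrawn, existing translations built on Dialer0 are not rebuilt automatically; `show ip nat translations` and `show track 1` are the first things to check during a failover test, and clearing the stale entries with `clear ip nat translation *` is usually needed before sessions recover on the backup link. The ISA's one-to-one mapping is the point Rick raised above: an address owned by ISP1 can only be reached through ISP1, so inbound VPN service stays single-homed unless a second public address from ISP2 is mapped as well.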