Help needed for Cisco 1841 Router Dual ISP connection

james-chambers
Level 1

I have a Cisco 1841 router with an ADSL WIC and an SDSL WIC.

Both are connected to independent ISPs with a pool of 16 IP addresses on each. One is 0.0.0.0/28, the other 0.0.0.0/28.

I have the ADSL WIC unnumbered to Eth00 and the SDSL WIC unnumbered to ETH01.

It seems that when both of the WICs are enabled I cannot ping an internet address from either network, or tracert. If I disable one of the WICs and the corresponding Ethernet port it works fine. And it works fine the other way round.

I think this might have something to do with routes. These are the two static routes I have set up for the WICs

Any help would be most welcome.

Jamie

5 Replies

Richard Burts
Hall of Fame

Jamie

Without more information it is difficult to identify the problem that you are experiencing. It sounds to me like it may be caused by asymmetric paths when both interfaces are connected. There is a possibility that you have access lists configured that may cause this. If you would post more detail of how the router is configured we may get closer to finding an answer.

HTH

Rick

Rick,

Thank you for getting back to me so quickly. I have saved the running config and access control list as txt files for you to look at.

Maybe if I tell you what I'm trying to achieve it will help:

We already had an existing ADSL line that was our main source of internet connectivity that ran from a cheap ADSL router. Now that our company has grown and our users as well we need more bandwidth. So I did some research and installed an SDSL line to go alongside the ADSL line.

I wanted to offer the network some fault tolerance and purchased the 1841 router to host both the ADSL and SDSL connections. I wanted to configure the router to fail over to the other connection if one should fail. I was not really interested in load balancing at this stage. One of the other features I wanted to do is control what type of traffic was allowed outbound on the connection. E.g. we want to use FTP and RDP on the SDSL because it uses the upload bandwidth, and HTTP on the ADSL connection for the download bandwidth.

The Cisco router directly connects to a WatchGuard firewall configured on drop mode. On the other end of the WatchGuard we have an ISA 2004 server that acts as our VPN and router with all the bells and whistles. "Well nearly". As with this configuration it's important for our ISA server to have a public IP address so our secure L2TP/IPSEC VPN connection connected with having to go through NAT.

But if I enable both of the WAN connections then it seems to knock both of them out.

Would the ISA server need a public IP address from both of the ISPs to support fail over?

I hope this gives you a clearer picture.

Jamie

Jamie

I have looked at the config and I have a couple of questions and observations. Am I correct in assuming that the firewall and the ISA server are "inside" the 1841 and connected to the Ethernets? Are they connected to one Ethernet or to both?

Am I correct in assuming that the IP subnets are address space that was assigned to you by each of the ISPs? And am I correct in assuming that the ISA server has an IP address in one of those provider subnets? If so this is likely to complicate the process of failover. If the server is using an address assigned by ISP1 and the interface to ISP1 fails and you start sending traffic to ISP2, then what will get ISP2 to route the other provider's address to you?

It might help me to understand what is connected via interface FastEthernet0/0 and what is connected via interface FastEthernet0/1. I suspect part of your problem may be traffic coming into the router on Fast0/0 and going out Dialer 0 which is using the address from the other Ethernet.

I see that the config has three access lists but I am not seeing where the access lists are used and what they are supposed to do.

You describe wanting to steer certain types of traffic to certain interfaces. I assume that you will use Policy Based Routing to do this and have not yet started to configure this?

HTH

Rick

Rick,

Yes, I have a set of 16 IP addresses from each of the ISPs.

The WatchGuard firewall external port is directly connected to Eth00.

The WatchGuard Trusted interface is connected to the ISA server.

The WatchGuard firewall uses one of the ISP public addresses for all its interfaces.

The ISA server used another one of the same ISP's public addresses for one of its interfaces.

The above setup is completely new, e.g. new Cisco router, new WatchGuard and new ISA server. I also have an old WatchGuard firewall and ISA server. So I connected ETH0/1 to the external interface of the old firewall.

When just the SDSL was enabled and unnumbered to ETH00 it worked fine. I could access external resources. And as long as the old ADSL line was connected to the old router and firewall it worked OK as well. But when I connected the ADSL line to the Cisco and enabled the interfaces and connected ETH0/1 to the old firewall, then neither of the links would pass data properly. So as you can see I didn't get as far as connecting both links to the same ISA server.

What I'm after is both ADSL and SDSL connections from the Cisco in a failover configuration but also allowing me to use the public IP addresses in a perimeter network. Does the Cisco 1841 router support NAT-T? The ISA server does not need to have a public IP address if I can pass the VPN connection across to it. I use L2TP/IPSEC for my client VPN connection.

Or is it possible to use a combination of both NAT and public IP addressing?

I have attached a network topology to help you understand what I have tried to set up. This topology doesn't show the old WatchGuard or ISA server. But it does show both connections connected to the new firewall box and then to the ISA server.

Jamie

Have you considered using floating static routes on the edge router?

http://www.cisco.com/en/US/products/ps5853/products_configuration_guide_chapter09186a008045840a.html

http://www.cisco.com/warp/public/123/backup-main.html#floating_static_routes

I would recommend using NAT for your entire site including the ISA & have your firewall filter the content in a 'DMZ' setup.

You may also set up a one-to-one (1 public to 1 internal NAT'd address) NAT for the ISA if you want (research static NAT/PAT options).

Just some suggestions, I'm new here. Thx
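
An added configuration sketch, not posted by anyone in this thread and not the router's actual config (which is not shown on the page). It combines the two ideas raised above: source-based policy routing so that each provider's /28 leaves through its own link, and a floating static default route for failover. The address blocks are documentation placeholders, and Dialer1, the ACL numbers and the route-map names are assumptions.

```cisco
! Constructed placeholders (assumptions, not values from the thread):
!   192.0.2.0/28    = block from ISP A, on FastEthernet0/0, uplink Dialer0
!   198.51.100.0/28 = block from ISP B, on FastEthernet0/1, uplink Dialer1
!
! Match traffic by the provider block it is sourced from.
access-list 101 permit ip 192.0.2.0 0.0.0.15 any
access-list 102 permit ip 198.51.100.0 0.0.0.15 any
!
! Send each block out of the link belonging to the ISP that owns it,
! so packets never leave with the other provider's source address.
route-map FROM-ISPA-LAN permit 10
 match ip address 101
 set interface Dialer0
!
route-map FROM-ISPB-LAN permit 10
 match ip address 102
 set interface Dialer1
!
! Apply the policy on the inside interface where the traffic arrives.
interface FastEthernet0/0
 ip policy route-map FROM-ISPA-LAN
!
interface FastEthernet0/1
 ip policy route-map FROM-ISPB-LAN
!
! Primary default route, plus a floating static (administrative
! distance 250) that is installed only when Dialer0 goes down.
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 Dialer1 250
```

The floating route only helps if the surviving ISP will carry and return the other provider's addresses, the concern raised earlier in the thread; otherwise the inside hosts need NAT onto the surviving block.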
