03-31-2010 12:59 PM - edited 03-04-2019 07:59 AM
Hi,
I just purchased a Cisco 2921 ISR. I want to set it up to be in between our switches and our internet connections. I added an extra port to handle the extra connection (so a total of 4).
Our company is setup like this:
T1 - Main internet. (x.x.x.248)
Marketing DSL (x.x.x.251)
Media DSL. (x.x.x.254)
I want to put the ISR in between the switches and these three WAN or ISP connections. The two DSL connections are for separate use by other departments so they don't kill our bandwidth. The setup would be to move the internet connections from our switches to the router. Then have a network cable joining the router to our switches. Then I can do some routing on the traffic.
I don't want to have to change the IPs of each of the gateways. How can I do this?
I don't want any load balancing or failover. Just the x.x.x.248 as the route of last resort, and have traffic go to the correct ISP if they specify x.x.x.251 or x.x.x.254 as the gateway on their PCs.
Thanks in advance.
03-31-2010 02:45 PM
I'm afraid you need to change the gateway on your PCs.
You could run IRB (Integrated Routing and Bridging) if the interface type on the LAN and WAN were Ethernet.
You aren't concerned on protecting the internal devices with NAT and/or iACLs?
Regards
Edison
04-01-2010 05:16 AM
Thanks for the help. Will this scenario work:
Change the LAN side to the gateway IP (x.x.x.248 ==> currently in use by the ASA on the LAN side for the T1).
Change the LAN side of the ASA to some other subnet and put it on a WAN port on the router. Then set that as the route of last resort.
Then change the WAN IPs to get the IP from the DSL modems. Then I could, based on the source, route the traffic to either one of these 2 DSL connections.
Then I could set up routing to the other two DSL connections based on the source or the destination?
If I have the 3 ISP connections on the WAN side and 1 connection to the switches on the LAN side, how would it work if users from the marketing department specified a gateway? Would I just intercept it on the router and redirect it? Or would I give the WAN interface a fictitious subnet and have the users change their gateway to point to it?
Sorry for rambling. I'm new to this and I want to make sure I know what to do.
04-01-2010 06:32 AM
Change the LAN side to the gateway IP (x.x.x.248 ==> currently in use by the ASA on the LAN side for the T1).
Change the LAN side of the ASA to some other subnet and put it on a WAN port on the router. Then set that as the route of last resort.
Yes, you need to renumber your LAN port to a private IP address.
All devices on that LAN port will also need to be renumbered, and the gateway will be the new LAN private IP address on the router.
You will move your public IP address to the respective WAN interface.
The router will have a default gateway pointing to each ISP and you need to implement PBR (as Paolo noted) to influence which ISP the client(s) are going to use.
As you are a newbie, I recommend keeping this process simple and using one ISP as primary while keeping the others as backup. With this design, you don't need to use PBR. All you need to do is configure a default gateway to the primary ISP and two other 'weighted' default gateways pointing to the backup ISPs.
If I have the 3 ISP connections on the WAN side and 1 connection to the switches on the LAN side, how would it work if users from the marketing department specified a gateway? Would I just intercept it on the router and redirect it? Or would I give the WAN interface a fictitious subnet and have the users change their gateway to point to it?
To force routing based on source, you need to configure PBR. Again, if you aren't proficient in routing this task can be difficult to deploy. I highly recommend you hire a contracting firm to do this work for you.
Regards
Edison.
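The design Edison describes above (private LAN addressing on the router, public addresses moved to the WAN ports, a primary default route with weighted backups, NAT on the router, and PBR to steer specific departments to their own DSL) as an added IOS configuration sketch. This is not from the original thread or from Cisco; interface names, the private LAN range, the department host ranges and all WAN addresses are constructed placeholders (RFC 5737 documentation prefixes) and must be replaced with the real values.

```cisco
! --- LAN side: renumbered to a private subnet; PCs use 192.168.10.1 as gateway
! --- (addresses and interface names are assumptions, not from the thread)
interface GigabitEthernet0/0
 description LAN toward switches (private addressing)
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip policy route-map PBR-ISP-SELECT
!
! --- WAN side: T1 stays behind the ASA 5505; the ASA inside interface is
! --- moved to a small transit subnet facing this router port
interface GigabitEthernet0/1
 description WAN - T1 via ASA 5505 (primary / route of last resort)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/2
 description WAN - Marketing DSL
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/3
 description WAN - Media DSL
 ip address 192.0.2.2 255.255.255.252
 ip nat outside
!
! --- Primary default route to the T1, plus 'weighted' (floating) backups.
! --- Higher administrative distance = used only if the preferred route disappears.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 0.0.0.0 0.0.0.0 203.0.113.1 10
ip route 0.0.0.0 0.0.0.0 192.0.2.1 20
!
! --- Source-based PBR: which hosts belong to which department (assumed ranges).
! --- Traffic to other internal subnets should be denied first so it is never
! --- policy-routed out to an ISP.
ip access-list extended MARKETING-HOSTS
 deny   ip any 192.168.10.0 0.0.0.255
 permit ip 192.168.10.64 0.0.0.31 any
ip access-list extended MEDIA-HOSTS
 deny   ip any 192.168.10.0 0.0.0.255
 permit ip 192.168.10.96 0.0.0.31 any
!
! --- Matching hosts are handed to their DSL next hop; anything unmatched falls
! --- through to the normal routing table, i.e. the T1 default route.
route-map PBR-ISP-SELECT permit 10
 match ip address MARKETING-HOSTS
 set ip next-hop 203.0.113.1
route-map PBR-ISP-SELECT permit 20
 match ip address MEDIA-HOSTS
 set ip next-hop 192.0.2.1
!
! --- NAT: with several outside interfaces each translation must be tied to the
! --- egress interface, otherwise return traffic for one ISP can be sourced from
! --- another ISP's address and be dropped upstream.
ip access-list standard NAT-INSIDE
 permit 192.168.10.0 0.0.0.255
!
route-map NAT-T1 permit 10
 match ip address NAT-INSIDE
 match interface GigabitEthernet0/1
route-map NAT-MARKETING permit 10
 match ip address NAT-INSIDE
 match interface GigabitEthernet0/2
route-map NAT-MEDIA permit 10
 match ip address NAT-INSIDE
 match interface GigabitEthernet0/3
!
ip nat inside source route-map NAT-T1 interface GigabitEthernet0/1 overload
ip nat inside source route-map NAT-MARKETING interface GigabitEthernet0/2 overload
ip nat inside source route-map NAT-MEDIA interface GigabitEthernet0/3 overload
```

Two checks worth doing once this is in place: `show route-map PBR-ISP-SELECT` shows the policy-routing match counters climbing only for the department ranges, and `show ip nat translations` should list each inside host translated to the address of the WAN interface its traffic actually left on. Note that PBR with a plain `set ip next-hop` keeps sending traffic to a DSL next hop even if that line is down; if a DSL outage should fall back to the T1, the `verify-availability` form of the command with object tracking is the usual addition, and the NAT route-maps above already cover the fallback path.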
03-31-2010 02:46 PM
What you want to do is called "policy routing". I also recommend you move the NAT functionality from the other devices to the router.
I recommend you engage a reputable consultant, or certified Cisco partner, for this type of work.
04-01-2010 05:08 AM
Thanks for the reply. I do appreciate your help.
Our T1 is protected by an ASA 5505 firewall. Our other DSL will be protected by the firewall on the 2921, or at least it will be once I get the license upgrade from Cisco.
04-01-2010 05:17 AM
For normal use, NAT protection on a router is enough. I have never seen a case in which security was violated in the presence of NAT.