10-16-2010 01:25 PM - edited 03-04-2019 10:08 AM
I have been trying to work out how to allow access to a website via https with a failover DSL solution. I have already configured the failover DSL using route-maps and an ip sla track, and I now have SMTP working on both public IP addresses if the one DSL circuit fails.
What I want to try to do now is have a round-robin DNS for a URL like remote.mydomain.com and have this resolve to two public IP addresses, then on the router enable a static NAT for https from each public IP address to two IP addresses on my web server. This should then allow multiple connections to IIS, as I have an IP listening on https for each connection.
The problem now is routing. I can make the static NAT work if I connect on the public IP that is the default route for 0.0.0.0. If I shut down my ATM0/0/0.1 interface, the Dialer0 becomes the default route and I can access the website via the static NAT on the Dialer0 public IP, and I know this is because the route to 0.0.0.0 is updated to the interface I am connecting in on.
The question is, how do I enable access from either public IP address so I can provide access to the website? Will this need to involve Policy Based Routing so that I can direct traffic out of the Dialer0 interface if the traffic originates from this interface?
This is a 1841 router with Advanced Security IOS.
Cheers
Kyle
11-05-2010 04:53 AM
Hi Kyle,
One thing you can do is to source-NAT the traffic coming from outside directed to your 2 public IP addresses using 2 different pools. This way you can have the return traffic (from your network to the outside) going out the interface it came in on.
hope this helps.
Fabrizio
11-05-2010 05:50 AM
Fabrizio
At present I use two static NAT statements for the access to the web server from the two public IPs. Are you suggesting I should use a route map in the NAT statement to match an ACL that states the source interface of the traffic?
If you could show me an example of what you are suggesting, I am sure I can get this working.
Thanks
Kyle
11-06-2010 08:49 AM
Hi Kyle,
OK, so at the moment you have 2 simple "ip nat source static" entries translating the 2 local addresses to 2 global ones, correct?
If you want the traffic hitting the 2nd global IP to come back through the 2nd interface you can apply a route-map on the inside interface:
access-list N permit <2nd-inside-local-IP>
!
route-map RM permit 10
 match ip address N
 set ip next-hop <2nd-interface-next-hop>
!
interface x/y
 ip policy route-map RM
hope this helps,
Fabrizio
11-07-2010 09:09 AM
Fabrizio,
Thanks for your help, the route map has done the trick. I added an ACL for the traffic back from my server and then, in the route map, set the interface to send the traffic out from instead of the next hop, as I have a dynamic IP on this circuit. Then I added the static NAT to the secondary inside IP address and the web site works from both public IP addresses.
I shall read up some more on PBR and route maps. Thanks for your help.
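For reference, here is what the finished solution described in this thread looks like as a complete IOS configuration. This is an added example, not the configuration Kyle or Fabrizio posted; the addresses are constructed from the RFC 5737 documentation ranges, and the inside interface name, the 192.168.0.0/16 internal range and the existing track 1 object are assumptions.

```cisco
! Added example config (not the config posted in this thread). Addresses
! are constructed from the RFC 5737 documentation ranges. Assumptions:
!  - FastEthernet0/0 is the inside LAN interface (192.168.0.0/16 is internal)
!  - ATM0/0/0.1 is the primary DSL, static 203.0.113.10/30, next hop 203.0.113.1
!  - Dialer0 is the backup DSL with a negotiated (dynamic) address
!  - IIS listens on 192.168.1.10:443 and 192.168.1.11:443
!  - track 1 already exists from the ip sla failover configuration
!
! Default route prefers the primary circuit while the SLA probe succeeds;
! the floating static via Dialer0 takes over when track 1 goes down.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 Dialer0 250
!
! Port-specific static NAT: only tcp/443 is exposed, one listener per
! public address. The second entry binds to the Dialer0 address itself
! because that circuit has no fixed IP.
ip nat inside source static tcp 192.168.1.10 443 203.0.113.10 443
ip nat inside source static tcp 192.168.1.11 443 interface Dialer0 443
!
! Return traffic from the second listener must leave via Dialer0; if it
! followed the default route it would exit ATM0/0/0.1 carrying Dialer0's
! source address and the client would never see a valid reply.
! Match narrowly: https replies from the second inside IP to external
! destinations only, so internal subnets reached through the router are
! never policy-routed out to the internet.
ip access-list extended PBR-WEB-DIALER0
 deny   tcp host 192.168.1.11 eq 443 192.168.0.0 0.0.255.255
 permit tcp host 192.168.1.11 eq 443 any
!
route-map RM-WEB-DIALER0 permit 10
 match ip address PBR-WEB-DIALER0
 set interface Dialer0
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip policy route-map RM-WEB-DIALER0
!
interface ATM0/0/0.1 point-to-point
 ip address 203.0.113.10 255.255.255.252
 ip nat outside
!
interface Dialer0
 ip address negotiated
 ip nat outside
```

To confirm the policy is actually being hit, watch the match counters with `show route-map RM-WEB-DIALER0` while connecting to the second public address, and check `show ip nat translations` for the tcp/443 entries on both global addresses.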