11-02-2006 07:15 AM - edited 03-03-2019 02:33 PM
I have tried this configuration in a small lab environment and it was working fine. The
web server was running at 192.168.200.2 address.
Planning to try this at my customers site, but I do not know if there will
be problems with DNS or something else. Does anybody has any experience with this configuration?
In this scenario our customer already has internet connection to ISP1 with static addresses 192.168.200.0/24 and services available for internet users on those addresses.
Customer purchases another internet connection from ISP2 with set of
addresses 192.168.210.0/24. There should not be BGP or any other dynamic
routing protocol running.
The configuration of 1841 router was:
interface FastEthernet0/0
description inside interface
ip address 192.168.200.1 255.255.255.0
ip nat outside
!
interface FastEthernet0/1
description to ISP2
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface Serial0/0/0
description to ISP1
ip address 192.168.2.1 255.255.255.252
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.2.2
ip route 0.0.0.0 0.0.0.0 192.168.1.2 200
!
ip nat outside source static 192.168.200.2 192.168.210.2 extendable add-route
!
11-02-2006 07:27 AM
You can't have an interface for ISP connection as inside. That should be your outside interface for NAT. You would also need some mechanism to send traffic to two interfaces, if you want to use both ISPs simultaneously.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a0080091c8a.shtml
Thanks.
11-02-2006 09:20 AM
Why not?
I have tried "ip nat inside source static" on inside interface as "ip nat inside" and there was problem. The traffic with dst address 192.168.210.2 was returned through serial interface with wrong source address. But with "ip nat outside source static" and "ip nat outside" on inside interface the returning traffic was properly routed to ISP2 with source address 192.168.210.2, according to http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml. The customer would register one more domain as backup and hopefully both dst addresses would be used simultaneously. Further, outbound traffic could be load balanced through policy routing.
Right now I am concerned about DNS and if somebody have suggestions, please reply.
Thanks.
02-15-2010 03:07 AM
Sorry. Thought I have updated this topic. It is working fine since 2006.
If anybody is interested in multihoming here is the router configuration.
The router is 1841 with c1841-advsecurityk9-mz.124-23 IOS
...
ip sla monitor 1
type echo protocol ipIcmpEcho ISP2.Interf.address.29
ip sla monitor schedule 1 life forever start-time now
...
track 123 rtr 1 reachability
delay down 30 up 60
...
interface FastEthernet0/0
description inside interface
ip address ISP1.Scope.address.17 255.255.255.240
ip nat outside
ip route-cache policy
ip policy route-map to_ISP2
!
interface FastEthernet0/1
description to ISP2
ip address ISP2.Interf.address.30 255.255.255.252
ip nat inside
!
interface Serial0/0/0
description to ISP1
ip address ISP1.Interf.addess.106 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 0.0.0.0 0.0.0.0 ISP2.Interf.address.29 200
...
ip nat outside source static ISP1.Scope.address.18 ISP2.Scope.address.168 extendable add-route
ip nat outside source static ISP1.Scope.address.19 ISP2.Scope.address.169 extendable add-route
ip nat outside source static ISP1.Scope.address.21 ISP2.Scope.address.171 extendable add-route
ip nat outside source static ISP1.Scope.address.22 ISP2.Scope.address.172 extendable no-payload add-route
ip nat outside source static ISP1.Scope.address.24 ISP2.Scope.address.174 extendable add-route
ip nat outside source static ISP1.Scope.address.25 ISP2.Scope.address.175 extendable add-route
ip nat outside source static ISP1.Scope.address.26 ISP2.Scope.address.176 extendable add-route
ip nat outside source static ISP1.Scope.address.27 ISP2.Scope.address.177 extendable no-payload add-route
ip nat outside source static ISP1.Scope.address.28 ISP2.Scope.address.178 extendable add-route
ip nat outside source static ISP1.Scope.address.29 ISP2.Scope.address.179 extendable no-payload add-route
ip nat outside source static ISP1.Scope.address.30 ISP2.Scope.address.180 extendable add-route
...
access-list 199 remark deny sends to ISP1 permit sends to ISP2
access-list 199 remark DNS to ISP1
access-list 199 deny ip any host ISP1.DNS.server.1
access-list 199 deny ip any host ISP1.DNS.server.2
access-list 199 permit ip host ISP1.Scope.address.22 any
access-list 199 permit ip host ISP1.Scope.address.30 any
access-list 199 permit ip host ISP2.Scope.address.172 any
access-list 199 permit ip host ISP2.Scope.address.166 any
access-list 199 permit ip host ISP2.Scope.address.168 any
access-list 199 permit ip host ISP2.Scope.address.169 any
access-list 199 permit ip host ISP2.Scope.address.171 any
access-list 199 permit ip host ISP2.Scope.address.174 any
access-list 199 permit ip host ISP2.Scope.address.175 any
access-list 199 permit ip host ISP2.Scope.address.176 any
access-list 199 permit ip host ISP2.Scope.address.177 any
access-list 199 permit ip host ISP2.Scope.address.178 any
access-list 199 permit ip host ISP2.Scope.address.179 any
access-list 199 permit ip host ISP2.Scope.address.180 any
route-map to_ISP2 permit 10
match ip address 199
set ip next-hop verify-availability ISP2.Interf.address.29 10 track 123
Here is ASA configuration.
interface Ethernet0/0
nameif outside
security-level 0
ip address ISP1.Scope.address.18 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address asa-inside 255.255.255.0
!
interface Ethernet0/2
description DMZ
nameif DMZ
security-level 50
ip address 192.168.2.1 255.255.255.0
!
access-list outside_access_in extended permit tcp any host ISP1.Scope.address.25 eq www
access-list outside_access_in extended permit tcp any host ISP1.Scope.address.25 eq https
access-list outside_access_in extended permit tcp any host ISP1.Scope.address.26 eq www
access-list outside_access_in extended permit tcp any host ISP1.Scope.address.27 eq smtp
access-list outside_access_in extended permit tcp any host ISP1.Scope.address.27 eq www
access-list outside_access_in extended permit tcp any host ISP1.Scope.address.27 eq https
global (outside) 1 ISP1.Scope.address.22 netmask 255.0.0.0
nat (inside) 1 access-list inside_nat_outbound_1
static (DMZ,outside) ISP1.Scope.address.25 site1.com netmask 255.255.255.255 tcp 0 100
static (DMZ,outside) ISP1.Scope.address.26 site2.com netmask 255.255.255.255 tcp 0 100
static (DMZ,outside) ISP1.Scope.address.27 site3.com netmask 255.255.255.255 tcp 0 100
route outside 0.0.0.0 0.0.0.0 ISP1.Scope.address.17
How it works?
Incoming traffic:
Packet with destination address ISP1.Scope.address.25 is coming through ISP1,
because this address is from ISP1 scope, and thru Serial0/0/0 and
firewall to the server 192.168.2.25. Source address of the replaying packet
from the server is translated on firewall from 192.168.2.25 to
ISP1.Scope.address.25 and routed to router. Because on the router inside
interface is "ip nat outside" the router first checks NAT table.
And because there is no NAT record matching that packet and there is no maching
permit statement in 199 ACL, the router uses default route and send
it to ISP1 thru Serial0/0/0. All subsequent packets in that connection will use same path.
Packet with destination address ISP2.Scope.address.175 is coming through ISP2
on FastEthernet0/1. On that interface is "ip nat inside" and router still
do not have route to ISP2.Scope.address.175. Because of "ip nat outside source
static ISP1.Scope.address.25 ISP2.Scope.address.175 extendable add-route"
the router dynamically creates related records in NAT and routing tables.
The router translates packet destination address from
ISP2.Scope.address.175 to ISP1.Scope.address.25 and routes it to firewall.
Source address of the returning packet from server is translated on firewall again
from 192.168.2.25 to ISP1.Scope.address.25 and routed to router
inside interface.
Because on the router inside interface is "ip nat outside" the router first checks
NAT table. This time there is matching NAT record. The source
address is translated again from ISP1.Scope.address.25 to ISP2.Scope.address.175
and packet is sent to FastEthernet0/1 regardless of PBR or default route.
All subsequent packets in this connection will use same path.
Outgoing traffic:
Which path the outgoing traffic will prefer is determinated by PBR ACL 199.
If preferred interface is down outgoing traffic will use another
interface/ISP.
It is necessary to add the new addresses in the DNS records for those sites.
The records contain two addresses; one from ISP1 and one from ISP2 scope.
Hope this was useful. Try it and good luck!
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide