Two ISP

w_basheer (Level 1)

Hi;

I need to connect my Internet router, which is in front of the PIX firewall, to two ISPs to achieve:

1) Redundancy

2) Load balance

The NAT is done by the PIX; the following IPs are assigned by the ISPs:

ISP1 : 100.100.100.0/24

(serial 100.100.101.0/30)

ISP2 : 200.200.200.0/24

(serial 200.200.201.0/30)

Please can you check my configs?

====================================

ip subnet-zero
!
interface FastEthernet0/0
 ip address 100.100.x.x 255.255.255.0
 ip address 200.x0.x.1 255.255.255.0 secondary
!
interface Serial0
 description ISP1
 ip address 100.100.x.x 255.255.255.252
!
interface Serial1
 description ISP2
 ip address 200.200.x.x 255.255.255.252
!
ip access-list standard traffic-list
 permit 100.100.100.1 0.0.0.255
 permit 200.200.200.1 0.0.0.255
!
route-map isp1-map permit 10
 match ip address traffic-list
 match interface Serial0
!
route-map isp2-map permit 10
 match ip address traffic-list
 match interface Serial1
!
ip route 0.0.0.0 0.0.0.0 100.100.101.2
ip route 0.0.0.0 0.0.0.0 200.200.201.2


Dear;

My issue is far from DNS or public IPs.

I get 2 Internet connections from different ISPs.

I need to configure load balance and redundancy.

I want to NAT my servers:

- a few servers using real IPs from ISP1

- a few servers using real IPs from ISP2

These servers are not requested by outside clients.

Assume I have 2 proxy servers.

proxy 1: 10.10.100.10 (will be NATted to ISP1)

proxy 2: 10.10.100.20 (will be NATted to ISP2)

In the normal case both will work fine:

proxy 1: will be routed to ISP1, serial0

proxy 2: will be routed to ISP2, serial1

But in case ISP1 FAILS??? Then proxy1 will be routed to serial1 (ISP2),

but ISP2 will not be able to route ISP1's IP address??

That's right? Absolutely YES.

How can I do a dual NAT for each server,

e.g. if ISP1 fails, those servers that use ISP1 real IPs for NAT will use ISP2 real IPs??

I attached a sample config and diagram.

Can you please see them and advise?

Please.

Thanks.

Thanks for the detailed info.

If you have two proxy servers, there should be no issue configuring the rules for the servers in both proxies. Proxy1 uses ISP1 addresses for the NAT of the group A servers and also includes the NAT for the group B servers. But the group B servers will not flow to proxy1 in the normal case. So the complete NAT with ISP1 addresses is still in proxy1, but only the group A servers will use it as the outgoing path.

If the ISP1 link goes down, you may need to disconnect the connection to proxy1 and let all servers flow to proxy2, with proxy2 also configured with the NAT for all servers with ISP2 addresses.

In the above case, the proxy carries the NAT. If the NAT should be carried at the Internet routers, you may consider spreading the Internet router to two and enabling MHSRP between them. Let HSRP group A support the group A servers and HSRP group B support the group B servers. If one of the ISP links goes down, HSRP will be triggered and the other Internet router will respond to all the traffic flow. Then you can configure the NAT for all servers at both Internet routers.

In the above solution we don't need policy-based routing, and the selection of the HSRP GW will be the point that selects which ISP is used for Internet traffic.

You are correct that an ISP cannot advertise another ISP's addresses.

Hope this helps.

Dear Sir;

Each ISP is in a different subnet, a different class; I can't do HSRP.

The main question is:

How can I recover NAT in case one of the ISPs fails? For the NATted servers whose ISP has failed, I need to re-NAT the servers to the other ISP.

Please help;

HSRP is enabled on the LAN side; it is not related to the ISP addresses. You can enable NAT at the Internet router for outgoing traffic. The ISP addresses are enabled on the WAN side only and need not be applied to the LAN side of the Internet router.

The operation of the proposed design is: if traffic follows the HSRP GW and then goes to the Internet router for ISP1, it will use the NAT rules at the ISP1 Internet router. The rules in the Internet router will include all servers (both group A and B). But we can use the HSRP group to decide which group uses which ISP for outgoing traffic. Therefore, in the normal case, each group of servers will go to the Internet according to its HSRP GW setting, i.e. only part of the NAT rules are hit. If one of the ISPs goes down, HSRP will be triggered and let the other Internet router be the GW; then all servers will use the NAT rules in the live Internet router automatically. Because you pre-configure all NAT rules in both Internet routers but only use part of them, you don't need to re-NAT if an ISP goes down.

Please feel free to advise if there is any question. Hope this helps, but you require two Internet routers for this solution.
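The dual-router MHSRP design described in the reply above, written out as an added example (it is not the thread's own config and was not posted by either participant). Assumptions: R1 holds the ISP1 link and R2 the ISP2 link, each on its own Serial0; the HSRP virtual addresses 10.10.100.251/.252, the priorities, the router LAN addresses, the proxy global addresses and the ISP next hops (.2 on each /30) are illustrative values chosen here. Group A servers (e.g. 10.10.100.10) point their default gateway at 10.10.100.251, group B servers (e.g. 10.10.100.20) at 10.10.100.252.

```cisco
! ===== R1 (ISP1 router) =====
interface FastEthernet0/0
 ip address 10.10.100.2 255.255.255.0
 ip nat inside
 ! group 1 (gateway for group A): R1 is active; if Serial0 goes down the
 ! priority drops 110 -> 90, below R2's 100, and R2 takes the .251 address
 standby 1 ip 10.10.100.251
 standby 1 priority 110
 standby 1 preempt
 standby 1 track Serial0 20
 ! group 2 (gateway for group B): R1 is only the standby
 standby 2 ip 10.10.100.252
 standby 2 priority 100
 standby 2 preempt
!
interface Serial0
 description ISP1
 ip address 100.100.101.1 255.255.255.252
 ip nat outside
!
! Both server groups are translated to ISP1 addresses here; in the normal
! case only group A traffic arrives, so only its entries are used.
ip nat inside source static 10.10.100.10 100.100.100.10
ip nat inside source static 10.10.100.20 100.100.100.20
ip route 0.0.0.0 0.0.0.0 100.100.101.2
!
! ===== R2 (ISP2 router) =====
interface FastEthernet0/0
 ip address 10.10.100.3 255.255.255.0
 ip nat inside
 ! group 1: standby for the group A gateway
 standby 1 ip 10.10.100.251
 standby 1 priority 100
 standby 1 preempt
 ! group 2: active for the group B gateway, fails over if Serial0 goes down
 standby 2 ip 10.10.100.252
 standby 2 priority 110
 standby 2 preempt
 standby 2 track Serial0 20
!
interface Serial0
 description ISP2
 ip address 200.200.201.1 255.255.255.252
 ip nat outside
!
! Mirror image: both groups pre-configured with ISP2 addresses.
ip nat inside source static 10.10.100.10 200.200.200.10
ip nat inside source static 10.10.100.20 200.200.200.20
ip route 0.0.0.0 0.0.0.0 200.200.201.2
```

Verify the split with `show standby brief` on both routers (R1 active for group 1, R2 active for group 2) and `show ip nat translations` after sending traffic from each group. Interface tracking only reacts to the serial line protocol going down; an upstream failure with the link still up is not detected, which is the case an IP SLA probe with object tracking (`standby 1 track <object> decrement 20`) covers. Sessions that were open through the failed ISP are lost on failover and are re-established from the other ISP's address.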

Sir;

Thanks; now you get me, but the problem is: I have just one router; there's no budget to get another.

I have to do the scenario to support:

- Load balance: distribute the NATted servers; some use ISP1 IPs, some use ISP2 IPs.

- Redundancy: if one ISP fails then all NATted servers will be redirected to the second ISP.

My problem is not with load balance or redundancy.

My problem is in re-NATting the servers which use the failed ISP's IP addresses.

Thanks a lot;

Sorry for proposing such a solution if you cannot prepare dual routers.

According to Cisco's doc., the keyword "extendable" will allow two NAT rules with the same local IP. And you don't need the route-map in NAT. I revised the config provided by you as below:

e.g.

ip nat inside source static 10.10.100.10 192.168.1.100 extendable
ip nat inside source static 10.10.100.10 192.168.2.100 extendable
ip nat inside source static 10.10.100.20 192.168.1.200 extendable
ip nat inside source static 10.10.100.20 192.168.2.200 extendable
!
! standard ACL 1 now matches only 10.10.100.20 (the server that should use ISP2)
no access-list 1 permit 10.10.100.0 0.0.0.255
access-list 1 permit 10.10.100.20
!
no route-map isp1 permit 10
!
! route-map referenced by the PBR below: source 10.10.100.20 is sent out Serial1
route-map isp2 permit 10
 match ip address 1
 set interface Serial1
!
interface FastEthernet0/0
 ip policy route-map isp2
!
! floating static: only installed when the Serial0 default route disappears
no ip route 0.0.0.0 0.0.0.0 Serial1
ip route 0.0.0.0 0.0.0.0 Serial1 200

I am sorry that I can't verify the config in a router. Let me explain my idea and please check if it works for you.

Configure the static NAT with the extendable keyword to allow two NAT rules with the same local IP. Configure the route-map isp2 for policy-based routing. Apply this PBR to the LAN interface, i.e. if the source address is 10.10.100.20 then forward the traffic to serial 1; otherwise, use the routing table for the outgoing path. Configure a floating static route to protect against ISP1 going down. If ISP1 goes down, the floating static route will appear in the routing table and all traffic will use serial 1 as the outgoing path. If ISP2 goes down, the PBR will not work and all traffic will flow to serial 0 for outgoing.

Could you please try it and advise the result? Please comment if you find any problem.

The original route-map in your config is in the policy-based routing format; it cannot be used for NAT. Check the link below for more NAT info.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a0080091cb9.shtml

Hope this helps.

Thank you for your effort.

I will try this and tell you

Regards

Hi;

please can you check my config

ip subnet-zero
!
interface FastEthernet0/0
 ip address 10.10.100.1 255.255.255.0
 ip nat inside
!
interface Serial0
 description ISP1
 ip address 192.168.1.100 255.255.255.252
 ip nat outside
!
interface Serial1
 description ISP2
 ip address 192.168.2.100 255.255.255.252
 ip nat outside
 ip policy route-map isp2-map
!
! ---- Track the next hop's reachability.
track 123 rtr 1 reachability
!
rtr 1
 type echo protocol ipIcmpEcho 192.168.2.100
rtr schedule 1 life forever start-time now
! ----
! access list to match SRV1
ip access-list standard traffic-list
 permit 10.10.100.10
!
! if my source is SRV1 and the destination is reachable then apply this route map
route-map isp2-map permit 10
 match ip address traffic-list
 set ip next-hop verify-availability 192.168.2.100 10 track 123
!
ip nat inside source static 10.10.100.10 192.168.1.100 extendable
ip nat inside source static 10.10.100.20 192.168.1.100 extendable
ip nat inside source static 10.10.100.20 192.168.2.100 extendable
ip nat inside source static 10.10.100.10 192.168.2.100 extendable
!
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 0.0.0.0 0.0.0.0 Serial1 220


The PBR "ip policy route-map isp2-map" should be placed under FE 0/0 instead of S1, because you want to examine the traffic from FE 0/0 and redirect it to S1 if it is from 10.10.100.10.

The address under rtr should be the next-hop address instead of the local interface address, i.e. 192.168.2.x (the remote directly connected interface address).

e.g.

rtr 1
 type echo protocol ipIcmpEcho 192.168.2.x

Similarly, the next-hop IP in the route-map should be the remote IP address.

e.g.

route-map isp2-map permit 10
 match ip address traffic-list
 set ip next-hop verify-availability 192.168.2.x 10 track 123

Please modify it and check again.

Please check the link below for a PBR + tracking config sample.

http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a0080211f5c.shtml

Hope this helps.
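The single-router design worked out across the two replies above (static NAT for each proxy under both ISPs, PBR on the LAN interface for the ISP2 group with a tracked next hop, a floating static default route for ISP1 failure), assembled into one added example. This is not the thread's own config and was not posted by either participant. It uses the addressing from the first post (ISP1 block 100.100.100.0/24 with serial 100.100.101.0/30, ISP2 block 200.200.200.0/24 with serial 200.200.201.0/30); the host addresses on each /30, the ISP next hops (.2), the global address given to each proxy, the probe frequency and the ip sla/track numbers are assumptions. One addition to the reply's approach: each static entry carries a route-map matching the outgoing interface, so the translation follows whichever ISP the packet actually leaves on instead of relying on entry order; the `ip nat inside source static ... route-map ... extendable` form and the `ip sla` syntax (rather than the older `rtr` form used in the thread) are assumed to be available on the router's IOS.

```cisco
! Added example: single router, two ISPs, per-ISP static NAT with failover.
interface FastEthernet0/0
 description LAN (proxy servers)
 ip address 10.10.100.1 255.255.255.0
 ip nat inside
 ip policy route-map PBR-ISP2
!
interface Serial0
 description ISP1
 ip address 100.100.101.1 255.255.255.252
 ip nat outside
!
interface Serial1
 description ISP2
 ip address 200.200.201.1 255.255.255.252
 ip nat outside
!
! Probe each ISP's next hop out of its own link (assumed addresses .2).
! On older IOS the equivalent is "rtr 1 / type echo protocol ipIcmpEcho ...".
ip sla 1
 icmp-echo 100.100.101.2 source-interface Serial0
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 200.200.201.2 source-interface Serial1
 frequency 10
ip sla schedule 2 life forever start-time now
!
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Group B (proxy2) is policy-routed to ISP2 while track 2 is up; when the
! probe fails the set clause is skipped and the packet follows the routing table.
ip access-list standard GROUP-B
 permit host 10.10.100.20
!
route-map PBR-ISP2 permit 10
 match ip address GROUP-B
 set ip next-hop verify-availability 200.200.201.2 10 track 2
!
! The translation is selected by the interface the packet leaves on, so the
! same inside host gets an ISP1 address on Serial0 and an ISP2 address on Serial1.
route-map NAT-ISP1 permit 10
 match interface Serial0
route-map NAT-ISP2 permit 10
 match interface Serial1
!
! Assumed syntax: static NAT entry qualified by a route-map, plus extendable
! so that one inside address may appear in more than one entry.
ip nat inside source static 10.10.100.10 100.100.100.10 route-map NAT-ISP1 extendable
ip nat inside source static 10.10.100.10 200.200.200.10 route-map NAT-ISP2 extendable
ip nat inside source static 10.10.100.20 100.100.100.20 route-map NAT-ISP1 extendable
ip nat inside source static 10.10.100.20 200.200.200.20 route-map NAT-ISP2 extendable
!
! Primary default via ISP1 is withdrawn when track 1 fails; the floating static
! (AD 220) via ISP2 then carries everything, group A included.
ip route 0.0.0.0 0.0.0.0 100.100.101.2 track 1
ip route 0.0.0.0 0.0.0.0 200.200.201.2 220
```

To check the behaviour, watch `show track`, `show ip route 0.0.0.0` and `show ip nat translations` while the ISP1 probe target is unreachable: the tracked default route should disappear, the floating static should install, and traffic from 10.10.100.10 should now be translated to 200.200.200.10. Open sessions that were using an ISP1 address do not survive the switch; they time out and are rebuilt from the ISP2 address. Because each static entry is also an inbound mapping, both global addresses of a proxy are reachable from the Internet on whichever link is up, so the PIX behind the router remains the place where that inbound exposure is filtered.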

Thanks;

I will try it