09-17-2006 12:18 AM - edited 03-03-2019 02:01 PM
Hi,
I need to connect my Internet router, which is in front of a PIX firewall, to two ISPs to achieve:
1) Redundancy
2) Load balancing
NAT is done by the PIX. The following IPs are taken from the ISPs:
ISP1: 100.100.100.0/24
(serial 100.100.101.0/30)
ISP2: 200.200.200.0/24
(serial 200.200.201.0/30)
Please can you check my configs?
====================================
ip subnet-zero
!
interface FastEthernet0/0
 ip address 100.100.x.x 255.255.255.0
 ip address 200.x0.x.1 255.255.255.0 secondary
!
interface Serial0
 description ISP1
 ip address 100.100.x.x 255.255.255.252
!
interface Serial1
 description ISP2
 ip address 200.200.x.x 255.255.255.252
!
ip access-list standard traffic-list
 permit 100.100.100.1 0.0.0.255
 permit 200.200.200.1 0.0.0.255
!
route-map isp1-map permit 10
 match ip address traffic-list
 match interface Serial0
!
route-map isp2-map permit 10
 match ip address traffic-list
 match interface Serial1
!
ip route 0.0.0.0 0.0.0.0 100.100.101.2
ip route 0.0.0.0 0.0.0.0 200.200.201.2
09-19-2006 03:58 AM
Dear Sir,
My issue is far from DNS or public IPs.
I get 2 Internet connections from different ISPs.
I need to configure load balancing and redundancy.
I want to NAT my servers:
- a few servers using real IPs from ISP1
- a few servers using real IPs from ISP2
These servers are not requested by outside clients.
Assume I have 2 proxy servers.
proxy 1: 10.10.100.10 (will be NATted to ISP1)
proxy 2: 10.10.100.20 (will be NATted to ISP2)
In the normal case both will work fine:
proxy 1: will be routed to ISP1 (Serial0)
proxy 2: will be routed to ISP2 (Serial1)
But in case ISP1 FAILS??? Then proxy 1 will be routed to Serial1 (ISP2),
but ISP2 will not be able to route ISP1 IP addresses??
Is that right? Absolutely YES.
How can I do a dual NAT for each server,
e.g. if ISP1 fails, those servers which use ISP1 real IPs for NAT will use ISP2 real IPs??
I attached a sample config and diagram.
Can you please see them and advise?
Please.
Thanks.
09-19-2006 07:56 PM
Thanks for the detailed info.
If you have two proxy servers, there should be no issue configuring the rules for the servers in both proxies. Proxy1 uses ISP1 addresses for the NAT of the group A servers and also includes the NAT for the group B servers. But the group B servers will not flow to proxy1 in the normal case. So the complete NAT with ISP1 addresses is still in proxy1, but only the group A servers will use it as the outgoing path.
If the ISP1 link goes down, you may need to disconnect the connection to proxy1, then let all servers flow to proxy2, with proxy2 also configured with the NAT for all servers using ISP2 addresses.
In the above case, the proxies carry the NAT. If the NAT should be carried out at the Internet routers, you may consider spreading the Internet router function across two routers and enabling MHSRP between them. Let HSRP group A support the group A servers and HSRP group B support the group B servers. If one of the ISP links goes down, HSRP will be triggered and the other Internet router will handle all the traffic flow. Then you can configure the NAT for all servers at both Internet routers.
In the above solution, we don't need policy-based routing, and the selection of the HSRP gateway will be the point that selects which ISP is used for Internet traffic.
You are correct that an ISP cannot advertise other ISPs' addresses.
Hope this helps.
09-19-2006 10:50 PM
Dear Sir,
Each ISP is in a different subnet, a different class; I can't do HSRP.
The main question is:
How can I recover NAT in case one of the ISPs fails? For the NATted servers whose ISP has failed, I need to re-NAT the servers to the other ISP.
Please help.
09-19-2006 11:23 PM
HSRP is enabled on the LAN side; it is not related to the ISP addresses. You can enable NAT on the Internet router for outgoing traffic. The ISP addresses will be used on the WAN side only and need not be applied to the LAN side of the Internet router.
The operation of the proposed design is: if traffic follows the HSRP gateway and goes to the Internet router for ISP1, it will use the NAT rules on the ISP1 Internet router. The rules in the Internet router will include all servers (both groups A and B), but we can use the HSRP group to decide which group uses which ISP for outgoing traffic. Therefore, in the normal case, each group of servers will go to the Internet according to the HSRP gateway setting, i.e. only part of the NAT rules are hit. If one of the ISPs goes down, HSRP will be triggered and the other Internet router becomes the gateway; then all servers will use the NAT rules on the live Internet router automatically. Because you pre-configure all NAT rules on both Internet routers but only use part of them, you don't need to re-NAT if an ISP goes down.
Please feel free to ask if there is any question. Hope this helps, but you need two Internet routers for this solution.
09-20-2006 01:35 AM
Sir,
Thanks; now you get me. But the problem is: I have just one router; there's no budget to get another.
I have to make the scenario support:
- Load balancing: distribute the NATted servers; some use ISP1 IPs, some use ISP2 IPs
- Redundancy: if one ISP fails then all NATted servers will be redirected to the second ISP.
My problem is not with load balancing or redundancy.
My problem is in re-NATting the servers which use the failed ISP's IP addresses.
Thanks a lot.
09-20-2006 05:34 PM
Sorry for proposing such a solution if you cannot arrange dual routers.
According to Cisco's documentation, the keyword "extendable" will allow two NAT rules with the same local IP. And you don't need the route-map in NAT. I have revised the config you provided as below:
e.g.
ip nat inside source static 10.10.100.10 192.168.1.100 extendable
ip nat inside source static 10.10.100.10 192.168.2.100 extendable
ip nat inside source static 10.10.100.20 192.168.1.200 extendable
ip nat inside source static 10.10.100.20 192.168.2.200 extendable
!
! standard ACL 1 takes a source address only; match just the server that should prefer ISP2
no access-list 1 permit 10.10.100.0 0.0.0.255
access-list 1 permit 10.10.100.20
!
! PBR: source 10.10.100.20 goes out Serial1; everything else follows the routing table
no route-map isp1 permit 10
route-map isp2 permit 10
 match ip address 1
 set interface Serial1
!
interface FastEthernet0/0
 ip policy route-map isp2
!
! floating static: the Serial1 default only appears if the Serial0 default goes away
no ip route 0.0.0.0 0.0.0.0 Serial1
ip route 0.0.0.0 0.0.0.0 Serial1 200
I am sorry that I can't verify the config in a router. Let me explain my idea and please check if it works for you.
Configure the static NAT with the extendable keyword to allow two NAT rules with the same local IP. Configure the route-map isp2 for policy-based routing. Apply this PBR to the LAN interface, i.e. if the source address is 10.10.100.20 then forward the traffic to Serial1; otherwise, use the routing table for the outgoing path. Configure a floating static route to cover ISP1 going down. If ISP1 goes down, the floating static route will appear in the routing table and all traffic will use Serial1 as the outgoing path. If ISP2 goes down, the PBR will not work and all traffic will flow to Serial0 for outgoing.
Could you please try it and advise the result. Please comment if you find any problem.
The original route-map in your config is in policy-based routing format; it cannot be used for NAT. Check the link below for more NAT info.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a0080091cb9.shtml
Hope this helps.
09-20-2006 09:51 PM
Thank you for your effort.
I will try this and tell you.
Regards
09-26-2006 11:07 AM
Hi,
Please can you check my config?
ip subnet-zero
!
interface FastEthernet0/0
 ip address 10.10.100.1 255.255.255.0
 ip nat inside
!
interface Serial0
 description ISP1
 ip address 192.168.1.100
 ip nat outside
!
interface Serial1
 description ISP2
 ip address 192.168.2.100
 ip nat outside
 ip policy route-map isp2-map
!
! Track router 1's reachability.
track 123 rtr 1 reachability
!
rtr 1
 type echo protocol ipIcmpEcho 192.168.2.100
rtr schedule 1 life forever start-time now
!
! access list to match SRV1
ip access-list standard traffic-list
 permit 10.10.100.10
!
! if my source is SRV1 and the destination is reachable then apply this route map
route-map isp2-map permit 10
 match ip address traffic-list
 set ip next-hop verify-availability 192.168.2.100 track 123
!
ip nat inside source static 10.10.100.10 192.168.1.100 extendable
ip nat inside source static 10.10.100.20 192.168.1.100 extendable
ip nat inside source static 10.10.100.20 192.168.2.100 extendable
ip nat inside source static 10.10.100.10 192.168.2.100 extendable
!
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 0.0.0.0 0.0.0.0 Serial1 220
09-26-2006 05:18 PM
The PBR "ip policy route-map isp2-map" should be placed under FE 0/0 instead of S1, because you want to examine the traffic coming in on FE 0/0 and redirect it to S1 if it is from 10.10.100.10.
The address under rtr should be the next-hop address instead of the local interface address, i.e. 192.168.2.x (the remote directly connected interface address).
e.g.
rtr 1
 type echo protocol ipIcmpEcho 192.168.2.x
Similarly, the next-hop IP in the route-map should be the remote IP address.
e.g.
route-map isp2-map permit 10
 match ip address traffic-list
 set ip next-hop verify-availability 192.168.2.x track 123
Please modify it and check again.
Please check the link below for a PBR + tracking config sample.
http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a0080211f5c.shtml
Hope this helps.
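As an added example (not part of the thread and not a Cisco tool), the following Python linter parses a constructed copy of the 09-26-2006 config and reports the three mistakes pointed out in this reply: the policy route-map applied on the wrong interface, the rtr echo target set to a local address, and the route-map next hop set to a local address. It also adds one check the reply does not mention: two inside locals mapped to the same inside global, which leaves inbound traffic to that global with no unambiguous translation. The /30 serial masks, the function names and the wording of the findings are assumptions; the parser understands only the handful of IOS commands used in the thread.

```python
"""Added example: lint a Cisco IOS dual-ISP PBR + NAT config for the mistakes raised in the replies above."""
import ipaddress

# Constructed copy of the 09-26-2006 config (serial masks assumed /30); the reply's fixes are left unapplied.
POSTED_CONFIG = """\
interface FastEthernet0/0
 ip address 10.10.100.1 255.255.255.0
 ip nat inside
interface Serial0
 ip address 192.168.1.100 255.255.255.252
 ip nat outside
interface Serial1
 ip address 192.168.2.100 255.255.255.252
 ip nat outside
 ip policy route-map isp2-map
track 123 rtr 1 reachability
rtr 1
 type echo protocol ipIcmpEcho 192.168.2.100
ip access-list standard traffic-list
 permit 10.10.100.10
route-map isp2-map permit 10
 match ip address traffic-list
 set ip next-hop verify-availability 192.168.2.100 track 123
ip nat inside source static 10.10.100.10 192.168.1.100 extendable
ip nat inside source static 10.10.100.20 192.168.1.100 extendable
ip nat inside source static 10.10.100.20 192.168.2.100 extendable
ip nat inside source static 10.10.100.10 192.168.2.100 extendable
"""


def parse_ios(config: str) -> dict:
    """Minimal IOS parser: keeps only the objects the checks need."""
    cfg = {"interfaces": {}, "acls": {}, "rtr": {}, "route_maps": {}, "nat_static": []}
    section = None
    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0].startswith("!"):
            continue
        if not raw.startswith(" "):  # top-level command: closes any open block
            section = None
            if w[0] == "interface":
                section = ("interface", w[1])
                cfg["interfaces"][w[1]] = {"ip": None, "policy": None}
            elif w[:2] == ["ip", "access-list"]:
                section = ("acl", w[3])
                cfg["acls"].setdefault(w[3], [])
            elif w[0] == "rtr" and len(w) == 2:
                section = ("rtr", w[1])
            elif w[0] == "route-map":
                section = ("route-map", w[1])
                cfg["route_maps"].setdefault(w[1], {"acl": None, "next_hop": None})
            elif w[:5] == ["ip", "nat", "inside", "source", "static"]:
                cfg["nat_static"].append((w[5], w[6]))
            continue
        kind, name = section or (None, None)
        if kind == "interface" and w[:2] == ["ip", "address"]:
            cfg["interfaces"][name]["ip"] = ipaddress.IPv4Interface(f"{w[2]}/{w[3]}")
        elif kind == "interface" and w[:3] == ["ip", "policy", "route-map"]:
            cfg["interfaces"][name]["policy"] = w[3]
        elif kind == "acl" and w[0].lower() == "permit":
            # IOS wildcard bits set to 0 must match, so 0.0.0.0 (or no wildcard) is a single host
            prefix = 32 - bin(int(ipaddress.IPv4Address(w[2]))).count("1") if len(w) > 2 else 32
            cfg["acls"][name].append(ipaddress.IPv4Network(f"{w[1]}/{prefix}", strict=False))
        elif kind == "rtr" and w[:4] == ["type", "echo", "protocol", "ipIcmpEcho"]:
            cfg["rtr"][name] = ipaddress.IPv4Address(w[4])
        elif kind == "route-map" and w[:3] == ["match", "ip", "address"]:
            cfg["route_maps"][name]["acl"] = w[3]
        elif kind == "route-map" and w[:3] == ["set", "ip", "next-hop"]:
            i = 4 if w[3] == "verify-availability" else 3  # next-hop [verify-availability] A.B.C.D [track N]
            cfg["route_maps"][name]["next_hop"] = ipaddress.IPv4Address(w[i])
    return cfg


def lint(config: str) -> list:
    """One finding per mistake; an empty list means the config passes these checks."""
    cfg = parse_ios(config)
    local_ips = {i["ip"].ip for i in cfg["interfaces"].values() if i["ip"]}
    out = []
    # 1. PBR is evaluated on ingress, so it belongs on the interface the matched sources sit behind.
    for ifname, iface in cfg["interfaces"].items():
        rm = cfg["route_maps"].get(iface["policy"]) or {"acl": None}
        for net in cfg["acls"].get(rm["acl"], []):
            ingress = [n for n, i in cfg["interfaces"].items() if i["ip"] and net.subnet_of(i["ip"].network)]
            if ifname not in ingress:
                out.append(f"PBR {iface['policy']} on {ifname}: source {net} enters via {ingress}")
    # 2./3. The echo target and the PBR next hop must be the ISP peer, never one of our own addresses.
    for rid, target in cfg["rtr"].items():
        if target in local_ips:
            out.append(f"rtr {rid}: echo target {target} is a local interface address")
    for name, rm in cfg["route_maps"].items():
        if rm["next_hop"] in local_ips:
            out.append(f"route-map {name}: next-hop {rm['next_hop']} is a local interface address")
    # 4. A 1:1 static global shared by two locals has no unambiguous inbound translation.
    by_global = {}
    for local, glob in cfg["nat_static"]:
        by_global.setdefault(glob, []).append(local)
    for glob, locals_ in sorted(by_global.items()):
        if len(locals_) > 1:
            out.append(f"NAT: inside global {glob} maps to {len(locals_)} inside locals {locals_}")
    return out
```

lint(POSTED_CONFIG) returns five findings for the config as posted. Applying the reply's corrections (policy moved under FastEthernet0/0, probe target and next hop changed to the ISP2 peer address) and giving each server its own inside global brings the list to empty.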
09-26-2006 11:52 PM
Thanks,
I will try it.