I would like to be able to use 2 ISPs to route inbound traffic to a single internal web server on a private IP. I’m using a 2800 series router with 2 ethernet ports. In the event that either ISP is down, this setup will allow for quick (and scriptable) failover via changes to public DNS.
example static IP address for ISP1: 173.x.x.226 (gateway address ending in .238)
example static IP address for ISP2: 69.x.x.196 (gateway address ending in .193)
example internal IP: 10.0.1.9
Here are some relevant parts of the running configuration:
/* I'm using static mappings like these (ISP1 public address on port 80, ISP2 public address mapped to server port 81): */
ip nat inside source static tcp 10.0.1.9 80 173.x.x.226 80 extendable
ip nat inside source static tcp 10.0.1.9 81 69.x.x.196 80 extendable
/* two ethernet interfaces: LAN side (NAT inside, policy routing applied here) and ISP side (NAT outside, both ISP subnets on one interface) */
interface FastEthernet0/0
 description FastEthernet to LAN
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 ip route-cache flow
 ip policy route-map isp-egress-map
 no ip mroute-cache
 load-interval 30
 duplex auto
 speed auto
 no mop enabled
interface FastEthernet0/1
 description FastEthernet to ISP1 and to ISP2
 ip address 173.x.x.237 255.255.255.240 secondary
 ip address 69.x.x.194 255.255.255.248
 ip nat outside
 ip route-cache flow
 no ip mroute-cache
 load-interval 30
 duplex auto
 speed auto
/* two default routes with the faster ISP using the lower metric (the .238 route is a floating static that takes over only if the .193 route is withdrawn): */
ip route 0.0.0.0 0.0.0.0 69.x.x.193 10
ip route 0.0.0.0 0.0.0.0 173.x.x.238 11
/* an ACL matching everything sourced from the inside server */
access-list 196 permit ip host 10.0.1.9 any
/* version 1: send the server's replies toward ISP2 (note: .196 is the ISP2 public NAT address; the ISP2 gateway listed above ends in .193) */
route-map isp-egress-map permit 10
 match ip address 196
 set ip next-hop 69.x.x.196
–or– (not both route-maps at once, since they share a common ACL)
/* version 2: send the server's replies toward the ISP1 gateway */
route-map isp-egress-map permit 10
 match ip address 196
 set ip next-hop 173.x.x.238
This configuration works for only one of the ISPs, depending on which version of the above route-map I use. Since the internal server is always at 10.0.1.9, I'm not sure how to differentiate which ISP to route the outbound traffic to. Clearly, using the inside IP is not working, since it's always the same.
I've tried applying a modified version of this route-map on the inbound interface fe0/1, and used the outside address rather than the private address to do my matching against. This appears to fail as well, probably since NAT happens before IP policy routing (according to Cisco's NAT order of operations for outside-to-inside traffic).
Any help will be appreciated.
Tagged as: cache flow, DNS, NAT, Two ISPs to a single inside server on 2800 series router
What's the reason for having two redundant ISP links and configuring both of them under one interface?
It's better to configure them under two different interfaces;
then you can have more controlled and redundant links.
See the link below if you are going to configure two links; it will help you:
https://supportforums.cisco.com/docs/DOC-8313
Good luck.
Thanks for the reply. Shortly after my post, I gave up on my original approach and went with two different interfaces (like you’ve suggested). In fact I didn’t even need to run two interfaces, but rather just two different IPs (on different private subnets) to each server interface where I need redundant internet connections. This also required adding a secondary address to the LAN interface on the Cisco and a few new static NAT entries. With this setup, I’ve got plenty of flexibility on route-maps, and can set the next-hop based on the (now) unique internal IPs.
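The approach the poster settled on in the comment above is the fix for the problem in the question: the policy route-map needs something unique per ISP to match on, and with a single inside address (10.0.1.9 for both mappings) there is nothing to distinguish the two flows, whether the match is done on the inside interface or on the outside interface. Giving the server a second private address on its own subnet and one static NAT entry per inside address makes the server's replies distinguishable by source IP before NAT. What that looks like as a complete IOS configuration is shown below. This is an added example, not the poster's running configuration or anything from Cisco; the public addresses are the post's (octets elided as in the post), while the second private subnet 10.0.2.0/24, the server's second address 10.0.2.9, the LAN secondary address 10.0.2.1 and access lists 101 and 102 are assumed values.

```cisco
! Added example (not the original poster's config). Assumed values:
! 10.0.2.0/24 as the second private subnet, 10.0.2.9 as the server's second
! address, 10.0.2.1 as the LAN secondary address, ACLs 101 and 102.

! LAN interface carries both private subnets. Policy routing is applied here
! because the server's replies enter the router on this interface, and for
! inside-to-outside traffic IOS evaluates PBR before NAT, so the ACLs below
! still see the untranslated 10.0.1.9 / 10.0.2.9 source addresses.
interface FastEthernet0/0
 description FastEthernet to LAN
 ip address 10.0.2.1 255.255.255.0 secondary
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 ip policy route-map isp-egress-map

! Outside interface as in the post: both ISP subnets on one port.
interface FastEthernet0/1
 description FastEthernet to ISP1 and to ISP2
 ip address 173.x.x.237 255.255.255.240 secondary
 ip address 69.x.x.194 255.255.255.248
 ip nat outside

! One static mapping per public address, each to a distinct inside address.
! The server listens on port 80 on both 10.0.1.9 and 10.0.2.9, so the
! port-81 workaround from the question is no longer needed.
ip nat inside source static tcp 10.0.1.9 80 173.x.x.226 80 extendable
ip nat inside source static tcp 10.0.2.9 80 69.x.x.196 80 extendable

! Default routes as in the post: ISP2 preferred, ISP1 as a floating static.
! These only matter for traffic the route-map does not catch.
ip route 0.0.0.0 0.0.0.0 69.x.x.193 10
ip route 0.0.0.0 0.0.0.0 173.x.x.238 11

! One ACL per inside address; the server's replies carry the inside address
! as their source when PBR sees them.
access-list 101 permit ip host 10.0.1.9 any
access-list 102 permit ip host 10.0.2.9 any

! Replies from 10.0.1.9 (the 173.x.x.226 mapping) leave via the ISP1 gateway;
! replies from 10.0.2.9 (the 69.x.x.196 mapping) leave via the ISP2 gateway.
! The next-hop is the ISP's gateway address, not the NATed public address.
route-map isp-egress-map permit 10
 match ip address 101
 set ip next-hop 173.x.x.238
route-map isp-egress-map permit 20
 match ip address 102
 set ip next-hop 69.x.x.193
! Packets matching neither sequence fall through to normal routing.
```

To check it, request each public address from outside and confirm the reply leaves through the matching gateway: `show route-map isp-egress-map` shows the policy-routing match counters for sequences 10 and 20, `show ip nat translations` shows which inside address each public address maps to, and `debug ip policy` (on a test flow only, since it logs every policy-routed packet) shows the next-hop chosen. One caveat a practitioner should keep in mind: `set ip next-hop` does not check that the gateway is reachable. Because both ISPs hang off the same physical port, the interface stays up when one provider's uplink fails, and replies for that provider's mapping keep being sent to the dead gateway; the poster's DNS-based failover covers the inbound side, and if the router itself should fall back to the routing table, IOS offers `set ip next-hop verify-availability` tied to an IP SLA track object as an alternative to the plain `set ip next-hop` used here.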