Can I use PBR to get traffic to flow from two ISPs to a single host inside a PIX without BGP?

Here is the general scenario. (the IPs have been changed to protect the guilty)

I have two ISPs. I want all outbound traffic going through ISP A. I have a server I want published on ISP A. I also want the server published on ISP B. I have a router in front of the PIX with three interfaces to do policy based routing. I have a small /29 block of IPs from each ISP. Can I do this without doing double NAT (once on the router and once on the PIX)? Is there another way to do this without adding hardware?

ISPA 1.1.1.1        ISPB 2.2.2.2
      |                         |
      |                         |
       Router doing PBR
             10.1.1.1
                  |
                  |
                PIX
                  |
                  |
   Published server 172.26.1.1


 
theedgeheadAsked:

td_milesCommented:
It sounds like you are wanting redundant routing via two ISPs but on the cheap. The way you would usually do this is to get an autonomous block of IP addresses allocated to you (usually a minimum of a Class C), then get yourself two ISPs and advertise this address space with both of them, so that they could route it to you. You would then set up a dynamic routing protocol to route it via whichever ISP you wanted, with load balancing/redundancy as you see fit.

What you are suggesting is not possible: you cannot NAT the same internal address to two separate public addresses. NAT just doesn't work that way.

An alternative might be to give your published server two separate IP addresses. You could then NAT one to the IP address of ISP A and the other to the IP address of ISP B.

As you are wanting to have two different published addresses for your server, how are you going to use both addresses? Are you going to use round-robin DNS? If so, then half of your traffic will come/go over each of your two ISPs (assuming an even 50/50 split by the DNS, which is what it should do).

Maybe a better explanation of what you are trying to achieve might help?
0
theedgeheadAuthor Commented:
We are actually doing this with the hardware we have now. It's old and we were looking at replacing it, but I'm finding we cannot do so easily and keep the same functionality. We have an Instant Internet from Bay Networks with a T1 interface and two Ethernet interfaces. We have an ISP on the T1 and one on the Ethernet. It actually allows us to NAT in to the same host from each outside connection. We have mail, web, and VPN servers running on the inside, as well as our public DNS server.

I am now faced with duplicating this with a PIX but have not found a good way to do it with a single PIX. I know I can use policy based routing to manage outbound traffic, and I think I can do that with one router that has three interfaces in front of the firewall. I was not sure I could do the same with inbound. I thought perhaps I could do a one-to-one NAT in the router and then NAT at the PIX, but the PIX will not let me NAT two outside IPs to one internal. I suppose I could assign a second IP to the internal server?
0
td_milesCommented:
OK, I should have been more specific (instead of blunt, my apologies). I meant that a PIX won't let you do that. As an example from a PIX:

fw1(config)# static (inside,outside) x.y.144.34 192.168.1.34
fw1(config)# static (inside,outside) x.y.144.36 192.168.1.34
ERROR: static overlaps with x.y.144.34 to 192.168.1.34

You'd have to look for another piece of hardware (i.e. something similar to what you have) that does support multihomed NAT if you want to do it with a single IP on the internal server.


0
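An added worked configuration (not from the thread, nor a vendor example) showing the two-internal-address alternative on the PIX together with the PBR router in front of it, so that replies to the ISP B published address go back out via ISP B. Assumed values: PIX outside 10.1.1.2, router ISP-facing addresses 1.1.1.2 and 2.2.2.3, published addresses 1.1.1.4 and 2.2.2.4, second server address 172.26.1.2; syntax is the classic PIX 6.x and IOS form the thread already uses.

```cisco
! --- PIX: one static per published address, each to a different inside address ---
! This is what avoids the "static overlaps" error: the two statics no longer
! share the same local (inside) address.
static (inside,outside) 1.1.1.4 172.26.1.1 netmask 255.255.255.255
static (inside,outside) 2.2.2.4 172.26.1.2 netmask 255.255.255.255
! Only the published service is opened inbound; everything else stays denied.
access-list outside_in permit tcp any host 1.1.1.4 eq www
access-list outside_in permit tcp any host 2.2.2.4 eq www
access-group outside_in in interface outside
! Single default route toward the PBR router; ISP selection happens there.
route outside 0.0.0.0 0.0.0.0 10.1.1.1 1

! --- Router doing PBR (three interfaces) ---
interface FastEthernet0/0
 description to ISP A (gateway 1.1.1.1)
 ip address 1.1.1.2 255.255.255.248
interface FastEthernet0/1
 description to ISP B (gateway 2.2.2.2)
 ip address 2.2.2.3 255.255.255.248
interface FastEthernet1/0
 description to PIX outside (10.1.1.2)
 ip address 10.1.1.1 255.255.255.0
 ip policy route-map ISP-SELECT
!
! The published addresses are not on the router's own links; send them to the PIX.
ip route 1.1.1.4 255.255.255.255 10.1.1.2
ip route 2.2.2.4 255.255.255.255 10.1.1.2
! All other outbound traffic uses ISP A, as the question asks.
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
! Return traffic sourced from the ISP B published address must leave via ISP B;
! otherwise ISP A may drop it as spoofed (source-address filtering).
access-list 101 permit ip host 2.2.2.4 any
route-map ISP-SELECT permit 10
 match ip address 101
 set ip next-hop 2.2.2.2
route-map ISP-SELECT permit 20
```

The server itself still needs the service bound to both 172.26.1.1 and 172.26.1.2, and the PIX will only translate outbound replies correctly if each reply is sourced from the inside address that matches the static it arrived on.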

epylkoCommented:
Why don't you not NAT the 172.26.1.1 address on your PIX? That way you won't do your double NAT.

-Eric
0
theedgeheadAuthor Commented:
Wouldn't I still have the problem of a single IP on the internal server? I would still have to make a conduit of some kind.
0