Can I use PBR to get traffic to flow from two ISPs to a single host inside a PIX without BGP?

Posted on 2003-11-05
Last Modified: 2010-04-17
Here is the general scenario. (The IPs have been changed to protect the guilty.)

I have two ISPs. I want all outbound traffic going through ISP A. I have a server I want published on ISP A. I also want the server published on ISP B. I have a router in front of the PIX with three interfaces to do policy based routing. I have a small block of IPs (/29) from each ISP. Can I do this without doing double NAT (once on the router and once on the PIX)? Is there another way to do this without adding hardware?

ISPA              ISPB
  |                 |
  |                 |
  Router doing PBR
  Published server

Question by: theedgehead

Expert Comment

ID: 9692431
It sounds like you are wanting redundant routing via two ISPs but on the cheap. The way you would usually do this is to get an autonomous block of IP addresses allocated to you (usually a minimum of a Class C), then get yourself two ISPs and advertise this address space with both of them, so that they could route it to you. You would then set up a dynamic routing protocol to route it via whichever ISP you wanted, with load balancing/redundancy as you see fit.

What you are suggesting is not possible; you cannot NAT the same internal address to two separate public addresses. NAT just doesn't work that way.

An alternative might be to give your published server two separate IP addresses. You could then NAT one to the IP address of ISP A and the other to the IP address of ISP B.

As you are wanting to have two different published addresses for your server, how are you going to use both addresses? Are you going to use round-robin DNS? If so, then half of your traffic will come/go over each of your two ISPs (assuming an even 50/50 split by the DNS, which is what it should do).

Maybe a better explanation of what you are trying to achieve might help?

Author Comment

ID: 9694156
We are actually doing this with the hardware we have now. It's old and we were looking at replacing it, but I'm finding we cannot do so easily and keep the same functionality. We have an Instant Internet from Bay Networks with a T1 interface and two Ethernet. We have an ISP on the T1 and one on the Ethernet. It actually allows us to NAT in to the same host from each outside connection. We have mail, web, and VPN servers running on the inside as well as our public DNS server.

I am now faced with duplicating this with a PIX but have not found a good way to do it with a single PIX. I know I can use policy based routing to manage outbound traffic, and I think I can do that with one router that has three interfaces in front of the firewall. I was not sure I could do the same with inbound. I thought perhaps I could do a one-to-one NAT in the router and then NAT at the PIX, but the PIX will not let me NAT two outside IPs to one internal. I suppose I could assign a second IP to the internal server?

Accepted Solution

td_miles earned 500 total points
ID: 9697265
OK, I should have been more specific (instead of blunt, my apologies). I meant that a PIX won't let you do that. As an example from a PIX:

fw1(config)# static (inside,outside) x.y.144.34
fw1(config)# static (inside,outside) x.y.144.36
ERROR: static overlaps with x.y.144.34 to

You'd have to look for another piece of hardware (i.e. something similar to what you have) that does support multihomed NAT if you want to do it with a single IP on the internal server.
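As an added illustration (not Cisco code and not part of the thread), this Python model reproduces the one-to-one static rule behind the error above and the second-inside-IP alternative suggested earlier in the thread; the table class, the RFC 5737 addresses and the exact error wording are constructed assumptions.

```python
# Constructed model (not Cisco code) of the PIX rule the accepted answer hits:
# on one interface pair a 'static' binds one inside local address to one
# outside global address, so a second static reusing either side is refused.
import ipaddress
from dataclasses import dataclass, field

IFPAIR = ("inside", "outside")  # the (inside,outside) part of the CLI line


@dataclass
class StaticNatTable:
    """Static translations keyed on (interface pair, outside global address)."""
    entries: dict = field(default_factory=dict)

    def add_static(self, ifpair, global_ip, local_ip):
        """Mimic 'static (inside,outside) <global> <local>'.
        Returns None on success, or an error string shaped like the
        thread's PIX message when the mapping overlaps an existing one."""
        glob, loc = ipaddress.ip_address(global_ip), ipaddress.ip_address(local_ip)
        for (pair, old_g), old_l in self.entries.items():
            if pair == ifpair and (old_g == glob or old_l == loc):
                return f"ERROR: static overlaps with {old_g} to {old_l}"
        self.entries[(ifpair, glob)] = loc
        return None

    def translate_inbound(self, ifpair, global_ip):
        """Inside host that receives traffic sent to this global address."""
        local = self.entries.get((ifpair, ipaddress.ip_address(global_ip)))
        return None if local is None else str(local)


def single_inside_ip_attempt():
    """The original goal: one inside address published via both ISP blocks.
    Addresses are constructed RFC 5737 values standing in for the two /29s."""
    t = StaticNatTable()
    first = t.add_static(IFPAIR, "198.51.100.34", "10.0.0.10")  # ISP A global
    second = t.add_static(IFPAIR, "203.0.113.36", "10.0.0.10")  # ISP B global
    return first, second  # -> (None, "ERROR: static overlaps with ...")


def two_inside_ips_workaround():
    """The alternative raised in the thread: a second inside IP on the
    server, each one mapped to a global from a different ISP's block."""
    t = StaticNatTable()
    assert t.add_static(IFPAIR, "198.51.100.34", "10.0.0.10") is None
    assert t.add_static(IFPAIR, "203.0.113.36", "10.0.0.11") is None
    return t
```

With two inside addresses each global resolves to a distinct local host, which is what the single-address attempt cannot express on one interface pair.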


Expert Comment

ID: 9699881
Why don't you not NAT the address on your PIX? That way you won't do your double NAT.


Author Comment

ID: 9703768
Wouldn't I still have the problem of a single IP on the internal server? I would still have to make a conduit of some kind.
