Can I use PBR to get traffic to flow from two ISPs to a single host  inside a PIX without BGP?

Posted on 2003-11-05
Last Modified: 2010-04-17
Here is the general scenario (the IPs have been changed to protect the guilty).

I have two ISPs. I want all outbound traffic going through ISP A. I have a server I want published on ISP A. I also want the server published on ISP B. I have a router in front of the PIX with three interfaces to do policy based routing. I have a small block of IPs (a /29) from each ISP. Can I do this without doing double NAT (once on the router and once on the PIX)? Is there another way to do this without adding hardware?

ISPA 1.1.1.1        ISPB 2.2.2.2
      |                         |
      |                         |
       Router doing PBR
             10.1.1.1
                  |
                  |
                PIX
                  |
                  |
   Published server 172.26.1.1

Question by:theedgehead
Expert Comment

by:td_miles
ID: 9692431
It sounds like you are wanting redundant routing via two ISPs but on the cheap. The way you would usually do this is to get an autonomous block of IP addresses allocated to you (usually a minimum of a Class C), then get yourself two ISPs and advertise this address space with both of them, so that they could route it to you. You would then set up a dynamic routing protocol to route it via whichever ISP you wanted, with load balancing/redundancy as you see fit.

What you are suggesting is not possible; you cannot NAT the same internal address to two separate public addresses. NAT just doesn't work that way.

An alternative might be to give your published server two separate IP addresses. You could then NAT one to the IP address of ISP A and the other to the IP address of ISP B.

As you are wanting to have two different published addresses for your server, how are you going to use both addresses? Are you going to use round-robin DNS? If so, then half of your traffic will come/go over each of your two ISPs (assuming an even 50/50 split by the DNS, which is what it should do).

Maybe a better explanation of what you are trying to achieve might help?
Author Comment

by:theedgehead
ID: 9694156
We are actually doing this with the hardware we have now. It's old and we were looking at replacing it, but I'm finding we cannot do so easily and keep the same functionality. We have an Instant Internet from Bay Networks with a T1 interface and two Ethernet interfaces. We have an ISP on the T1 and one on the Ethernet. It actually allows us to NAT in to the same host from each outside connection. We have mail, web, and VPN servers running on the inside, as well as our public DNS server.

I am now faced with duplicating this with a PIX but have not found a good way to do it with a single PIX. I know I can use policy based routing to manage outbound traffic, and I think I can do that with one router that has three interfaces in front of the firewall. I was not sure I could do the same with inbound. I thought perhaps I could do a one-to-one NAT in the router and then NAT at the PIX, but the PIX will not let me NAT two outside IPs to one internal. I suppose I could assign a second IP to the internal server?
Accepted Solution

by:
td_miles earned 500 total points
ID: 9697265
OK, I should have been more specific (instead of blunt, my apologies): I meant that a PIX won't let you do that. As an example from a PIX:

fw1(config)# static (inside,outside) x.y.144.34 192.168.1.34
fw1(config)# static (inside,outside) x.y.144.36 192.168.1.34
ERROR: static overlaps with x.y.144.34 to 192.168.1.34

You'd have to look for another piece of hardware (i.e. something similar to what you have) that does support multihomed NAT if you want to do it with a single IP on the internal server.
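The two-inside-address workaround suggested above, written out as an added configuration sketch (this is not from the thread, and the values are not the poster's real config): the server answers on a second inside address, the PIX maps each inside address to one ISP's public address, and the router in front policy-routes by source address so replies leave through the ISP whose block they carry. ISP gateways 1.1.1.1/2.2.2.2 and router address 10.1.1.1 are the scenario's own placeholders; the /29 blocks 1.1.1.8/29 and 2.2.2.8/29, the PIX outside address 10.1.1.2, interface names, ACL numbers and the route-map name are assumptions.

```cisco
! ---- PIX (6.x syntax), constructed addresses ----
ip address outside 10.1.1.2 255.255.255.0
ip address inside 172.26.1.254 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
! Server's primary inside address, published from ISP A's block.
static (inside,outside) 1.1.1.10 172.26.1.1 netmask 255.255.255.255
! The same server on a SECOND inside address (a secondary address on its NIC),
! published from ISP B's block. A second static for 172.26.1.1 itself would be
! rejected with "static overlaps", as shown in the answer above.
static (inside,outside) 2.2.2.10 172.26.1.2 netmask 255.255.255.255
! Only allow the published service in; tighten to what the server actually runs.
access-list outside_in permit tcp any host 1.1.1.10 eq www
access-list outside_in permit tcp any host 2.2.2.10 eq www
access-group outside_in in interface outside
! Everything else going out is PAT'd to an ISP A address, so by default it
! takes ISP A (the router's normal default route below does the rest).
global (outside) 1 1.1.1.11
nat (inside) 1 0.0.0.0 0.0.0.0

! ---- Router doing PBR (IOS), constructed interfaces ----
interface FastEthernet0/0
 description to ISP A (gateway 1.1.1.1)
 ip address 1.1.1.2 255.255.255.252
interface FastEthernet0/1
 description to ISP B (gateway 2.2.2.2)
 ip address 2.2.2.1 255.255.255.252
interface FastEthernet1/0
 description to PIX outside
 ip address 10.1.1.1 255.255.255.0
 ip policy route-map FROM-PIX
! Both public /29 blocks live behind the PIX outside interface.
ip route 1.1.1.8 255.255.255.248 10.1.1.2
ip route 2.2.2.8 255.255.255.248 10.1.1.2
! All outbound traffic takes ISP A unless policy routing says otherwise.
ip route 0.0.0.0 0.0.0.0 1.1.1.1
! Replies sourced from ISP B's block must go back out via ISP B, otherwise
! ISP A may drop them as spoofed (source outside its own address space).
access-list 101 permit ip 2.2.2.8 0.0.0.7 any
route-map FROM-PIX permit 10
 match ip address 101
 set ip next-hop 2.2.2.2
! Packets not matching the route-map fall through to the routing table (ISP A).
```

No NAT happens on the router, so there is no double NAT; the only cost is the second inside address on the server and a PBR rule per ISP block.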
Expert Comment

by:epylko
ID: 9699881
Why don't you not NAT the 172.26.1.1 address on your PIX? That way you won't do your double NAT.

-Eric
Author Comment

by:theedgehead
ID: 9703768
Wouldn't I still have the problem of a single IP on the internal server? I would still have to make a conduit of some kind.