Solved

PIX outside interface with two ISPs, policy based routing and full redundancy? Can this be done?

Posted on 2004-03-22
Last Modified: 2010-05-18
Hi,

I've got the following scenario:

My PIX 515 outside interface is connected to a switch, on which I have two routers, each going to a different ISP.  Let's call them ISP1 and ISP2.

ISP 1 is for all traffic except mail, ISP 2 is only for mail.

The two ISP routers run HSRP, the default route on the PIX is pointing to that HSRP IP.

On the ISP1 router I have installed policy based routing, which sets the next hop for all traffic coming from the mail server (which is situated inside the DMZ2) to the ISP2 router.

The mail server is in DMZ2, the Web Server is in DMZ1.

I am using static translations for the Mail and Web server to translate them into the private address space of the outside, and then again NAT on the ISP 1 and ISP 2 router to translate the addresses to their public addresses, visible on the net.

I have a problem now creating a full redundant scenario:

If ISP 1 router fails,  no problem, all traffic will be directed from the PIX to the HSRP address and ISP 2 router takes over and all traffic will go via ISP 2 router.  
If the ISP 1 service provider or line fails, also no problem, all traffic will be directed from the PIX to the HSRP address and ISP 2 router takes over and all traffic will go via ISP 2.

But I have a problem if the ISP2 router fails, because the policy based routing on ISP1 router will still try to send all mail packets via ISP 2 router and they will be dropped.
I could install another router, make it and the ISP2 router part of another HSRP group and have a separate line to ISP 2, so I can do away with the ISP 2 router as a single point of failure, but if the ISP 2 line or service provider fails (not the router but the actual ISP is down), I end up with the same problem.  Mail will only go out via the ISP 1 router if I change the config file and remove the policy that sends mail to the ISP 2 router.

Any idea how I can create a scenario with 2 routers, policy based routing and HSRP on the outside PIX interface that will give me full redundancy?


 
Question by:ChristianeD
9 Comments
 
LVL 4

Expert Comment

by:hawgpig
ID: 10653781
PIX will not do what you are attempting, because it will only allow for a single default route.
Load balance through a router: send all packets to that router and let the router determine which line is up or down.
Good luck
LVL 79

Expert Comment

by:lrmoore
ID: 10654168
So many have tried and failed. <sigh>
Agree with hawgpig.

Your best bet may be to run OSPF between the two routers and the PIX. However, the PIX still will not have the capability to send specific type traffic (mail) to one gateway vs the other.

You can use a 3rd router to do that with route-maps, but that injects a new single point of failure, which you are trying to avoid with the dual router/HSRP thing.

I don't think you will ever achieve dynamic redundancy with the policy based routing where you have chosen to send all email out only one ISP.

You might also want to look into Gateway Load Balancing Protocol vs HSRP...
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ft_glbp.pdf
LVL 8

Expert Comment

by:smeek
ID: 10663942
There are also third party devices to help accomplish what you are trying, FatPipe, RadWare and others.  Usually, they offer other services and may be limited by bandwidth they allow through.  A side benefit is that some allow you access to bandwidth from both connections, rather than just failover.

Steve
LVL 79

Expert Comment

by:lrmoore
ID: 10682211
Take a look at what we did here and see it it might give you some ideas about using route-maps on one of the routers...

http://www.experts-exchange.com/Security/Firewalls/Q_20930992.html


Author Comment

by:ChristianeD
ID: 10684839
Hi, I've looked at Q 20930992 and it looks very much like the scenario that we are dealing with. Our first design was also utilizing a 2620 router, but this creates a single point of failure.  My challenge is that I want to create a redundant scenario, where if one router or one ISP fails, the other router/ISP will deal with all traffic.
It will be some time before we implement; we are still in the design stage (gathering ideas).

I was thinking of testing the following for the scenario of router 2 being down:

access-list 101 permit tcp host x.x.x.x any eq smtp

route-map MAIL permit 20
 match ip address 101
 set ip next-hop x.x.x.x   <-- LAN interface of ISP2 router

route-map MAIL permit 21
 match ip address 101
 set default interface serial 0/0   <-- interface to ISP1

If router 2 (for ISP2) is down, it might take the second statement sending smtp packets to the serial interface on the same router.  But I suspect, that before it does that, it will hit the first route-map statement and send the packet out to the second router, which is down, so the packet does not get there.  It will never go to the second route-map statement because it does not test the validity of the action to be taken.

Am I right here?

LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 10686863
No, it won't take the 2nd statement because it matched the first and will always match the first, regardless of the status of the other router.

This is one reason that I would not recommend this solution for you. There is no failover/redundancy. If the next-hop is down, the packets die.

The best scenario is to use OSPF on both routers and the PIX, and let both routers generate default information. This gives you dynamic failover, but not necessarily load balancing or load-sharing. If you want load-sharing, put both T1s in the same router. If you're worried about the router going down, add a "hot spare" router that has all the config and modules, and just swap the T1 cables if it goes down.
Else, get a router with dual power supplies, perhaps a 3725.
GLBP may work for you with two routers, I have not tried it. It gives the appearance of one IP address as the default for the PIX like HSRP, but actually does some load-sharing.
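As an added example (not configuration from this thread), here is what the OSPF design lrmoore describes could look like on a PIX 515 running PIX OS 6.3 and two IOS routers. Every address is hypothetical: 192.168.100.0/24 is the outside segment, the routers are .2 (ISP1) and .3 (ISP2), and each router's default route points out its own serial link. Each router advertises a default into OSPF only while its own default route exists, and the metrics make the ISP1 default preferred while both are up.

```cisco
! --- PIX 515 (PIX OS 6.3), hypothetical addresses ---
! The static default toward the HSRP address must go: a static route
! (distance 1) would always beat the OSPF-learned default (distance 110).
no route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
!
! PIX 6.3 OSPF takes a subnet mask, not an IOS-style wildcard.
router ospf 1
 network 192.168.100.0 255.255.255.0 area 0
!
! --- ISP1 router (IOS), hypothetical addresses ---
interface FastEthernet0/0
 ip address 192.168.100.2 255.255.255.0
!
interface Serial0/0
 ip address 10.1.1.2 255.255.255.252
!
! Interface static default: it is removed from the table when Serial0/0
! goes down, and default-information originate then stops advertising it.
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
router ospf 1
 network 192.168.100.0 0.0.0.255 area 0
 default-information originate metric 10
!
! --- ISP2 router (IOS), hypothetical addresses ---
interface FastEthernet0/0
 ip address 192.168.100.3 255.255.255.0
!
interface Serial0/0
 ip address 10.2.2.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
router ospf 1
 network 192.168.100.0 0.0.0.255 area 0
 default-information originate metric 20
```

With both links up, `show route` on the PIX shows an OSPF external default via 192.168.100.2; when the ISP1 serial interface drops, the only remaining default is the one from 192.168.100.3. The caveat lrmoore's answer implies still applies: an interface-based static default is withdrawn only on link down, so a provider outage that leaves the line up is not detected by this configuration, and there is no per-application steering of mail, only a single best default.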
LVL 6

Expert Comment

by:Pascal666
ID: 10696985
One of the nice things about the "set ip next-hop" statement is that the IP you route it to does not have to be directly connected.  What you can do is set up EIGRP between your two routers, having router 2 advertise its serial network to router 1.  Set the next-hop in your route-map to the serial IP on router 2.  When router 2 and its serial line are both up, router 1 will route packets matching the route-map to it.  If either should fail, EIGRP drops the route, which makes the IP match your default gateway, thus sending the traffic to ISP 1.

-Pascal
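Here is an added example (not from the thread) of Pascal666's design on the two routers, using hypothetical addresses: 192.168.100.25 is the mail server's translated address as it arrives from the PIX, 10.2.2.2/30 is the serial address of the ISP2 router, and EIGRP AS 100 runs only between the two routers on the outside segment. The route-map sets a next hop that is not on the LAN, so the example relies on what Pascal666 describes: the ISP1 router resolving that address through its routing table, which holds 10.2.2.0/30 from EIGRP while router 2 and its serial link are up, and only the default via Serial0/0 otherwise.

```cisco
! --- ISP1 router (IOS), hypothetical addresses ---
interface FastEthernet0/0
 ip address 192.168.100.2 255.255.255.0
 ! Policy routing applies to packets arriving from the PIX on this interface.
 ip policy route-map MAIL
 standby 1 ip 192.168.100.1
 standby 1 priority 110
 standby 1 preempt
 ! Hand the HSRP address to router 2 if the ISP1 line goes down.
 standby 1 track Serial0/0 20
!
interface Serial0/0
 ip address 10.1.1.2 255.255.255.252
!
router eigrp 100
 network 192.168.100.0 0.0.0.255
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
! Mail-server traffic (translated source address) is the only thing steered.
access-list 101 permit tcp host 192.168.100.25 any eq smtp
!
route-map MAIL permit 10
 match ip address 101
 ! Serial address of router 2, learned via EIGRP; not a LAN neighbour.
 set ip next-hop 10.2.2.2
!
! --- ISP2 router (IOS), hypothetical addresses ---
interface FastEthernet0/0
 ip address 192.168.100.3 255.255.255.0
 standby 1 ip 192.168.100.1
 standby 1 priority 100
 standby 1 preempt
!
interface Serial0/0
 ip address 10.2.2.2 255.255.255.252
!
router eigrp 100
 network 192.168.100.0 0.0.0.255
 ! Advertise the serial subnet so router 1 knows when this link is usable.
 network 10.2.2.0 0.0.0.3
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Serial0/0
```

On the ISP1 router, `show ip route 10.2.2.2` returns the EIGRP route while router 2 and its serial link are up and falls back to 0.0.0.0/0 via Serial0/0 when either fails, and `show route-map MAIL` counts the policy matches. The same limitation as the interface-based static default applies here: if ISP2's provider fails with the serial line still up, 10.2.2.0/30 stays advertised and mail keeps going to router 2. IOS also has a `set ip next-hop verify-availability` option that checks a directly connected next hop through CDP; the thread does not discuss it and it does not help with a non-adjacent next hop like the one used here.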
LVL 79

Expert Comment

by:lrmoore
ID: 10807696
Are you still working on this? Do you need more information?

Author Comment

by:ChristianeD
ID: 10821652
Hi, unfortunately the implementation of the above scenario has been delayed.  I've also indicated to the customer that a fully redundant setup + policy based routing will not be possible.  The customer is now rethinking his requirements.

I feel confident that with your input I will be able to set up the PIX and the two routers so that I get a load-balancing, redundant scenario, although policy based routing will be a no-no.

I've also been thinking of a second LAN port on ISP router 1 that is shut down but configured exactly the way the other LAN port is configured, except that the policy based routing to ISP router 2 has been omitted.  It would act like your suggested "hot spare" router.  In case of a failure, the user can plug his LAN into the second LAN port, issue the "no shutdown" command and all mail will go via ISP1.

Thanks