PIX outside interface with two ISPs, policy based routing and full redundancy? Can this be done?

Posted on 2004-03-22
Last Modified: 2010-05-18
Hi,

I've got the following scenario:

My Pix 515 outside interface is connected to a switch, on which I have two routers, each going to a different ISP.  Let's call them ISP1 and ISP2.

ISP 1 is for all traffic except mail, ISP 2 is only for mail.

The two ISP routers run HSRP, the default route on the PIX is pointing to that HSRP IP.

On the ISP1 router I have installed policy based routing, which sets the next hop for all traffic coming from the mail server (which is situated inside the DMZ2) to the ISP2 router.

The mail server is in DMZ2, the Web Server is in DMZ1.

I am using static translations for the Mail and Web server to translate them into the private address space of the outside, and then again NAT on the ISP 1 and ISP 2 router to translate the addresses to their public addresses, visible on the net.

I have a problem now creating a full redundant scenario:

If ISP 1 router fails,  no problem, all traffic will be directed from the PIX to the HSRP address and ISP 2 router takes over and all traffic will go via ISP 2 router.  
If the ISP 1 service provider or line fails, also no problem, all traffic will be directed from the PIX to the HSRP address and ISP 2 router takes over and all traffic will go via ISP 2.

But I have a problem if the ISP2 router fails, because the policy based routing on ISP1 router will still try to send all mail packets via ISP 2 router and they will be dropped.
I could install another router, make it and the ISP2 router part of another HSRP group and have a separate line to ISP 2, so I can do away with the ISP 2 router as a single point of failure, but if the ISP 2 line or service provider fails (not the router but the actual ISP is down), I end up with the same problem.  Mail will only go out via the ISP 1 router if I change the config file and remove the policy that sends mail to the ISP 2 router.

Any idea how I can create a scenario with 2 routers, policy based routing and HSRP on the outside PIX interface that will give me full redundancy?

Question by:ChristianeD
9 Comments
 
LVL 4

Expert Comment

by:hawgpig
ID: 10653781
PIX will not do what you are attempting, because it will only allow for a single default route.
Load balance through a router: send all packets to that router and let the router determine which line is up or down.
Good luck
 
LVL 79

Expert Comment

by:lrmoore
ID: 10654168
So many have tried and failed. <sigh>
Agree with hawgpig.

Your best bet may be to run OSPF between the two routers and the PIX. However, the PIX still will not have the capability to send specific type traffic (mail) to one gateway vs the other.

You can use a 3rd router to do that with route-maps, but that injects a new single point of failure, which you are trying to avoid with the dual router/HSRP thing.

I don't think you will ever achieve dynamic redundancy with the policy based routing where you have chosen to send all email out only one ISP.

You might also want to look into Gateway Load Balancing Protocol vs HSRP...
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ft_glbp.pdf
 
LVL 8

Expert Comment

by:smeek
ID: 10663942
There are also third party devices to help accomplish what you are trying, FatPipe, RadWare and others.  Usually, they offer other services and may be limited by bandwidth they allow through.  A side benefit is that some allow you access to bandwidth from both connections, rather than just failover.

Steve
 
LVL 79

Expert Comment

by:lrmoore
ID: 10682211
Take a look at what we did here and see if it might give you some ideas about using route-maps on one of the routers...

http://www.experts-exchange.com/Security/Firewalls/Q_20930992.html

 

Author Comment

by:ChristianeD
ID: 10684839
Hi, I've looked at Q 20930992 and it looks very much like the scenario that we are dealing with. Our first design was also utilizing a 2620 router, but this creates a single point of failure.  My challenge is that I want to create a redundant scenario, where if one router or one ISP fails, the other router/ISP will deal with all traffic.
It will be some time before we implement; we are still in the design stage (gathering ideas).

I was thinking of testing the following for the scenario of router 2 being down:

access-list 101 permit tcp host x.x.x.x any eq smtp

route-map MAIL permit 20
 match address 101
 set ip next-hop  x.x.x.x <<--  LAN interface of ISP2 router

route-map MAIL permit 21
 match address 101
 set default interface serial 0/0  <-- interface to ISP1

If router 2 (for ISP2) is down, it might take the second statement sending smtp packets to the serial interface on the same router.  But I suspect, that before it does that, it will hit the first route-map statement and send the packet out to the second router, which is down, so the packet does not get there.  It will never go to the second route-map statement because it does not test the validity of the action to be taken.

Am I right here?

 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 10686863
No, it won't take the 2nd statement because it matched the first and will always match the first, regardless of the status of the other router.

This is one reason that I would not recommend this solution for you. There is no failover/redundancy. If the next-hop is down, the packets die.

The best scenario is to use OSPF on both routers and the PIX, let both routers generate default information. This gives you dynamic failover, but not necessarily load balancing or load-sharing. If you want load-sharing, put both T1's in the same router. If you're worried about the router going down, add a "hot spare" router that has all the config and modules, and just swap the T1 cables if it goes down.
Else, get a router with dual power supplies, perhaps a 3725.
GLBP may work for you with two routers, I have not tried it. It gives the appearance of one IP address as the default for the PIX like HSRP, but actually does some load-sharing.
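As an added illustration of the OSPF design lrmoore recommends above (this is not configuration posted in the thread; the interface names, the 192.168.100.0/24 outside subnet, the serial addresses, the OSPF process number and the metrics are assumptions): both ISP routers originate a default route into OSPF, the PIX learns that default on its outside interface instead of carrying a static default to the HSRP address, and each router's default is tied to its own serial interface so that it disappears from OSPF when that line drops. ISP1 is preferred by giving it the lower external metric. Syntax is IOS 12.x on the routers and PIX 6.3 on the firewall; there is no policy based routing anywhere in this design, so mail follows whichever default is currently best.

```cisco
! ---- ISP1 router (preferred default: lower external metric) ----
interface Serial0/0
 description Line to ISP1
 ip address 10.1.1.2 255.255.255.252
!
interface FastEthernet0/0
 description Outside LAN shared with the PIX and the ISP2 router
 ip address 192.168.100.2 255.255.255.0
!
! Point the static default at the interface, not at a next-hop IP:
! it leaves the routing table (and therefore OSPF) when Serial0/0 goes down.
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
router ospf 1
 network 192.168.100.0 0.0.0.255 area 0
 ! No "always" keyword: the default is advertised only while the
 ! router itself still has a default route.
 default-information originate metric 10 metric-type 2

! ---- ISP2 router (backup default: higher external metric) ----
interface Serial0/0
 description Line to ISP2
 ip address 10.2.2.2 255.255.255.252
!
interface FastEthernet0/0
 ip address 192.168.100.3 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
router ospf 1
 network 192.168.100.0 0.0.0.255 area 0
 default-information originate metric 100 metric-type 2

! ---- PIX 515, software 6.3 ----
! No "route outside 0.0.0.0 0.0.0.0 <hsrp-vip>": the default comes from OSPF.
router ospf 1
 network 192.168.100.0 255.255.255.0 area 0
```

Check the result with `show ip route 0.0.0.0` and `show ip ospf neighbor` on the routers and `show route` on the PIX, then pull the ISP1 serial cable and confirm the PIX default moves to 192.168.100.3. The caveat a practitioner should keep in mind: the failover is driven by the serial interface going down. A failure further upstream that leaves the local line protocol up (the ISP drops traffic but the circuit stays up) does not withdraw the default, so this detects line and router failures, not provider failures.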
 
LVL 6

Expert Comment

by:Pascal666
ID: 10696985
One of the nice things about the "set ip next-hop" statement is that the IP you route it to does not have to be directly connected.  What you can do is set up EIGRP between your two routers, having router 2 advertise its serial network to router 1.  Set the next-hop in your route-map to the serial IP on router 2.  When router 2 and its serial line are both up, router 1 will route packets matching the route-map to it.  If either should fail, EIGRP drops the route, which makes the IP match your default gateway, thus sending the traffic to ISP 1.

-Pascal
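As an added example of the route-map approach Pascal666 describes, and of why ChristianeD's earlier two-clause route-map cannot fail over (this is not configuration from the thread; addresses, interface names, the EIGRP AS number and the mail server's translated address 192.168.100.25 are assumptions): the ISP2 router advertises its serial subnet to the ISP1 router over EIGRP, and the ISP1 router's route-map points mail at the ISP2 serial IP rather than at the ISP2 LAN IP. While that prefix is in the routing table the next hop resolves through 192.168.100.3; when ISP2's serial line drops and EIGRP withdraws the prefix, the next hop is unresolvable, the set clause is ignored and the packet is forwarded by the normal routing table, i.e. the default via ISP1. The `recursive` keyword on `set ip next-hop` is the form later IOS releases (12.3(14)T and up) use for a next hop that is not directly connected.

```cisco
! ---- ISP2 router: advertise the serial subnet to the ISP1 router ----
interface Serial0/0
 description Line to ISP2
 ip address 10.2.2.2 255.255.255.252
!
interface FastEthernet0/0
 ip address 192.168.100.3 255.255.255.0
!
router eigrp 100
 network 192.168.100.0 0.0.0.255
 network 10.2.2.0 0.0.0.3
 no auto-summary

! ---- ISP1 router: policy-route mail toward the ISP2 serial IP ----
interface Serial0/0
 description Line to ISP1
 ip address 10.1.1.2 255.255.255.252
!
interface FastEthernet0/0
 ip address 192.168.100.2 255.255.255.0
 ! PBR is applied on the interface that receives traffic from the PIX
 ip policy route-map MAIL
!
router eigrp 100
 network 192.168.100.0 0.0.0.255
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
! 192.168.100.25 is the mail server's static translation on the PIX outside
! (assumed address); the ACL matches SMTP sourced from it.
ip access-list extended MAIL-FROM-DMZ2
 permit tcp host 192.168.100.25 any eq smtp
!
! One clause only. A second clause matching the same ACL would never be
! evaluated, because the first match wins regardless of next-hop state.
! If 10.2.2.2 has no route (EIGRP withdrew 10.2.2.0/30), the set is ignored
! and the packet is routed normally: out Serial0/0 to ISP1.
route-map MAIL permit 10
 match ip address MAIL-FROM-DMZ2
 set ip next-hop recursive 10.2.2.2
```

Verify with `show ip route 10.2.2.2` and `show route-map MAIL` on the ISP1 router, then shut Serial0/0 on the ISP2 router and watch the 10.2.2.0/30 prefix disappear and the policy-routed counter stop incrementing. The same limitation applies as with the OSPF design: the prefix is withdrawn only when ISP2's serial line protocol goes down, so an ISP2 outage that leaves the local circuit up still black-holes mail, which is exactly the case ChristianeD raises in the question. Later IOS releases add `set ip next-hop verify-availability` with an object-tracked IP SLA probe, which tests reachability through the path rather than the state of an interface.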
 
LVL 79

Expert Comment

by:lrmoore
ID: 10807696
Are you still working on this? Do you need more information?
 

Author Comment

by:ChristianeD
ID: 10821652
Hi, unfortunately the implementation of the above scenario has been delayed.  I've also indicated to the customer that a fully redundant setup + policy based routing will not be possible.  The customer is now rethinking his requirements.

I feel confident that with your input I will be able to set up the PIX and the two routers so that I get a load-balancing, redundant scenario, although policy based routing will be a no-no.

I've also been thinking of a second LAN port on ISP router 1 that is shut down but configured exactly the way the other LAN port is configured, except that the policy based routing to ISP router 2 has been omitted.  It would act like your suggested "hot spare" router.  In case of a failure, the user can plug his LAN into the second LAN port, issue the "no shutdown" command and all mail will go via ISP1.

Thanks