• Status: Solved

Cisco 1700 Dual internet connections config question

This is the scenario:

I have a 1700 Cisco with 2 Ethernet cards installed plus the internal Fast Ethernet port
1 card - internet provider a
1 card - internet provider b
internal card - network

I have two internet providers, both of whom provide Ethernet connections to me.

I want to set up the 1700 to use one connection unless it is down and then use the other connection.
I need to set up some port forwarding and also set up some ACLs.

I know a bit about Cisco but I'm not quite sure how to configure this.

Example commands would be really helpful.
I already have the IP address and mask set on the router.

No routes or ACLs have been set.
I have updated to the 12.3 IOS with the IP and FW feature set.

Any additional information can be provided

Thank you

3 Solutions
To do the failover when one internet connection is down: add a static route to provider A and add another static route to provider B with a higher administrative distance, so that it gets picked only when the first route is down.

ip route 0.0.0.0 0.0.0.0 <InternetProviderA-ISP Router IP>
ip route 0.0.0.0 0.0.0.0 <InternetProviderB-ISP Router IP> 200

So what are the services that you want to port forward to? A general idea is;


Doing failover without BGP is usually only successful if you don't have services available externally or the only service you care about is inbound email via prioritized MX records.  Your internal PCs will be able to access the Internet by using ISPB's address block, but that's usually the limit of what can be done (besides MX records).

Doing static route failover with two Ethernet connections will be spotty at best.  Each carrier has most likely put a switch or media converter on your premises; the links will not go down (and therefore the static routes will not fail over) unless the switch/media converter loses power.
What you need is Policy Based Routing with Tracking...

Configuration example can be found here: http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a0080211f5c.shtml

If you need more help, just post back.
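
The failure mode discussed in the replies above (a floating static route only takes over when the primary interface goes down, which an Ethernet hand-off rarely does) can be modelled in a few lines. This is an added example, not part of the original thread and not router configuration: the `StaticRoute`, `Probe`, `active_default` and `simulate` names, the three-loss threshold and the probe results are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class StaticRoute:
    name: str
    interface: str
    distance: int = 1      # default administrative distance of a static route
    tracked: bool = False  # True = route is withdrawn when the probe is down


class Probe:
    """Constructed stand-in for a reachability tracker (assumed threshold)."""

    def __init__(self, threshold: int = 3):
        self.threshold = threshold
        self.losses = 0

    def record(self, reply_received: bool) -> None:
        # Any reply resets the counter; losses must be consecutive to count.
        self.losses = 0 if reply_received else self.losses + 1

    @property
    def up(self) -> bool:
        return self.losses < self.threshold


def active_default(routes: List[StaticRoute], link_up: Dict[str, bool],
                   probe: Optional[Probe] = None) -> Optional[str]:
    """Lowest administrative distance wins among routes that are still usable."""
    usable = [r for r in routes
              if link_up[r.interface]
              and not (r.tracked and probe is not None and not probe.up)]
    return min(usable, key=lambda r: r.distance).name if usable else None


def simulate(tracked: bool, replies: List[bool]) -> List[Optional[str]]:
    """Both Ethernet links stay up throughout; only the upstream probe varies."""
    routes = [StaticRoute("ISP-A", "Eth0", 1, tracked),
              StaticRoute("ISP-B", "Eth1", 200)]
    link_up = {"Eth0": True, "Eth1": True}
    probe = Probe(threshold=3)
    chosen = []
    for reply in replies:
        probe.record(reply)
        chosen.append(active_default(routes, link_up, probe))
    return chosen


# Constructed probe results: ISP A's upstream fails at step 2, recovers at step 6.
REPLIES = [True, True, False, False, False, False, True]
```

Without tracking, every step keeps using ISP-A because Eth0 never goes down; with tracking, the default moves to ISP-B after the third consecutive lost probe and returns once a reply is seen.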


Good catch; I wasn't aware of that feature.  Be aware that it requires at least the Enterprise Base image, which is likely not on this user's router.

But once again, realize that even with this functionality, in the event of a failure at ISP-A, your internal users will be able to view the Internet, your secondary MX will be reachable, but no external services will be available on the public addresses they were configured for.
The hard part is going to be NAT.
Do you have an internal firewall that does your NAT for you now? Can it handle multiple IP ranges, one from each provider? I doubt it. Probably only from one provider, so you'd have to do double-nat on the 1700. Inbound www or email traffic is a problem. Email is OK with multiple MX records as PJ mentioned above, but if you have a web site it won't be available if your primary ISP link is down.
You're going to be asking a lot from that little 1700 router's CPU. Since it is end-of-lifed, and you are obviously concerned with downtime/Internet resiliency, I'd seriously look into something more robust.
omegamueller (Author) Commented:
Thank you for all the help.

All I need it for is internet and email.
I do remote in to the site, but I can configure both IPs to do that and just pick the one that I need.

How do I set up double NAT?

I think I'm going to go with the two routes vs. a policy based route.
The problem with dual routes is that the interface has to go down for the route to change. This is unlikely with an Ethernet interface.

How you set up the nat depends on how you're doing it now, but in a nutshell:

interface Fast 0
 ! address block belongs to ISP A
 ip address a.b.c.d
 ip nat inside

interface Eth 0
 description ISP A
 ip address c.d.e.f

interface Eth 1
 description ISP B
 ip address g.h.i.j
 ip nat outside

ip nat inside source list 1 interface Eth1 overload
! assuming that your firewall already nats to ISPA addresses
! wildcard mask below assumes a /24; match it to your ISP A block
access-list 1 permit a.b.c.0 0.0.0.255
! map email to your firewall/existing MX
ip nat inside source static tcp a.b.c.x 25 g.h.i.j 25

Add another MX record and now email will come in even if ISPA link is down.
Outbound traffic will be natted at the firewall, then it hits the router. It is either passed on out ISPA, or if the link is dead, it will go out to ISPB, but will be natted again to ISPB IP address.

Hope this makes sense to you...

Question has a verified solution.
