Inside routing problem 2

Status
Not open for further replies.

TalentedFool

Programmer
Jul 23, 2001
214
GB

I have a 1700 router on the outside connected to a PIX firewall on the inside.

on the PIX i'm NAT'ing my internal IP addresses depending on their IP range to two different ISP public IP's.

How can I allow both sets of traffic from the PIX through the router to the correct ISP?

ISP1 was setup first and so the IP address on the inside of the router connecting to the PIX is set-up for them. Now that I'm adding a 2nd ISP I can't get their traffic through the Router - and no I can't do the NAT'ing on the router :-( wish I could

ISP1 is 10.1.2.3/255.255.255.248 and ISP 2 is 12.1.2.3/255.255.25.240



~ Remember - Nothing is Fool Proof to a Talented Fool ~
 
Hi
I am not sure of your physical configuration, "1700 router on the outside connected to a PIX firewall on the inside".

So you have the 1700 connected to the inside port on the PIX? But it faces the outside into the world?

Sorry if the question seems silly.
 
Also check out the post below, it might help:

thread557-747979
 

Ok, sorry if it confused you! My router faces the outside world so I have a Broadband connection going into the Ethernet Port of the router. Next I have an ADSL connection going into an ADSL WIC Card in the router. The Fast Ethernet port is connected to the outside port of the PIX with the inside port connected to my network.

ADSL|
-------------------
Router|-------PIX
Broadband|--------------

Not very good on the old text diagrams

Each ISP has given me two very different ranges of IP's to use.

I'm NAT'ing my internal network IP's on the Firewall depending on the subnet e.g. 10.1.2.1/255.255.255.0 is NATing to the outside as ISP1 - 172.30.212.2 and 10.1.3.1/255.255.255.0 is NATing to ISP2 182.30.213.2 - Works Great - not a problem here!

Problem is on the router. The FastEthernet port which connects back to the PIX currently has an IP of 172.30.212.1 for ISP 1 as this was set up way back when... and on the PIX I route all traffic to that IP -works great for ISP 1.

My question is how can I allow both sets of PUBLIC IP's for the two ISP's I have through the router? If at all possible!! I may need to start thinking about NATing the IP's on the router for this which is something I wanted to avoid if possible!




~ Remember - Nothing is Fool Proof to a Talented Fool ~
 
Set up policy routing on the 1700; you can use this to determine the next hop packets are sent to based on their source address. A bit like a static route, but it works on the source IP not the destination.

Let me know if you need help with this.
 
Let me dig a little deeper. Why did you order a second line from a different ISP? Knowing what your end goal is will help us know what to suggest.

If you ordered it to "double your bandwidth, while providing redundancy" then it's not going to be as easy as you hoped.


Tom Bilan
TJBA, Inc.
CCNP, CCDP, MCSE & CNE
 

Policy routing ? OK - might need help with that! But does that allow traffic from my second set of IP's through the first ?

Routerman - We got ADSL from a second ISP 'cause our original ISP are the pits. It's a satellite broadband service and let me say how rubbish it is. The ground station is over in Holland and they seem to have terrible trouble keeping the thing up.

Our end goal will be to get rid of the Sat connection in around 6 months and just stick with our ADSL. So I need to get both up and running.

Anyway - the interface IP - can it be the same ?

~ Remember - Nothing is Fool Proof to a Talented Fool ~
 
I don't think the IP address allocated by ISP 1 is an issue.

The 1700 needs to decide which next hop to use, and a policy route map could do this.

I would use:

route-map ISP-SELECT permit 10
match ip address ISP1
set interface <broadband>

route-map ISP-SELECT permit 20
match ip address ISP2
set interface <adsl>

ip access-list standard ISP1
permit host 172.30.212.2

ip access-list standard ISP2
permit host 182.30.213.2

interface Fastethernet 0
ip policy route-map ISP-SELECT

The way this works is when a packet hits F0 it goes to the route map. If the source address of the packet is the ISP 1 PAT address then you send it out of the broadband interface (you will need to add the interface detail). If it's the ISP 2 PAT address then send it out of the other interface.

You only have one router, so the PIX has a default route pointing to that router's F0 port.

Return packets follow the ISP routing, so packets from ISP 1 will hit the PIX.

Packets from ISP 2 will be going to 182.30.213.2; this doesn't exist in the router's route table.

I think a static route on the 1700 will suffice:

ip route 182.30.213.2 255.255.255.255 172.30.212.2

When the PIX sees packets for 182.30.213.2 it will perform the translation.

Hope this helps.
 
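The forwarding decision Routerman's config produces, modelled in Python as an added example (not code from the thread): the route-map on FastEthernet0 picks the egress interface by source address, anything not matched by an ACL falls through to normal destination routing, and return traffic for the ISP2 address is caught by the /32 static route. Interface names, the default route and the connected /29 are assumptions.

```python
import ipaddress

# Constructed model of the 1700's forwarding logic from the thread. Interface names
# (Ethernet0 = broadband, ATM0 = ADSL), the default route and the connected subnet
# are assumptions; the ACL hosts and the /32 static route are Routerman's.

# Standard ACLs: each matches one PIX outside (PAT) address.
ACLS = {
    "ISP1": [ipaddress.ip_network("172.30.212.2/32")],
    "ISP2": [ipaddress.ip_network("182.30.213.2/32")],
}

# route-map ISP-SELECT entries: (sequence, acl name, 'set interface'), checked in order.
ROUTE_MAP = [
    (10, "ISP1", "Ethernet0"),  # assumed broadband (satellite) interface
    (20, "ISP2", "ATM0"),       # assumed ADSL WIC interface
]

# Routing table: (prefix, next hop or interface).
ROUTING_TABLE = [
    (ipaddress.ip_network("0.0.0.0/0"), "Ethernet0"),          # assumed default via broadband
    (ipaddress.ip_network("172.30.212.0/29"), "FastEthernet0"),  # assumed connected ISP1 /29
    (ipaddress.ip_network("182.30.213.2/32"), "172.30.212.2"),   # ip route 182.30.213.2 255.255.255.255 172.30.212.2
]

def acl_permits(acl_name, addr):
    return any(addr in net for net in ACLS[acl_name])

def policy_route(src):
    """First matching route-map entry wins; None means implicit deny, route normally."""
    src = ipaddress.ip_address(src)
    for _seq, acl, iface in ROUTE_MAP:
        if acl_permits(acl, src):
            return iface
    return None

def table_lookup(dst):
    """Longest-prefix match over the routing table."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, hop in ROUTING_TABLE:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def forward(src, dst, ingress="FastEthernet0"):
    """PBR applies only to packets arriving on the interface carrying 'ip policy route-map'."""
    if ingress == "FastEthernet0":
        pbr = policy_route(src)
        if pbr:
            return pbr
    return table_lookup(dst)
```

Note the last case: a packet from the PIX side whose source is not one of the two PAT addresses is not policy-routed at all and simply follows the default route, so the ACLs need to match exactly the addresses the PIX translates to.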
Routerman's config looks good and you may want to add "ip route-cache policy" on the ethernet port to help with the CPU overhead.


Tom Bilan
TJBA, Inc.
CCNP, CCDP, MCSE & CNE
 

Well, I shall give it a go later on in the day and see what happens!!

Thanks guys!



~ Remember - Nothing is Fool Proof to a Talented Fool ~
 

Routerman - it worked!

Took me a while to figure out the IP addresses and where they go etc but hey presto!

Cheers

~ Remember - Nothing is Fool Proof to a Talented Fool ~
 