caylor93 (Premium, join: 2009-02-25, Parker, CO)
[Config] Dual ISP Cisco Config Help
Hello all,
I have a bit of an issue trying to get my Cisco 2611 config to work with two ISPs.
I currently have a functioning Cisco config with the internal ADSL card and NATing. I am already port-forwarding public services to an internal private address. What I am having problems with is adding another public WISP connection that will be connected to a fast ethernet port on the 2611. Pic:
ADSL -> PUBLIC IP (via ATM) ->\
                               2611 -> PRIVATE IP (NAT) -> FIREWALL -> Servers/LAN
WISP -> PUBLIC IP (via ETH) ->/
The common point in the two paths above is the 2611, Firewall and Servers/LAN.
I have the ADSL/ATM side working and can make the WISP/ETH side work if I disable the ADSL/ATM default routing, but can not figure out how to enable the routing to make them both work at the same time. I want the ADSL to be the default route, but source route from a specific Private IP for the WISP.
Current config:

interface ATM0/0
 description WAN ADSL Interface
 no shutdown
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 no ip directed-broadcast
 bundle-enable
 dsl operating-mode auto
 hold-queue 224 in
 pvc 0/32
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0/0
 description Internal Gateway Interface
 no shutdown
 ip address {PRIVATE IP}
 no ip directed-broadcast
 no ip mroute-cache
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip nat inside
 ip tcp adjust-mss 1452
 speed 100
 full-duplex
 no cdp enable
!
interface Ethernet1/1
 description WAN WISP Interface
 no shutdown
 ip address {PUBLIC IP}
 ip access-group IANA_BLACK_Holes_Out out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip nat outside
 full-duplex
 no cdp enable
!
interface Dialer1
 description WAN ADSL Interface (public-vc)
 ip address negotiated
 ip access-group IANA_BLACK_Holes_Out out
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 dialer idle-timeout 2147483
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username [REMOVED] password [REMOVED]
!
ip nat inside source list 1 interface Ethernet1/1 overload
ip nat inside source static udp {PRIVATE IP} 53 {WISP PUBLIC IP} 53 extendable
ip nat inside source static tcp {PRIVATE IP} 53 {WISP PUBLIC IP} 53 extendable
ip nat inside source static tcp {PRIVATE IP} 8080 {WISP PUBLIC IP} 8080 extendable
ip nat inside source static tcp {PRIVATE IP} 25 {WISP PUBLIC IP} 25 extendable
ip nat inside source static tcp {PRIVATE IP} 80 {WISP PUBLIC IP} 80 extendable
ip nat inside source static tcp {PRIVATE IP} 443 {WISP PUBLIC IP} 443 extendable
ip nat inside source static udp {PRIVATE IP} 8767 {WISP PUBLIC IP} 8767 extendable
ip nat inside source static udp {PRIVATE IP} 8768 {WISP PUBLIC IP} 8768 extendable
ip nat inside source static udp {PRIVATE IP} 3074 {WISP PUBLIC IP} 3074 extendable
ip nat inside source list 2 interface Dialer1 overload
ip nat inside source static udp {PRIVATE IP} 53 {ADSL PUBLIC IP} 53 extendable
ip nat inside source static tcp {PRIVATE IP} 53 {ADSL PUBLIC IP} 53 extendable
ip nat inside source static tcp {PRIVATE IP} 8080 {ADSL PUBLIC IP} 8080 extendable
ip nat inside source static tcp {PRIVATE IP} 25 {ADSL PUBLIC IP} 25 extendable
ip nat inside source static tcp {PRIVATE IP} 80 {ADSL PUBLIC IP} 80 extendable
ip nat inside source static tcp {PRIVATE IP} 443 {ADSL PUBLIC IP} 443 extendable
ip nat inside source static udp {PRIVATE IP} 8767 {ADSL PUBLIC IP} 8767 extendable
ip nat inside source static udp {PRIVATE IP} 8768 {ADSL PUBLIC IP} 8768 extendable
ip nat inside source static udp {PRIVATE IP} 3074 {ADSL PUBLIC IP} 3074 extendable
ip nat inside source static udp {PRIVATE IP} 28960 {ADSL PUBLIC IP} 28960 extendable
!
no ip http server
no ip http secure-server
ip classless
ip route {PRIVATE IP} 255.255.255.0 Ethernet1/1
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 permit host {PRIVATE IP}
access-list 2 permit any
access-list 2 deny any log
dialer-list 1 protocol ip permit
aryoba (Premium, MVM, join: 2002-08-22)
Depending on the router IOS image feature set, you might be able to run VRF-lite to totally separate the routing tables. Other solutions are either implementing PBR (Policy-Based Routing) or adding another router to separate the ISP termination.
deepblackmag (join: 2004-12-27)
It really all depends on what you want to accomplish. Are you trying to load share or load balance locally solicited traffic between the two providers? Or send some hosts one way and some hosts the other? I understand what your setup is but not what your goal is.
caylor93 (Premium, join: 2009-02-25, Parker, CO)
It is the latter... I want to split the traffic with certain hosts or networks using certain ISPs, not load balance. But I also want to try and have inbound traffic arrive at the same servers.
deepblackmag (join: 2004-12-27)
The simpler solution for such a thing would be policy routing; there should be some examples on the forums with other users doing similar things.
A more elegant solution is virtual routing instances (VRFs) in a vrf-lite configuration, however it is more difficult to configure. If you were to split the hosts into two different pools, one using ISP A and one using ISP B, do the pools need to talk to each other or just the outside world?
The simple NAT config (ip nat inside, ip nat outside, global PAT translation) works well for one provider, but in a more complicated environment I would suggest investigating the use of the NAT virtual interface (NVI) with "ip nat enable".
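As an added illustration of the policy-routing approach suggested in this thread (example configuration written for this thread, not the original poster's config or either replier's), the following route-map steers traffic from one inside host out the WISP Ethernet port while everything else keeps the ADSL default route. All addresses and names are assumptions: 10.0.0.0/24 stands in for the private LAN on FastEthernet0/0, 10.0.0.10 for the host that should use the WISP, 198.51.100.1 for the WISP next hop on Ethernet1/1, and the ACL and route-map names are arbitrary. The overload NAT statements are written with route-maps that match the egress interface instead of the two overlapping access lists in the posted config, so each path translates to its own public address.

```cisco
! Added example (not the poster's config). Placeholder addresses:
!   10.0.0.0/24     inside LAN behind FastEthernet0/0
!   10.0.0.10       the one host that should leave via the WISP
!   198.51.100.1    WISP next hop reachable on Ethernet1/1
!
! 1. Select traffic from the WISP-bound host. PBR on the inside interface
!    sees the inside (pre-NAT) address, so match on the private host.
ip access-list extended WISP_HOSTS
 permit ip host 10.0.0.10 any
!
! 2. Policy-route matching traffic to the WISP. Packets that do not match
!    any permit clause fall through to the normal routing table, i.e. the
!    existing default route via Dialer1.
route-map PBR_WISP permit 10
 match ip address WISP_HOSTS
 set ip next-hop 198.51.100.1
!
! 3. Apply the policy where LAN traffic enters the router.
interface FastEthernet0/0
 ip policy route-map PBR_WISP
!
! 4. NAT by egress interface so each ISP path uses its own public address.
!    This replaces "ip nat inside source list 1/2 ... overload".
ip access-list standard NAT_INSIDE
 permit 10.0.0.0 0.0.0.255
!
route-map NAT_WISP permit 10
 match ip address NAT_INSIDE
 match interface Ethernet1/1
!
route-map NAT_ADSL permit 10
 match ip address NAT_INSIDE
 match interface Dialer1
!
ip nat inside source route-map NAT_WISP interface Ethernet1/1 overload
ip nat inside source route-map NAT_ADSL interface Dialer1 overload
!
! 5. The default route stays on the ADSL dialer; the WISP subnet is a
!    connected route on Ethernet1/1, so no static route is needed for it.
ip route 0.0.0.0 0.0.0.0 Dialer1
```

To confirm the policy is taking effect, "show route-map PBR_WISP" reports the match counters, and "show ip nat translations" shows which public address each inside session was translated to. Note what this does and does not cover: it steers traffic by inside source address only. It does not by itself make replies to sessions that arrived through the WISP static port mappings leave via Ethernet1/1 if that server's address is not in WISP_HOSTS, which is the asymmetric-return problem that the separate-routing-table (VRF-lite) suggestion above is meant to address.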
caylor93 (Premium, join: 2009-02-25, Parker, CO)
No, they would only need to talk with the outside world. I will look into the policy routing, VRF and NVI.
Thank you