From: Muhammad Saleem (msaleems@gmail.com)
Date: Wed Nov 14 2007 - 14:01:21 ART
My understanding is as follows.
Inbound request is coming to Primary DNS, P.DNS will respond the IP add
given by First ISP-1, if VSAT link is down the inbound request will come to
the Secondary DNS, S.DNS will respond the IP add given by second ISP-2.
Inbound request is coming from one of the ISP and terminating at the server
but in the return path when internal server is going to respond to the
request (Web request or SMTP request) it will be going to the L3 switch SVI
and switch firstly try to respond from lower distance route like (IP add of
Internal NIC of Pix >> VSAT modem then ISP-1) if the route does not respond
like VSAT is down then switch will try to respond the request from higher
distance route like (IP add of Internal NIC of ISA >> DSL modem then ISP-2).
I want to use DSL only for this purpose.
Please correct me if I am wrong.
Saleem
-----Original Message-----
From: Scott Morris [mailto:smorris@ipexpert.com]
Sent: Wednesday, November 14, 2007 5:34 PM
To: 'Muhammad Saleem'; 'Mohamed, Liban [NTK]'
Cc: ccielab@groupstudy.com; dcp@dcptech.com
Subject: RE: Two default gateway (IP Route ..)
If you are going through a PIX/ASA, the state table will have entries for
which NAT pool was used to translate (perhaps indicating which incoming path
was used) so at least proper translation on outbound packets is completed.
However, once it comes to routing if they are of the same interface then
it's simply in order of preference as far as I have seen.
If you have your two outside routes on separate inbound interfaces, then the
state table will actually "take care of" your outbound route choice by
delivering the outbound packets back to the correct outside interface and
then it will look up its 0/0 route appropriately.
In your case though, you are going to two completely separate devices on the
inbound. So you're losing any sense of state when NAT'ing internally. Your
packets get to servers/hosts/whatever, and they make their own individual
choices for sending packets out. Once the packets get to their outbound
gateway, it'll go through whatever NAT/routing is configured on that box
with disregard to the other.
If you're doing this just on a single router we may be able to play with
other things like DSCP values and such, but you'd still have to have
server/hosts able to mark in the same fashion otherwise you'd mark inbound
but have nothing for outbound distinction.
HTH,
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE-M
#153, JNCIS-ER, CISSP, et al.
CCSI/JNCI-M/JNCI-ER
VP - Technical Training - IPexpert, Inc.
IPexpert Sr. Technical Instructor
A Cisco Learning Partner - We Accept Learning Credits!
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
http://www.ipexpert.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Muhammad Saleem
Sent: Wednesday, November 14, 2007 2:16 AM
To: 'Mohamed, Liban [NTK]'
Cc: ccielab@groupstudy.com; dcp@dcptech.com
Subject: RE: Two default gateway (IP Route ..)
VSAT-----CE1 (VSAT Modem>>External NIC of Pix FW >> Internal NIC of Pix FW >>Internal Server (P-DNS, WEB, Email)
DSL------CE2 (DSL Modem>>External NIC of Microsoft ISA FW >> Internal NIC of Microsoft ISA FW >> Internal Server (S-DNS, WEB, Email)
Pix internal NIC, Microsoft ISA internal NIC and Internal servers are
connected in CISCO Catalyst 3750 switch and belong to same VLAN, and I am
configuring static routes in the same switch.
Saleem
-----Original Message-----
From: Mohamed, Liban [NTK] [mailto:Liban.Mohamed@sprint.com]
Sent: Wednesday, November 14, 2007 9:31 AM
To: Muhammad Saleem
Subject: RE: Two default gateway (IP Route ..)
Mohamed so just to understand your set up.
VSAT-----CE1-----Internal Server (P-DNS, WEB)
DSL------CE1-----Internal Server (S-DNS, WEB-Server)
You want the DSL to take over in case the VSAT fails, right? Since the VSAT
and the DSL come to one CE you want to enter flooding static route for
default-route, that should work just fine, as you are setting the admin
distance of 192.168.43.10 to 50, hence it will be a back up.
Thanks,
Liban Mohamed
NTAC-IP
Sprint/Nextel
www.sprint.net
liban.mohamed@sprint.com
(W) 678-291-3438
(PCS) 404-441-9701
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Muhammad Saleem
Sent: Wednesday, November 14, 2007 12:47 AM
To: groupstudy@cconlinelabs.com
Cc: ccielab@groupstudy.com
Subject: RE: Two default gateway (IP Route ..)
I have P.DNS and S.DNS servers, hosting inside of network, already
registered with the SaudiNIC, P.DNS contains IP Add from ISP-1(connected
with VSAT), S.DNS will contains IP Add from ISP-2 (connected with DSL), If
client is trying to access Web server it will go through P.DNS and if
ISP-1 link is down then the client request will go through S.DNS (ISP-2, DSL
link) and will reach my Web server.
I have not implemented this scenario yet but I think it's gonna work.
If I add one more IP Route like
ip route 0.0.0.0 0.0.0.0 192.168.43.2
ip route 0.0.0.0 0.0.0.0 192.168.43.10 50
Is it gonna solve my problem?
Saleem
-----Original Message-----
From: Tony Schaffran [mailto:groupstudy@cconlinelabs.com]
Sent: Wednesday, November 14, 2007 5:05 AM
To: 'Muhammad Saleem'; ccielab@groupstudy.com
Subject: RE: Two default gateway (IP Route ..)
For what you are trying to accomplish, I am afraid it is a little more
complicated than it seems.
Without BGP, to get inbound traffic to your web and mail servers, you will
need something like a Fatpipe device or some kind of dynamic DNS
implementation.
Tony Schaffran
Network Analyst
CCIE #11071
CCNP, CCNA, CCDA,
NNCDS, NNCSS, CNE, MCSE
www.cconlinelabs.com
Your #1 choice for online Cisco rack rentals.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Muhammad Saleem
Sent: Tuesday, November 13, 2007 7:23 AM
To: ccielab@groupstudy.com
Subject: Two default gateway (IP Route ..)
Hi Experts,
This is a little odd question but related to one of the routing issues.
I have one L3 switch, one Server VLAN, Two ISPs, one is through VSAT which
is primary link and second one is DSL link.
VSAT is further connected to outside interface of CISCO Pix Firewall
protecting Web and Email server.
DSL is further connected to Microsoft ISA firewall outside interface, ISA
FW will be used to publish Web and Email servers
I am going to provide availability of Web and Email servers in case of VSAT
link is down.
In CISCO Cat 3750 switch I have defined VLAN for Web and Email servers and
in servers Default Gateway IP I defined the IP address of VLAN IP address
(SVI IP address)
in CISCO Cat 3750
ip route 0.0.0.0 0.0.0.0 192.168.43.2
(192.168.43.2 is the Internal IP of CISCO Pix firewall)
With this switch configuration VSAT connection is working fine and I can
access web and email server from outside and inside.
I want to use DSL link for inbound connection only if main VSAT link is
down, people should be able to access web and Email server from Internet.
Now, I am going to add DSL connection in my network so, should I just add
one more
IP ROUTE entry in my L3 switch like
ip route 0.0.0.0 0.0.0.0 192.168.43.10 ?
(192.168.43.10 is the inside IP of Microsoft ISA firewall)
Is this enough to get web and email service availability or what should I do
more??
How can I define two Gateways with different distance, so the L3 switch
recognize that main VSAT link (CISCO Pix) is down so use the DSL link(ISA
Server).
I will appreciate all the responses.
This archive was generated by hypermail 2.1.4 : Sat Dec 01 2007 - 06:37:29 ART
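
An added example, not part of the thread or any participant's message: a small Python model of the design discussed above, showing why the distance-50 default route only takes over when the primary next hop disappears from the server VLAN, and what a stateful firewall does with a reply to a connection it never saw. The next-hop addresses and the distance of 50 come from the thread; the default distance of 1 is the usual value for a static route, and the client and server addresses, class and function names are constructed for illustration.

```python
# Constructed model of the topology in this thread; not taken from any device.
PIX, ISA = "192.168.43.2", "192.168.43.10"   # next hops quoted in the thread
ROUTES = [(PIX, 1), (ISA, 50)]               # (next hop, administrative distance)


def best_default(routes, lan_reachable):
    """Return the next hop of the default route the L3 switch would install.

    A static route stays installed while its next hop resolves on the
    connected VLAN, so only LAN-side reachability matters here, not the
    state of the WAN link behind the firewall.
    """
    usable = [(dist, hop) for hop, dist in routes if hop in lan_reachable]
    return min(usable)[1] if usable else None


class StatefulFirewall:
    """Tracks flows it saw inbound; replies without state are dropped."""

    def __init__(self, name):
        self.name = name
        self.flows = set()

    def inbound(self, client, server):
        self.flows.add((client, server))

    def reply(self, server, client):
        return (client, server) in self.flows


def simulate(entry_hop, lan_reachable):
    """Inbound request enters via entry_hop; return (exit hop, reply passed)."""
    fws = {PIX: StatefulFirewall("PIX"), ISA: StatefulFirewall("ISA")}
    client, server = "203.0.113.7", "192.168.43.20"   # constructed addresses
    fws[entry_hop].inbound(client, server)
    exit_hop = best_default(ROUTES, lan_reachable)
    if exit_hop is None:
        return None, False
    return exit_hop, fws[exit_hop].reply(server, client)


if __name__ == "__main__":
    print(simulate(PIX, {PIX, ISA}))  # normal operation through the PIX
    print(simulate(ISA, {PIX, ISA}))  # VSAT down upstream, PIX inside NIC still up
    print(simulate(ISA, {ISA}))       # PIX next hop gone from the VLAN
```

The second case is the one the thread turns on: the request arrives through the ISA firewall, the switch still prefers the PIX because its inside address is reachable, and the PIX has no state for the flow.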