
Hi there, I have a Cisco 2811 router.
It has 2 internet connections, a 10 Mbit fiber line (FastEthernet0/0) and a 6 Mbit MLPPP line (Multilink 1); the internal interface FastEthernet0/1 does NAT between internal hosts and the internet. I have 32 public IP addresses assigned to my Multilink 1 circuit via my ISP, and the Comcast line has only 8 public IPs, so I'd like to continue using the Multilink line to access hosted servers in my network. However, since I assigned the fiber line to be the primary circuit with routing metric 1, and assigned metric 10 to my MLPPP circuit, I'm having problems:

I need to configure this router so that it primarily uses the fiber line (circuit A) for internet browsing and emails, but when an internet host attempts to access an internal host via its public address from circuit B, the internal host replies using circuit B so that a connection could be established. Is this possible?

This example would have worked if the "internet" for each circuit had different IP spaces, but since the internet is 0.0.0.0 0.0.0.0 I cannot differentiate between internet connections :(

https://supportforums.cisco.com/docs/DOC-5061

asked 12/05/2011 11:07


eggster34 ♦♦


10 Answers:
Have you tried using a route map, so that any traffic sources from your "internal hosts" uses fa0/0?

answered


Soulja

I have route maps so that all internal hosts use fa0/0 by default, which works great, but how can I access an inside host using a Multilink circuit IP address?

answered 2011-12-06 at 07:55:06


eggster34

If your goal is for internal servers to always use only the mlppp connection, and for other internal hosts to always use only the fiber connection, then:
- use a NAT overload and default route on the Fa0/0 port for internal hosts that are not servers (i.e., the ACL will carry deny lines for the internal servers)
- apply policy-based routing and NAT for internal servers to use the MLPPP connection (i.e., the ACL will indicate a list of internal server host source addresses that will only egress via the MLPPP)

So, you'll need to:
- define static NATs for the internal servers to be translated to addresses on the MLPPP (forward all traffic, not just the ports)
- apply policy-based routing on Fa0/1 to be sure the internal servers will always be pushed out the MLPPP link
- define pool-based or overload NAT for internal hosts to follow the default 0.0.0.0/0 route out Fa0/0
- you can remove the static default that points out to the MLPPP next-hop (or interface); it doesn't do anything that you described in your question
- you might want to set up IOS firewall for the internal servers that are going to be exposed to the Internet. Left to me, I'd use the CBAC firewall, not Zone-Based.

answered 2011-12-06 at 18:05:21


mr_dirt
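A constructed IOS configuration (added here; not the poster's router config and not from the thread) that implements the split mr_dirt describes: the servers get one-to-one static NAT to MLPPP addresses and are policy-routed out Multilink1, while every other LAN host is PAT'd out Fa0/0 behind the single default route. It gives the servers only the MLPPP exit, so it deliberately does not achieve the original goal of having the servers browse via the fiber line while being reachable on the MLPPP range; the interface names come from the question, the addresses are RFC 5737 documentation ranges, and the two server hosts and single LAN subnet are assumptions.

```cisco
! Constructed example. Assumed addressing (RFC 5737 documentation space):
!   203.0.113.0/29  = fiber public block, gateway 203.0.113.1
!   198.51.100.0/27 = MLPPP public block, gateway 198.51.100.1
!   192.168.1.0/24  = the only LAN subnet; .10 and .11 are the hosted servers
interface FastEthernet0/0
 description Fiber uplink (default path for ordinary hosts)
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
!
interface Multilink1
 description MLPPP uplink (servers only)
 ip address 198.51.100.2 255.255.255.224
 ip nat outside
!
interface FastEthernet0/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip policy route-map SERVERS-VIA-MLPPP
!
! One default route, out the fiber link. No second default toward the MLPPP hop.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Servers: static one-to-one NAT onto MLPPP addresses (all protocols and ports).
ip nat inside source static 192.168.1.10 198.51.100.10
ip nat inside source static 192.168.1.11 198.51.100.11
!
! Everyone else: overload (PAT) behind the fiber interface address.
! The servers are denied first so they never match the overload rule.
ip access-list extended LAN-TO-FIBER
 deny   ip host 192.168.1.10 any
 deny   ip host 192.168.1.11 any
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list LAN-TO-FIBER interface FastEthernet0/0 overload
!
! PBR on the LAN interface runs before inside-to-outside NAT, so server-sourced
! packets are steered to the MLPPP next hop and then translated to 198.51.100.x.
! If other internal subnets exist, add deny lines for them ahead of the permits.
ip access-list extended SERVER-SOURCES
 permit ip host 192.168.1.10 any
 permit ip host 192.168.1.11 any
!
route-map SERVERS-VIA-MLPPP permit 10
 match ip address SERVER-SOURCES
 set ip next-hop 198.51.100.1
```

Check the split with `show ip nat translations` (server entries should show 198.51.100.x globals, other hosts 203.0.113.2 with ports) and `show route-map SERVERS-VIA-MLPPP`, whose policy-routing match counter should increase only when the servers send traffic.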

My goal is for all hosts (including the servers) to use the fiber circuit for internet, AND the servers to be accessible via their mapped public IP addresses from the MLPPP range.

answered 2011-12-07 at 19:47:35


eggster34

I'm skeptical that your desired functionality is available on IOS. I need to review some notes and config from a while back that I might still have at my office. That said, my first inclination is to say that a router won't do what you want, and neither will an ASA.

answered 2011-12-07 at 20:32:44


mr_dirt

I'd have to agree with mr dirt on this one. I have been trying to wrap my head around this one.

answered 2011-12-07 at 21:00:08


Soulja

I've checked all of the relevant documentation that I have, and I'm sticking with "no".

IOS won't do it because there is no way to policy-route the traffic that is returning from servers back to Internet hosts that connected to the address pool on the MLPPP link. The inbound request from the Internet will be properly translated and sent to your server, but on the traffic's return, it will be handled by NAT inside-to-outside *after* policy routing has looked at it. So the replies *should* be translated, they'll just be sent back out the wrong interface, and I suspect that Comcast will discard the traffic because they're seeing traffic that's not supposed to be sourced on their network. If you had it configured correctly before, and it wasn't working, I believe this is the answer as to why.

The ASA won't do it because there is no policy-routing, and I'm pretty sure that you can only have one active route to a given destination at a time.

answered 2011-12-08 at 07:18:40


mr_dirt

Very well explained Mr. Dirt.

answered 2011-12-08 at 13:16:52


Soulja

Many thanks.

answered 2011-12-08 at 16:37:30


eggster34

The answer is negative, but we at least know that this can't be done.

answered 2011-12-08 at 21:52:49


eggster34


Last updated: 12/08/2011 01:53