What happens when the T1 provider goes down?  Those IPs will no longer be
reachable and the servers will be down.  Without BGP I don't see how you are
going to get the DSL circuit to take over the IPs that the T1 provider
advertises.  Assuming you have BGP, I would think that policy routing and
using different global addresses would get the job done.  Sounds to me like
the only barrier is getting BGP.


"Kent Hundley" wrote in message news:[EMAIL PROTECTED]...
> Wayne,
>
> I would suggest disabling NAT on the PIX and performing your NAT on the
> router.  This eliminates the problem of not knowing what packets originate
> from the servers.  Then, set up Policy-Based Routing (PBR) on the router.
> You didn't post your config, so I assume you have 2 legal addresses, one
> from each ISP, and you don't have your own address space.  If you want to
> set up inbound services you'll have to set up static NAT on the router for the
> services you want to allow.  For outbound, the PBR is pretty simple:
>
> int s 0
>  ! interface to T1
>
> int e 0
>  ! interface to DSL
>
> int <inside interface>
>  ip policy route-map test
>
> access-list 100 permit ip <server network> <wildcard mask> any
>
> route-map test permit 10
>   match ip address 100
>   set int s 0
> route-map test permit 20
>
> For outbound traffic, packets from the servers will be sent out the T1 as
> long as it is up; all other traffic will be forwarded normally.  You'll want
> to set your routing so that the DSL line is the preferred path for all
> traffic.  If the T1 goes down, the traffic from the servers will be sent out
> the DSL.
>
> Additional problems that I see are if your servers are to be accessible from
> the Internet, you will need to have static translations set up for your
> services on both the T1 and the DSL.  You can do this, but the issue becomes
> name resolution and which address is returned to users on the Internet.
> It's probably safer to just set up the translations for the T1 and leave it
> at that. (You could play some games if you ran your own DNS, but things get
> complicated pretty quickly.)
>
> You don't need the FFS on the router as long as everything is behind the PIX
> (although it shouldn't hurt), and you don't need the link between the router
> and the PIX to have a public address space as long as you do the NAT on
> the router.
>
> Of course, you also will want to harden the Internet facing router if you
> have not already done so.
>
> One more thing: it's not really accurate to say the PIX "doesn't route".
> People say this all the time, and what they really mean is that the PIX
> doesn't support routing protocols and some "fancy" routing techniques like
> PBR.  However, the PIX does perform layer 3 forwarding based on its routing
> table; this means, by definition, it is "routing".  It just doesn't have the
> same features and functions for layer 3 forwarding that Cisco routers have.
> (This is kind of a nit, but saying the PIX doesn't route tends to confuse
> people.)
>
> HTH,
> Kent
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Wayne Jang
> Sent: Wednesday, June 12, 2002 10:10 AM
> To: [EMAIL PROTECTED]
> Subject: Pix don't route [7:46356]
>
>
> Hi,
>
> The Pix doesn't route, but can I do this?
>
> I have a 2-server, 20-user small office.
>
> I have a Pix 506 sitting in front of a 2621 with a T1 and a DSL link to the
> Internet.  I'm not looking to load balance or even do redundancy.  I just
> want traffic from the servers to use the T1 and I want traffic from the
> users to use DSL.  I could use access-lists on the 2621 to direct the
> traffic based on source address, but how will the 2621 know where the
> traffic came from?  Won't all traffic have a source address of the Pix
> outside interface?  What if I NAT the servers (on the Pix) so that they will
> appear to have a different source IP than the users, who will be behind the
> global outside address?  I'll need more public addresses, but that would be
> fine.
>
> I can't get any help from Cisco Pre-Sales because they aren't sure.  I can't
> get an engineer that knows more than me (not much).
>
> My fall back plan is to only use the 2621 and have a firewall IOS.  But I
> would rather use the Pix, especially because we have already quoted the
> above solution and are working to save face.
>
> Thanks
>
> --
> Wayne Jang
> Advanced Computer Technologies, Inc.
> 108 Main Street
> Norwalk, CT 06851
> Wk 203-847-9433
> Cell 203-943-6603
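A fuller version of the design Kent sketches above, as an added example rather than anyone's posted config: NAT moved from the PIX to the 2621, PBR steering server traffic out the T1 while it is up, and default routing preferring the DSL. Interface names, the private ranges (servers 192.168.1.0/25, users 192.168.1.128/25) and the angle-bracket placeholders are assumptions; IOS NAT route-maps with `match interface` are used so that each flow is translated to the address of the link it actually leaves on, which is what lets the DSL carry server traffic when the T1 is down.

```cisco
! Added example, not Kent's or Wayne's config. Interface names and
! addresses are assumed: servers 192.168.1.0/25, users 192.168.1.128/25;
! <T1-NEXT-HOP>, <DSL-NEXT-HOP> and <T1-PUBLIC-SRV> are placeholders.
interface Serial0/0
 description T1 to ISP A
 ip nat outside
interface FastEthernet0/0
 description DSL to ISP B
 ip nat outside
interface FastEthernet0/1
 description Inside, toward the PIX outside interface (PIX NAT disabled)
 ip nat inside
 ip policy route-map SERVERS-VIA-T1
!
! Server traffic is identified by its real source address, which the
! router can see only because the PIX no longer translates it.
access-list 100 permit ip 192.168.1.0 0.0.0.127 any
! Everything the router is allowed to translate (servers and users).
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
! PBR: servers out the T1 while Serial0/0 is up. When the interface is
! down the "set interface" is ignored and sequence 20 lets the packet
! follow the normal routing table (i.e. the DSL default below).
route-map SERVERS-VIA-T1 permit 10
 match ip address 100
 set interface Serial0/0
route-map SERVERS-VIA-T1 permit 20
!
! NAT: pick the global address from the egress interface, so a flow
! pushed out the T1 by PBR gets the T1 address and a flow that fell
! back to the DSL gets the DSL address.
route-map NAT-T1 permit 10
 match ip address 101
 match interface Serial0/0
route-map NAT-DSL permit 10
 match ip address 101
 match interface FastEthernet0/0
ip nat inside source route-map NAT-T1 interface Serial0/0 overload
ip nat inside source route-map NAT-DSL interface FastEthernet0/0 overload
! Inbound service published on the T1 address only, as Kent suggests.
ip nat inside source static 192.168.1.10 <T1-PUBLIC-SRV>
!
! Normal routing prefers the DSL; the T1 default is a floating static
! (admin distance 250) used only if the DSL path disappears.
ip route 0.0.0.0 0.0.0.0 <DSL-NEXT-HOP>
ip route 0.0.0.0 0.0.0.0 <T1-NEXT-HOP> 250
```

One caveat worth checking on the real box: a static translation wins over the dynamic overload for outbound traffic from 192.168.1.10, so during a T1 outage that host still leaves the DSL link sourced from the T1 provider's address, which is exactly the reachability problem raised at the top of this post and is why inbound services do not survive the failover without BGP.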

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46379&t=46356
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html