I failed to make clear that the customer understands that he won't have
automatic failover.  I also understand that the advertised route will be no
good through the DSL provider.  However, he will still be able to transfer
files if the T1 goes down.  Maybe from a workstation or maybe we do some
config changes and tell users to ftp to another ip address (by then the T1
ISP will be back up, dah).  The ftp and ftp1 DNS entries are a good idea.

I am learning something though.  This doesn't seem worth all the trouble.
Unfortunately the customer is set on it and we've confirmed that it is
possible.  Dangerous client, he knows just enough to make our life hard, but
not enough to understand how unorthodox this is.  If anything, this is a
good drill for me, and all these posts are not only enlightening, but
interesting.  Beats the book I'm reading.


"John Kaberna" wrote in message news:[EMAIL PROTECTED]...
> What happens when the T1 provider goes down?  Those IPs will no longer be
> reachable and the servers will be down.  Without BGP I don't see how you
> are going to get the DSL circuit to take over the IPs that the T1 provider
> advertises.  Assuming you have BGP, I would think that policy routing and
> using different global addresses would get the job done.  Sounds to me
> like the only barrier is getting BGP.
>
>
> "Kent Hundley" wrote in message news:[EMAIL PROTECTED]...
> > Wayne,
> >
> > I would suggest disabling NAT on the PIX and performing your NAT on the
> > router.  This eliminates the problem of not knowing what packets
> > originate from the servers.  Then, setup Policy-Based Routing (PBR) on
> > the router.  You didn't post your config, so I assume you have 2 legal
> > addresses, one from each ISP and you don't have your own address space.
> > If you want to setup inbound services you'll have to setup static NAT on
> > the router for the services you want to allow.  For outbound, the PBR is
> > pretty simple:
> >
> > interface Serial0
> >  description interface to T1
> >
> > interface Ethernet0
> >  description interface to DSL
> >
> > interface <inside interface facing the PIX>
> >  ip policy route-map test
> >
> > ! match traffic sourced from the servers (addresses not given in the post)
> > access-list 100 permit ip <server addresses> any
> >
> > route-map test permit 10
> >  match ip address 100
> >  set interface Serial0
> > ! sequence 20 matches everything else and sets nothing, so it routes normally
> > route-map test permit 20
> >
> > For outbound traffic packets from the servers will be sent out the T1 as
> > long as it is up, all other traffic will be forwarded normally.  You'll
> > want to set your routing so that the DSL line is the preferred path for
> > all traffic.  If the T1 goes down, the traffic from the servers will be
> > sent out the DSL.
> >
> > Additional problems that I see are if your servers are to be accessible
> > from the Internet, you will need to have static translations setup for
> > your services on both the T1 and the DSL.  You can do this, but the issue
> > becomes name resolution and which address is returned to users on the
> > Internet.  It's probably safer to just setup the translations for the T1
> > and leave it at that. (you could play some games if you ran your own DNS,
> > but things get complicated pretty quickly)
> >
> > You don't need the FFS on the router as long as everything is behind the
> > PIX (although it shouldn't hurt) and you don't need the link between the
> > router and the PIX to have a public address space as long as you do the
> > NAT on the router.
> >
> > Of course, you also will want to harden the Internet facing router if
> > you have not already done so.
> >
> > One more thing, it's not really accurate to say the PIX "doesn't route".
> > People say this all the time and what they really mean is that the PIX
> > doesn't support routing protocols and some "fancy" routing techniques
> > like PBR.  However, the PIX does perform layer 3 forwarding based on its
> > routing table, this means, by definition, it is "routing".  It just
> > doesn't have the same features and functions for layer 3 forwarding that
> > Cisco routers have.  (this is kind of a nit, but saying the PIX doesn't
> > route tends to confuse people)
> >
> > HTH,
> > Kent
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > Wayne Jang
> > Sent: Wednesday, June 12, 2002 10:10 AM
> > To: [EMAIL PROTECTED]
> > Subject: Pix don't route [7:46356]
> >
> >
> > Hi,
> >
> > The Pix don't route, but can I do this?
> >
> > I have a 2 server 20 user small office.
> >
> > I have a Pix 506 sitting in front of a 2621 with a T1 and a DSL link to
> > the Internet.  I'm not looking to load balance or even do redundancy.  I
> > just want traffic from the servers to use the T1 and I want traffic from
> > the users to use DSL.  I could use access-lists on the 2621 to direct the
> > traffic based on source address, but how will the 2621 know where the
> > traffic came from?  Won't all traffic have a source address of the Pix
> > outside interface?  What if I NAT the servers (on the PIX) so that they
> > will appear to have a different source IP than the users who will be
> > behind the global outside address?  I'll need more public addresses, but
> > that would be fine.
> >
> > I can't get any help from Cisco Pre-Sales because they aren't sure.  I
> > can't get an engineer that knows more than me (not much).
> >
> > My fall back plan is to only use the 2621 and have a firewall IOS.  But
> > I would rather use the Pix, especially because we have already quoted the
> > above solution and are working to save face.
> >
> > Thanks
> >
> > --
> > Wayne Jang
> > Advanced Computer Technologies, Inc.
> > 108 Main Street
> > Norwalk, CT 06851
> > Wk 203-847-9433
> > Cell 203-943-6603
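What Kent's outline looks like as a complete 2621 configuration (an added example, not the config from any post in this thread; the interface names, the 10.1.1.0/24 inside network and the two ISP addresses are invented placeholders). The NAT side uses route-maps keyed on the exit interface so traffic leaving each circuit is translated to that circuit's own address.

```cisco
! Constructed example: NAT moved from the PIX to the 2621, PBR steering the
! servers to the T1, DSL as the default path.  Addresses are placeholders.
interface Serial0
 description T1 to ISP A
 ip address 192.0.2.2 255.255.255.252
 ip nat outside
!
interface Ethernet0
 description DSL to ISP B
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface Ethernet1
 description inside, facing the PIX outside interface (PIX NAT disabled)
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip policy route-map SERVERS-TO-T1
!
! Default route via DSL: nothing uses the T1 unless policy-routed onto it
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Servers behind the PIX (real addresses, since the PIX no longer NATs)
access-list 100 permit ip host 10.1.1.10 any
access-list 100 permit ip host 10.1.1.11 any
! Everything inside that may be translated
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
!
! Seq 10: server traffic exits Serial0 while it is up; if Serial0 is down
! the set is ignored and the packet falls back to the routing table (DSL).
! Seq 20 matches everything else and sets nothing, so it routes normally.
route-map SERVERS-TO-T1 permit 10
 match ip address 100
 set interface Serial0
route-map SERVERS-TO-T1 permit 20
!
! Translate to the address of whichever interface the packet leaves on, so
! replies return over the same circuit.
route-map NAT-T1 permit 10
 match ip address 101
 match interface Serial0
route-map NAT-DSL permit 10
 match ip address 101
 match interface Ethernet0
ip nat inside source route-map NAT-T1 interface Serial0 overload
ip nat inside source route-map NAT-DSL interface Ethernet0 overload
!
! Inbound FTP published on the T1 address only, as Kent suggests
ip nat inside source static tcp 10.1.1.10 21 192.0.2.2 21 extendable
```

With the static translation bound to the T1 address, inbound FTP is reachable only while the T1 is up; server-originated traffic still fails over to the DSL path because the PBR set is skipped when Serial0 is down.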




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46385&t=46356