I have used NAT and multihoming to provide redundancy through two ISPs for
our servers without BGP using the following procedure:
1. Put one address from each ISP on the firewall's external interface.
(Go to the General FAQ on phoneboy's page for information on how to do this
--> http://www.phoneboy.com/fw1/)
2. Put two internal IP addresses on each server.
3. Translate one address from each server to an external address supplied
by ISP A, translate the other to an address supplied by ISP B. I do all
translation on the firewall (Firewall 1 4.0 on Solaris 2.6).
4. Round-robin the addresses in DNS (or use an active DNS package like
F5's 3DNS to monitor your connections and hand out the best address).
5. Put policy routing on your default router to send the traffic back out
to whichever ISP it came in from (using policy routing you can route based
on the source IP as well as the destination IP, so just set it up to route
packets coming from your servers' ISP A addresses back to ISP A, and
packets from your servers' ISP B addresses back to ISP B). Here is a link
to instructions for setting up policy routing on Cisco IOS 12 -->
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_c/1cprt1/1cindep.htm#5030
BGP is a much better solution, but you have to be a large enough
organization to get the IP address gods (ARIN.NET for the US) to give you a
large enough block of addresses to be globally routable (a /20 CIDR block,
I believe) and an autonomous system number, and then you have to be very
careful when setting up BGP (book length topic, there).
Any other redundancy ideas out there?
Matt Ruehlen
Network Operations Supervisor
ELF Technologies, Inc.
Voice: 206 770 4034
Fax: 206 728 5654
From: Jack Coates <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED] kpoint.com
To: "Lee (lunchbox) Hughes" <[EMAIL PROTECTED]>
cc: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Subject: RE: [FW1] Multiple IPs to one NIC?
Date: 08/01/00 10:08 AM
I think you're mixing up problems -- this guy never asked about
multihoming.
You would be right in the case of NAT (NAT + Multihoming = Screaming Case
of Heebie Jeebies). But if he was multihoming between a DSL line and a 64K
line, assuming all DNS points to the 64K line and only one direction is
NATed, it could work. I wouldn't do it with CPFW, though -- I'd do this:
     a.a.a.0                 b.b.b.0
       64K                     DSL
     csu/dsu                  bridge
     router                   router  <- do NAT here, hiding behind b.b.b.x
          \                  /
           ----firewall----          <- direct "certain traffic" to DSL line
          c.c.c.0 (registered space, no NAT req'd)
"certain traffic" needs to be traffic originating from the inside which
doesn't rely on resolvable names (e.g., browsing is okay but sendmail is
not). Ideally the DSL router should block all inbound SYNs since it's got
a DHCP address and therefore won't be approached by anything legitimate.
This could be a good way to offload junk traffic, but it won't help in
providing redundancy for important internals (like mail servers). For that
you need BGP.
--
Jack Coates, Rainfinity SE
t: 650-962-5301 m: 650-280-4376
On Tue, 1 Aug 2000, Lee (lunchbox) Hughes wrote:
> hey, correct me if I'm wrong, but if you 'route' over the dsl, won't the
> packets return via the original IP address in the source, i.e. the 64k
> line????, be careful. running a multihomed site is not as easy as it
> sounds, unless you're running bgp-4 :-).
> Lee
>
> -----Original Message-----
> From: Jack Coates [mailto:[EMAIL PROTECTED]]
> Sent: 31 July 2000 21:27
> To: Screaming Badger
> Cc: [EMAIL PROTECTED]
> Subject: Re: [FW1] Multiple IPs to one NIC?
>
>
>
> That could work -- but make sure you realize what you'd have to do. You'll
> need to add a route statement which directs traffic for the fixed IP to
> the dynamic IP. You'd have to change that route every time your DHCP
> address changed. And you'd have to break any existing connections
> every time you changed the route.
>
> I assume this is DSL? Most if not all DSL providers offer a fixed IP
> option for slightly more money per month -- I would look into that if I
> were you.
>
>
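The DSL router from Jack's diagram, as an added example and not his configuration: it translates the "certain traffic" the firewall steers its way behind its own dynamic address and refuses anything inbound that is not a reply to a session opened from inside. Assumed for illustration: the inside segment is 10.0.0.0/24 with the firewall on it, the DSL bridge is on Ethernet1, and the IOS release has a DHCP client that can address that interface.

```cisco
! DSL-side router (added example; names and addresses are assumed).
!
! Only inside sources the firewall sends this way are translated.
ip access-list standard NAT-INSIDE
 permit 10.0.0.0 0.0.0.255
!
! Inbound filter on the DSL side. "established" matches TCP segments with
! ACK or RST set, so a bare SYN never gets in; everything that is not a TCP
! reply is dropped and logged. Non-TCP return traffic is dropped too, so
! only TCP sessions should be steered over this line.
ip access-list extended DSL-INBOUND
 permit tcp any any established
 deny ip any any log
!
interface Ethernet0
 description Inside, toward the firewall
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface Ethernet1
 description DSL bridge, address and default route come from provider DHCP
 ip address dhcp
 ip nat outside
 ip access-group DSL-INBOUND in
!
! PAT: hide every permitted inside source behind whatever address Ethernet1
! currently holds, so a lease change does not require editing the NAT rule.
ip nat inside source list NAT-INSIDE interface Ethernet1 overload
```

Two caveats on the filter. The `established` keyword is a stateless flag check, not connection tracking: it stops connection setup from the outside, but a crafted ACK or RST segment still passes and reaches the NAT table, where it is discarded only because no translation matches. And because the outside address changes with the lease, nothing inbound can be expected anyway, exactly as the post says; the filter just makes that explicit rather than leaving the router's own services exposed.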
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================