[c-nsp] Load balancing via 2 ISP + NAT

Rodney Dunn rodunn at cisco.com
Thu Dec 2 16:46:11 EST 2004


What size network were you given to use?
Do you need the ability to initiate inbound
connections from the internet to all
machines on the LAN or just some?

Since ISP1 will not have a route back to you
for the ISP2 address space the only thing
you can do with traffic going out that way
is overload to the WAN ip address.

For the in->out direction the routing
decision would be made first so you could
use a route-map I think to overload on
the wan interfaces for each.

ie:

101_(config)#ip nat inside source route-map isp1 interface e1/0 overload
101_(config)#ip nat inside source route-map isp2 interface e2/0 overload

then define a route-map that would match for isp1
the egress interface name going to isp1.
Do the same for isp2.

Now this will cover your internal hosts that just need to get
out to the internet.  Since the source address will be the
ip address on the wan interface for each isp your return
traffic will always come to the right path.

Then for the hosts you need to allow inbound connections
for you define static nat translations to map to ip addresses
in the pool you were given from the ISP.

The only gotcha I see here is for this to work you will have
to do policy based routing on the internal LAN interface
coming in the router and send all traffic coming from the
static translated inside hosts out the ISP2 link.  That
means you will not have failover for those hosts between
the two links but that is the only possible way I can
think of to make this work.

Rodney


On Thu, Dec 02, 2004 at 09:39:51PM +0200, Sorin CONSTANTINESCU wrote:
> On Thu, 2 Dec 2004 12:13:28 -0500, Rodney Dunn <rodunn at cisco.com> wrote:
> > Never send out an ascii diagram that doesn't
> > fit in an 80 column window.
> 
> sorry :(
> 
> >
> >                        /-ISP1(10.0.0.1/30)
> > LAN--(nat inside)Router
> > (10.0.2.1/24)           \
> >                         -ISP2 (10.0.1.1/30)(nat outside)
> >
> >
> > What is your ISP1 connection?
> 
> The ISP1 connection is an E1 connection.
> 
> > Is your interface address a global one from the provider?
> >
> 
> The global address is from ISP2
> 
> > When you put 10.x.x.x addresses everywhere in your diagram
> > it makes it appear as though everything is private.
> >
> 
> No, they're not private, they're all public. Sorry for the confusion.
> The LAN subnet is a /29, and on both interfaces towards the ISPs there
> are /30s.
> 
> > Were you given some global addresses to use?
> > If so from what provider?
> 
> The global address is from ISP2, but the lan addresses are from ISP1.
> 
> >
> > Rodney
> 
> --
> Sorin
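The design Rodney sketches above, written out as one complete IOS configuration so the pieces can be seen together: two default routes, a NAT overload statement per WAN interface keyed on the egress interface, a static mapping for a host that must accept inbound connections, and the policy routing that pins that host to ISP2. This is an added illustration, not configuration posted by anyone in the thread. Interface names, the router-side WAN addresses taken from the diagram, the ISP next-hop addresses, the sample inside host 10.0.2.10 and the public address 198.51.100.10 used for the static mapping are all constructed placeholders.

```cisco
! Added example, not from the original thread. Addresses are constructed
! sample values loosely based on the thread's diagram; replace them.
!
interface Ethernet0/0
 description LAN (inside), /29 per the thread
 ip address 10.0.2.1 255.255.255.248
 ip nat inside
 ! PBR: hosts with static translations must always leave via ISP2
 ip policy route-map STATIC-HOSTS-TO-ISP2
!
interface Ethernet1/0
 description ISP1 (outside)
 ip address 10.0.0.1 255.255.255.252
 ip nat outside
!
interface Ethernet2/0
 description ISP2 (outside; the public pool is routed this way)
 ip address 10.0.1.1 255.255.255.252
 ip nat outside
!
! Two equal default routes: per-destination load sharing over both ISPs.
! Next-hop addresses (.2 on each /30) are assumed, not from the thread.
ip route 0.0.0.0 0.0.0.0 10.0.0.2
ip route 0.0.0.0 0.0.0.0 10.0.1.2
!
! Routing picks the egress interface first; the route-map then selects
! the matching WAN address to overload on, so return traffic for that
! session always comes back over the same link.
route-map ISP1 permit 10
 match interface Ethernet1/0
!
route-map ISP2 permit 10
 match interface Ethernet2/0
!
ip nat inside source route-map ISP1 interface Ethernet1/0 overload
ip nat inside source route-map ISP2 interface Ethernet2/0 overload
!
! Host that must accept inbound connections: one-to-one static mapping
! to an address from the ISP-assigned pool (placeholder 198.51.100.10).
ip nat inside source static 10.0.2.10 198.51.100.10
!
! Force that host's outbound traffic to ISP2 so its translated source is
! routable on the path it uses. As the post notes, this host therefore
! has no failover to ISP1.
ip access-list extended STATIC-NAT-HOSTS
 permit ip host 10.0.2.10 any
!
route-map STATIC-HOSTS-TO-ISP2 permit 10
 match ip address STATIC-NAT-HOSTS
 set ip next-hop 10.0.1.2
```

To confirm the behaviour described in the post, check `show ip nat translations` after generating traffic from an ordinary LAN host and from 10.0.2.10: the former should appear with the inside-global address of whichever WAN interface routing chose, the latter always as 198.51.100.10 (the placeholder) regardless of destination. `show route-map` shows the match counters for both the NAT route-maps and the PBR route-map.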
