[c-nsp] Simple NAT based IOS failover between providers

Robert Boyle robert at tellurian.com
Mon Sep 26 11:01:37 EDT 2005


Hello,

We opened a ticket with the TAC and were told this was not possible. I 
don't believe it. Many $79 generic Asian routers sold at office supply 
stores can do this out of the box so I have to believe that Cisco with 10+ 
years of IOS development and a $1500 router can do something this simple. 
Situation details below:

Router with two "outside" interfaces - Both Ethernet in the cheap routers 
or WIC-1DSU-T1 and WIC-1ADSL in our Cisco example
Router has one "inside" Ethernet interface which runs NAT with IPSEC 
passthrough.

The first outside interface is connected to ISP A (us in this case)
The other outside interface is connected to ISP B (the local telco or cable 
company in this case)

The router is configured so ISP A is the primary Internet link and it pings 
the far side of the WAN connection to determine if the link is up. When the 
primary link is up, all traffic is NAT mapped and sourced from the primary 
WAN IP. If the ping fails, the router changes the NAT mappings to use the 
second link with ISP B and all packets after that point are sourced from 
the second WAN interface IP address. Fail back can be automatic after a 
timer expires or a manual process such as a reboot. I don't really care 
either way, but I do need the failover from ISP A to ISP B to be automatic 
based on interface state, ping, or some other reliable method. I have seen 
some documentation for IOS which enables changing routes based on a ping 
response, but how do I change the NAT mappings as well? A working real 
config or a pointer to a cookbook example would be great! We have Cisco PIX 
boxes doing IPSEC behind these 1721s and 28xx routers at these sites and 
timers set to 1 minute on the PIXes so they will reconnect within a minute 
if the primary link fails. I believe that there HAS to be a way to make a 
Cisco IOS router do something that a $79 consumer router can do! Thanks in 
advance for any assistance!

-Robert

Before anyone suggests another method such as BGP, that won't work. We 
can't provide the secondary link to these locations since they are isolated 
small offices in independent telephone territories or cable is the only 
option as ISP B (and ISP B doesn't speak BGP.) Thanks!



Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin
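The shape of configuration the poster is asking for, added here as an example; it is not from the original thread and not anything Cisco TAC supplied. Interface names, the addresses (all documentation ranges), the probe target, the timers and the IOS 12.4 command syntax (`ip sla monitor` / `track ... rtr`; older 12.3 images spell the probe `rtr`) are assumptions, and the WIC-1ADSL side is shown as an Ethernet hand-off to a cable modem with a static address to keep the example short:

```cisco
! Added example (not from the original post, not a TAC-supplied config).
! Assumptions: IOS 12.4 mainline syntax; LAN on FastEthernet0/0, ISP A on
! Serial0/0 (T1), ISP B on FastEthernet0/1 to a cable modem with a static
! address; 203.0.113.1 is ISP A's router at the far end of the T1;
! 192.0.2.1 is ISP B's gateway.
!
! 1. Probe the far side of the T1 every 10 s, sourced from the T1 address.
ip sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 source-ipaddr 198.51.100.2
 timeout 1000
 frequency 10
ip sla monitor schedule 1 life forever start-time now
!
! 2. Turn the probe into a tracked object; the delays dampen flapping so a
!    single lost echo does not swing the whole site back and forth.
track 1 rtr 1 reachability
 delay down 30 up 60
!
interface FastEthernet0/0
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 description ISP A (primary, T1)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 description ISP B (backup, cable modem)
 ip address 192.0.2.2 255.255.255.0
 ip nat outside
!
! 3. The primary default route is withdrawn while track 1 is down; the
!    floating static (AD 10) via ISP B then carries traffic. Failback is
!    automatic once the probe has succeeded for the "up" delay.
ip route 0.0.0.0 0.0.0.0 Serial0/0 track 1
ip route 0.0.0.0 0.0.0.0 192.0.2.1 10
!
! 4. NAT follows routing: "match interface" makes each translation rule
!    apply only to packets leaving through that rule's outside interface,
!    so the inside-global address changes with the active default route
!    and no NAT reconfiguration is needed at failover.
access-list 1 permit 192.168.1.0 0.0.0.255
route-map NAT-ISP-A permit 10
 match ip address 1
 match interface Serial0/0
route-map NAT-ISP-B permit 10
 match ip address 1
 match interface FastEthernet0/1
ip nat inside source route-map NAT-ISP-A interface Serial0/0 overload
ip nat inside source route-map NAT-ISP-B interface FastEthernet0/1 overload
!
! 5. Translations that already exist stay bound to the old inside-global
!    address until they age out, so flows active at the moment of failover
!    keep being sourced from the dead link. Flush the table on any state
!    change of the tracked object (needs EEM with the track event detector).
event manager applet NAT-FLUSH
 event track 1 state any
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "track 1 changed state, NAT translations flushed"
```

Check it with `show track 1`, `show ip sla monitor statistics 1` and `show ip nat translations` before and after unplugging the T1. Two caveats worth knowing: probing the far end of the /30 only detects the link itself, so if ISP A's upstream can fail while the T1 stays up, probe something further away and pin a static host route for that target out Serial0/0 so the probe is not affected by the default route flipping; and the IPsec peers behind this router will see their public address change at failover, which is exactly why the PIX dead-peer timers the poster mentions matter.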


