
Cisco 1800 and WAN Failover

Status
Not open for further replies.

beatdown

Technical User
Feb 27, 2005
85
US
Our company is using a Cisco 1841 router, and a Watchguard Firewall. We have a T1 line that connects to the Cisco 1841, and then the router is connected to the External interface of the firewall. The router config is very basic, just a default route...NAT is done in the firewall.

Due to ongoing issues with reliability of the local loop wiring, we are getting a second T1 line from a different (wireless) ISP. The wireless T1 is an ethernet connection, so it can be hooked up to an ethernet interface on the router.

My question is how can I set everything up for failover...so if the main T1 goes down, everything gets routed in/out the second T1 line.

Basically, I'm pretty confused about how all this will work, so any advice would be greatly appreciated.

Thanks!
 
Easy Failover: add a higher metric to the default route on the 2nd line (wireless)

ip route 0.0.0.0 0.0.0.0 (t1 interface) (other side of t1 interface)
ip route 0.0.0.0 0.0.0.0 (wireless int) 50
 
Thanks for your reply.

One thing I'm still confused about; would I need to do anything to the Ethernet interface on the router that is connected to the firewall? Right now, Interface E/0 has one of the public IP addresses from my block of 30, as does the External interface on the Firewall. Since the 2nd ISP will assign me a different block of IPs, will I need to assign the E0 interface a second IP, from the 2nd ISP's block?

I guess I don't understand how routing to/from the routers E0 Interface and the Firewalls External interface will work during failover. On the firewall you can only configure one default gateway address.

Thanks again for the help.
 
Yep, that is a problem. Since your firewall external Interface is assigned a public IP from ONE of your providers, you will always be sending packets with that Source IP. The public Internet will not have a return path for any packets you send with a destination address that isn't reachable because your T1 is down.

You need to move your NAT to the border router, so it can substitute its interface IP address as the source IP so it can return to the same interface it was sent from.


--jeff
 
Thanks Jeff, I see how this would work now.

Of course this leads to a couple other questions...

1) If I do NAT on the border router, can I still use the firewall...I need it for the application layer proxies and filters? I guess I'd just need to reconfigure it using only private IP's?

2) I have VPN links to branch offices that go from Firewall to Firewall, so does that mean I'd have to also run VPN from the router, since that's where NAT would be now? From what I understand NAT and VPN tunnels have to be on the same box?

3) I host an email server and a web server, so I'd need to make sure people on the internet could still get to these servers, after failing over to the other ISP and the associated IP block. A secondary MX record and DDNS will provide name resolution, but can I have two entries in NAT for each server...one entry associating the servers private IP with a public IP from the 1st ISP, and a second entry associating the servers private IP with a public IP from the 2nd ISP? Would this work?

Thanks again for the help!
 
This can get complicated. More info needed.
1) Do you have static IPs on all ISP connections at the main site and all branch offices?
2) Are the tunnels initiated by either end in each of the site to site tunnels or is only one of the endpoints responsible in any of them?
3) Are conditions such that you can do a manual switchover or is it so bad that it has to be automatic?
4) Do any of your applications have trouble with double NAT?
5) Are the other routers same as the main office?

--jeff
 
1) Yes, we have static IP's at all offices.
2) Tunnels can be initiated by either side.
3) We really want it to be automatic.
4) No
5) Some branch offices also have a Cisco 1841, but some have 2600 series routers. But upgrading all offices to an 1841 would not be a problem.

Thanks again for the help, it's very appreciated.
 
You're in pretty good shape then. I would try two independent IPSec tunnels to each of your WAN interfaces facing your two different ISPs from each remote site. Then run GRE tunnels over the IPSec tunnels and then you can OSPF or EIGRP to maintain your routing tables so your remote offices can choose which GRE tunnel to use. You might be able to do it with static routes but use a higher metric on your less preferred route.

--jeff
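Pulling together the floating default route from the first reply, the advice to move NAT onto the 1841, and the question about two NAT entries per server, here is an added example configuration that is not from this thread or from any poster. Interface names, the RFC 5737 documentation addresses, the ISP next hops and the 10.10.0.0/24 inside network are all assumed placeholders; the IP SLA tracker is added because a floating static route keyed only to the serial interface state will not fail over when the circuit is dead but the interface still shows up/up.

```cisco
! Assumed 1841 layout: ISP1 T1 on Serial0/0/0, ISP2 wireless Ethernet
! handoff on FastEthernet0/1, Watchguard external side on FastEthernet0/0.
! All addresses are constructed placeholders; replace with your own.
interface FastEthernet0/0
 description Inside: link to firewall external interface (now private)
 ip address 10.10.0.1 255.255.255.0
 ip nat inside
interface Serial0/0/0
 description ISP1 T1
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
interface FastEthernet0/1
 description ISP2 wireless Ethernet handoff
 ip address 198.51.100.2 255.255.255.248
 ip nat outside
!
! Probe ISP1's next hop so the primary route is withdrawn when the
! circuit is dead even if the serial interface still reports up/up.
ip sla 1
 icmp-echo 203.0.113.1 source-interface Serial0/0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Primary default route (AD 1) tied to the tracker; floating backup at AD 50.
ip route 0.0.0.0 0.0.0.0 Serial0/0/0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 198.51.100.1 50
!
! Outbound PAT: translate to whichever outside interface the packet leaves,
! so the source address is always routable back through the same ISP.
ip access-list standard LAN
 permit 10.10.0.0 0.0.0.255
route-map NAT-ISP1 permit 10
 match ip address LAN
 match interface Serial0/0/0
route-map NAT-ISP2 permit 10
 match ip address LAN
 match interface FastEthernet0/1
ip nat inside source route-map NAT-ISP1 interface Serial0/0/0 overload
ip nat inside source route-map NAT-ISP2 interface FastEthernet0/1 overload
!
! Two static mappings for one mail server, one public address per ISP block.
! "extendable" lets IOS keep both entries for the same inside address.
ip nat inside source static 10.10.0.25 203.0.113.10 route-map NAT-ISP1 extendable
ip nat inside source static 10.10.0.25 198.51.100.5 route-map NAT-ISP2 extendable
```

Check the tracker and translation state with `show track 1` and `show ip nat translations`; note that a switchover still drops established firewall-to-firewall VPN sessions and any inbound connections to the old ISP's block.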
 