Connecting 2 ISP on Cisco Router

dd2775 (IS-IT--Management), Nov 3, 2003
Hi,

We have the following
1) 2 different ISPs
2) 1 Cisco 2800 router with 2 FastEthernet ports
3) 2 Firewalls

The first ISP is used for VPN tunnels and the second ISP is used for browsing and other access. Now, if I connect both ISPs to the same Cisco, i.e. the 1st ISP to FE0/0 and the 2nd ISP to FE0/1, how can I route the traffic, i.e. all traffic coming from the 1st firewall, say 203.199.XXX.XXX, has to go out the 1st link, and all traffic coming from the 2nd firewall, say 210.212.XXX.XXX, has to go through the 2nd ISP link?

Can anyone help me out?

Thanks and Regards.
 
I don't think you need to---it would be the firewall's job to establish the connection, thus setting up the routing. They are used for 2 different things so you should be good as is.

Burt
 
Actually, why have the router in the first place? Won't your firewalls provide LAN connections as well?

Burt
 
Need to do some design...

With only 2 ethernet ports on the router, it's not immediately apparent how to connect what sounds like at least 3 distinct networks.
 
Exactly. Like I said, one firewall for one ISP, the other for the second ISP. The router with what you want is useless.

Burt
 
OK, so say he has a LAN switch with both firewalls patched to it.
If the firewalls are the only Routing devices on the LAN, (and assuming one of them is the DG for the LAN) then each firewall can have routes pointing at the other for specific subnets, depending on the policies hinted at by the OP.

What if the VPN traffic isn't tied to any specific subnets?

He will need some policy-based routing to route based on protocol.

Can his firewalls provide that? Very unlikely, so perhaps this is where the router can come in.

Not easy to give an opinion when so much more info needs to be collected and analysed before a design can be suggested.
 
The VPN subnet can be either in the same subnet as the LAN (one of them) so long as the pool is not NATted back out, or it can be a different subnet. If it is a different subnet, the firewall would already know how to route it since it would be directly connected. I am not clear on why the user would need policy based routing...
A Cisco ASA can do this without a problem.

Burt
 
Hi All,

I require the router since I have some systems which directly access the Internet and do not pass through the firewall.
I know that we can terminate the links on the firewall, but my network design is different.


 
Burt, I see you're assuming his ISP1 was for *incoming* VPN tunnels. I guess that must be what he means, but I always assume the worst.

There's still the matter of the routing by source address, though, which we need to talk him out of...

DD, write down your routing table (by destination), then draw your diagram of how everything physically connects. Things might become clearer.
 
Forget about which firewall the traffic is coming *from* - think about which subnets the traffic is going *to*.
Is that possible?

I mean - how do you route stuff to the firewalls in the first place?
 
I route the traffic from my layer 3. E.g. all HTTP traffic goes through ISP2 and all VPN tunnel traffic goes through ISP1.
 
If that is the exact information you are basing your routing decisions on, you will need policy-based routing.

Normally, you would route it by destination subnet.

You haven't answered the question: how do you route the traffic to the firewalls, from the LAN?
 
From the LAN I route traffic using my L3 switch.

E.g. I have 2 VLANs, say 192.168.1.X and a second 192.168.2.X. For the first VLAN I have defined the gateway IP of FW1, and for the second VLAN I have defined the gateway IP of FW2.

 
It's already been suggested that you connect the FW1 directly to ISP1 without using the router.

I suppose the router will have a 0.0.0.0 route pointing at ISP2.
Add in a route for the subnet(s) through ISP1 - do you know what they are?
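The two approaches the thread weighs, destination-based static routes (default out ISP2, the VPN peers out ISP1) and policy-based routing keyed on source address or, as an earlier reply suggests, on the VPN protocols themselves, shown side by side as an added Cisco IOS example. This is not configuration from the original thread or any poster. Everything in it is an assumption: RFC 5737 documentation addresses stand in for the poster's 203.199.x.x / 210.212.x.x space, the ISP next-hops and firewall outside addresses are placeholders, and the inside interface Fa1/0 is hypothetical; the poster's two-port router has no such third interface, which is exactly the objection raised above.

```cisco
! Added example, not from the thread. Assumed (hypothetical) topology:
!   Fa0/0 -> ISP1 (VPN link), next-hop 192.0.2.1
!   Fa0/1 -> ISP2 (browsing link), next-hop 198.51.100.1
!   Fa1/0 -> inside segment 203.0.113.0/24 holding both firewalls'
!            outside addresses and the hosts that bypass the firewalls
! All addresses are RFC 5737 documentation ranges used as placeholders.
!
interface FastEthernet0/0
 description To ISP1 (VPN link)
 ip address 192.0.2.2 255.255.255.252
!
interface FastEthernet0/1
 description To ISP2 (browsing link)
 ip address 198.51.100.2 255.255.255.252
!
interface FastEthernet1/0
 description Inside: FW1/FW2 outside interfaces and direct-access hosts
 ip address 203.0.113.1 255.255.255.0
 ip policy route-map SPLIT-ISP
!
! Plan A: destination-based routing, as the thread recommends.
! Everything defaults to ISP2; only the remote VPN peers go out ISP1.
! 192.0.2.200 is a placeholder for one remote VPN peer; add one route
! per peer (or per peer network) you actually know.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 192.0.2.200 255.255.255.255 192.0.2.1
!
! Plan B: policy-based routing on the inside interface, for the case the
! OP describes (select the ISP by which firewall the packet came from) and
! the case where VPN traffic is not tied to any source (match the protocols).
! Placeholders: 203.0.113.10 = FW1 outside, 203.0.113.20 = FW2 outside.
ip access-list standard FROM-FW1
 permit 203.0.113.10
ip access-list standard FROM-FW2
 permit 203.0.113.20
ip access-list extended VPN-PROTOCOLS
 permit esp any any
 permit udp any any eq 500
 permit udp any any eq 4500
!
! Track reachability of the ISP1 next-hop so the policy falls back to the
! routing table (Plan A) if the VPN link is down instead of blackholing.
ip sla 1
 icmp-echo 192.0.2.1 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
route-map SPLIT-ISP permit 10
 match ip address FROM-FW1
 set ip next-hop verify-availability 192.0.2.1 10 track 1
route-map SPLIT-ISP permit 15
 match ip address VPN-PROTOCOLS
 set ip next-hop verify-availability 192.0.2.1 10 track 1
route-map SPLIT-ISP permit 20
 match ip address FROM-FW2
 set ip next-hop 198.51.100.1
route-map SPLIT-ISP permit 30
 ! no match/set: direct-access hosts fall through to the routing table
```

Check hits with `show route-map SPLIT-ISP` (each sequence shows its policy-routing match count) and `show ip policy`; `debug ip policy` shows per-packet decisions on a test box. Two caveats a practitioner would want: `ip policy` on an interface only affects transit packets received on that interface, so traffic the router itself originates needs `ip local policy route-map` if it is to follow the same rules; and a plain `set ip next-hop` steers to the configured address whether or not the link is up, which is why the ISP1 clauses use `verify-availability` with a tracked SLA. Plan B is also the answer to the objection that one "should not" route by source: if FW1's outside address belongs to ISP1's block and FW2's to ISP2's, packets from either address sent out the other provider are liable to be dropped by that provider's source-address (BCP 38) ingress filtering, so the source does have to pick the link.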
 
Vince

"Burt, I see you're assuming his ISP1 was for *incoming* VPN tunnels. I guess that must be what he means, but I always assume the worst."

Yes---but I see what you meant as well. That is a very different way of doing things...of course one cannot have a router with only two interfaces with two incoming networks and one outgoing, like you said, "three distinct networks". Hence my assumption, as I figured the user knew this.

dd2775---normally, a user might put one firewall to handle all connections, or a router at the edge to handle both ISP connections, and then hand off both networks to a firewall. This can be done by handing the connections off to a firewall either by two egress ports or one, depending on whether or not the user wants the second link to be strictly backup (sometimes backup vpn links).

Cheers!

Burt
 