
Need Help with 2 T1's into 1721 Router into PIX Firewall!!!

Status
Not open for further replies.

peralesa (IS-IT--Management), Jun 16, 2005
I need some help with a network that I have inherited and requires some changing. At this time I now have 2 T1's coming to my site. I have put both circuits onto one 1721 router with 2 WIC cards. Each interface is configured for each ISP T1, and each has its own public block.

Right now from the 1721 router I can ping each of the ISP's remote IP addresses. My problem starts with the PIX. On the outside interface it is currently configured with a public IP from the first block of IPs from the first T1. That is being used to host internal clients and servers for internet access. The second block of public IPs is not even being used, and as far as I can tell the second T1 is not really being used either, because there are no translations for the second T1 on the PIX.

What I need to do is some reconfiguring for the router to use both T1's, and also for the PIX to use both T1's as well. How do I go about configuring my outside interface on the PIX to do this, and how do I finish configuring my router to support using both the T1's? Below is a link to my network diagram and my router config... Thanks in advance


Config below:

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname mclgrp
!
enable password XXXXXXXXX
!
clock timezone cst -6
clock summer-time cdt recurring
ip subnet-zero
!
!
ip name-server 151.164.85.201
ip name-server 151.164.1.8
ip name-server 151.164.20.201
!
!
!
!
!
interface FastEthernet0
description TO LOCAL LAN
ip address 68.88.99.137 255.255.255.248
speed auto
!
interface Serial0
description SBIS CKT 45.HCGM.006702..SUV/SBIS 1-888-212-5411
no ip address
encapsulation frame-relay IETF
fair-queue
service-module t1 timeslots 1-24
frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
ip address 151.164.86.86 255.255.255.252
frame-relay interface-dlci 16
!
interface Serial1
description SBIS CKT 45.HCGM.01097..SUV/SBCIS Tech Support:866-937-3664
no ip address
encapsulation frame-relay IETF
no fair-queue
service-module t1 timeslots 1-24
frame-relay lmi-type ansi
!
interface Serial1.657 point-to-point
ip address 151.164.86.182 255.255.255.252
frame-relay interface-dlci 657
!
ip classless
ip route 0.0.0.0 0.0.0.0 151.164.86.85
ip route 0.0.0.0 0.0.0.0 151.164.86.181
no ip http server
!
!
line con 0
password XXXXXXXXXX
login
line aux 0
transport input all
flowcontrol hardware
line vty 0 4
password XXXXXXXXXX
login
!
no scheduler allocate
sntp server 151.164.0.163
!
end
 
Are you using 2 different ISPs or same ISP? Cos the WAN IP blocks look like they're from the same ISP...

If same ISP, try MPPP and bond the 2 T1 together (provided that your ISP supports MPPP).

If different ISPs, then you need some tricks on both PIX and router:

Say Host 1 - 3 use ISP 1, Host 4 - 6 use ISP 2, and currently your PIX is doing NAT for Host 1 - 6...

On PIX: use ACL to define host 4 - 6 and set no NAT for them or NAT 0 or whatever

On Router: only set 1 default to ISP 1, and set NAT for host 4 - 6 using new public IP block from ISP 2. Then set policy-based routing so that:

route-map 2ISP permit 10
 match ip address <ACL for host 4 - 6>
 set ip next-hop <ISP 2 gateway>
route-map 2ISP permit 20
!
! the route-map only takes effect once it is applied to the LAN-facing
! interface, where the host 4 - 6 traffic enters the router
interface FastEthernet0
 ip policy route-map 2ISP

Host 4 - 6 will use ISP2 as next hop, while all other traffic will use ISP1, which you use the static default route to define.
 
To answer your questions -

Same ISP but different public network blocks, and I want to use one set, the 68.xxx.xxx.xxx, for my DMZ address translations, and the second set, the 70.xxx.xxx.xxx, for my inside network translations.

ISP will not support MPPP unless I reconfig my T1's on their side and that will cost me more money.

Ok, all that makes some sense, but now I have another question...

Can I change the IP addressing between the outside PIX interface and the inside router interface to a private IP? If so, will the router still know where to send requests for both the public blocks that are on my PIX?
 
You have two options with this.....
Enable Cisco Express Forwarding for load balancing (for which you already have the needed equal cost paths), or use multilink PPP and bond the two connections together, so long as your telco supports that. Should not need to do anything with the PIX, as the router controls how traffic is parsed out. PIX should just be set to use the 1721 as the default next hop.

See link for CEF


Make sure to monitor the CPU activity prior to and after any change of this nature to ensure the router can handle the modification:

"show process cpu history"

I would start with enabling CEF (router(config)# ip cef).
Monitor performance and then proceed from there.
 
So can I change the IP address of the outside interface of the PIX and make it a private address, and change my default route from my PIX to match the router's inside interface, and all should route correctly?
 
Hold up....need to re-think this.....
Does each one of the T1 connections have its own separate public IP block of 8, or are they sharing 68.88.99.136/29?
 
That is my problem: they are using separate public IP blocks, and I want to use both of them... the 68.xx.xx.xx block would be for my DMZ, which I have one-to-ones configured on my firewall for already. And the 70.xx.xx.xx I would like to use for my clients and everything else...

Andres
 
Refer back to Lament's post.... I think he has your answers.
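Putting Lament's design together with the address plan peralesa describes (the 68 block stays on the PIX for the DMZ one-to-ones, the second block is used by the router to translate the inside clients), the router-side configuration would look roughly as follows. This is an added example, not configuration posted by anyone in the thread. Addresses that appear in the posted config (the Fa0 address, the two ISP gateways) are reused; 192.168.1.0/24 is a constructed stand-in for the inside client network, 198.51.100.0/29 stands in for the poster's 70.xx.xx.xx block (the thread never gives the real prefix), and 68.88.99.138 is a placeholder for the PIX outside address, which the thread also does not state.

```cisco
! Added example, not from the thread. Placeholders are marked.
ip cef
!
! Inside clients that should leave through ISP 2 (constructed range).
! The PIX must pass these to the router untranslated (nat 0), so the
! router sees the private source addresses.
ip access-list extended ISP2-HOSTS
 permit ip 192.168.1.0 0.0.0.255 any
!
! Second public block, PLACEHOLDER for the poster's 70.xx.xx.xx /29.
! The router, not the PIX, translates the inside clients into it.
ip nat pool ISP2-POOL 198.51.100.1 198.51.100.6 netmask 255.255.255.248
ip nat inside source list ISP2-HOSTS pool ISP2-POOL overload
!
! Policy routing: matching hosts get ISP 2's gateway as next hop,
! sequence 20 lets everything else fall through to the normal table.
route-map 2ISP permit 10
 match ip address ISP2-HOSTS
 set ip next-hop 151.164.86.181
route-map 2ISP permit 20
!
interface FastEthernet0
 description TO LOCAL LAN
 ip address 68.88.99.137 255.255.255.248
 ip nat inside
 ip policy route-map 2ISP
!
interface Serial0.1 point-to-point
 ip nat outside
!
interface Serial1.657 point-to-point
 ip nat outside
!
! One default route only, toward ISP 1; the second default from the
! posted config is removed so PBR alone decides who uses ISP 2.
no ip route 0.0.0.0 0.0.0.0 151.164.86.181
ip route 0.0.0.0 0.0.0.0 151.164.86.85
!
! Return path: once the router un-translates a reply it must reach the
! private client network through the PIX outside address (PLACEHOLDER).
ip route 192.168.1.0 255.255.255.0 68.88.99.138
```

On the PIX 6.x side the matching piece is an identity NAT so the client network is not translated into the 68 block: access-list NONAT permit ip 192.168.1.0 255.255.255.0 any, followed by nat (inside) 0 access-list NONAT, while the existing DMZ statics in the 68 block are left alone. Two things to check before relying on this: IOS evaluates policy routing before NAT on inbound traffic, so the clients are steered to Serial1.657 and only then translated into the ISP 2 pool, which is what keeps source address and exit circuit aligned; and a plain set ip next-hop keeps sending to ISP 2's gateway even if that circuit is down, so watch the Serial1 interface state after the change (and the CPU history, as suggested above) rather than assuming the default route will pick up the slack.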
 