Two T1's one for incoming and one for outgoing tx

rocketlauncher

Programmer
Nov 11, 2000
110
US
Hi All,

Hope someone can help me with this one.

We have the following network configuration:

    ISP1 Router          ISP2 Router
         |                    |
    Cisco ASA 5510       Cisco PIX 506
         |                    |
         +---- Cisco Switch 3560 ----+

What we are trying to accomplish is to use ISP1 for all incoming traffic and ISP2 for all outgoing web traffic. The PIX and the ASA are on the same subnet as the 3560, and the Catalyst 3560 is the default gateway for all internal hosts; we would like to keep it that way if possible. Currently we don't care about load balancing.

So my question is, what would be the best way to accomplish this? I'm sure it's doable, I just haven't found the way to do it.

I thought it would just be a simple default route change on the 3560 pointing to the PIX 506, but I started analyzing some other aspects and I think we might encounter issues for our services that are available from outside, since they will be coming in through ISP1 and probably going out ISP2. Is this assumption correct?

Any documentation, tips are greatly appreciated.

Thanks a lot!

Rocket.
 
What traffic would be incoming if the sessions are not initiated on the inside?

Burt
 
It's not going to work like you think it will. When you have your traffic going outbound, all translations and connection information are going to be on one router/firewall, while all incoming traffic will not know where to go. Traffic taking one direction outbound, but a totally different direction inbound, is referred to as asynchronous routing and it is not so good. On top of all of that, trying to influence your providers' routing decisions is another story altogether.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Ok, I think I just misread your post. What you are saying is anything initiated from the inside (such as web traffic) can come and go via one connection, but anything that is initiated from the outside will come and go from a different connection?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
burtsbees/unclerico, thank you for your replies. I really appreciate it.

Here are the answers to both your inquiries.

burtsbees: Incoming traffic, which will be initiated from the outside, will be Webmail and VPN coming in through ISP1.

unclerico: Traffic that is initiated from inside going outbound, such as web traffic, would need to be routed through ISP2.

We pretty much want to use ISP1, to be dedicated for incoming VPN and Webmail traffic initiated from outside and ISP2 will be used for all outgoing traffic initiated from inside.

I'm not quite sure how traffic will flow though; that's where I have my doubts. But I believe incoming traffic should go out the way it came in, because of the routing principles, but again I'm not quite sure if this would be the case for VPN as well.

I read something about route map policies, but I'm not sure this is the way I should go.

Thanks again.

Rocket
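The flow Rocket is unsure about can be checked with a small model rather than on the production gear. The following Python simulation is an added example (not code from any poster, and not Cisco's software): it models the ASA on ISP1 and the PIX on ISP2 as stateful firewalls that only pass a packet when a matching connection exists, and the 3560 as the inside default gateway whose default route points at the PIX. It then shows what happens to the webmail server's reply to an outside-initiated session with and without a per-source policy route on the 3560 (the "route map policies" Rocket mentions). All addresses are constructed sample values from documentation ranges; the hostnames and the one-server static NAT are assumptions.

```python
"""Model of the two-ISP topology from the thread.

Shows why the reply to an outside-initiated session must leave through the
firewall that holds the connection state, and how a policy route on the
3560 keeps inbound-service replies on ISP1 while ordinary browsing uses ISP2.
Only the outside-initiated direction is tracked; that is the case the thread
asks about.  All addresses are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False   # True for the first packet of a session


@dataclass
class StatefulFirewall:
    """Edge firewall with a static NAT (public -> inside host) and a
    connection table.  A packet from the inside that is neither a new
    session nor a reply to a recorded session is dropped, as a PIX/ASA
    without a matching connection entry would do."""
    name: str
    outside_ip: str
    static_nat: dict = field(default_factory=dict)
    conns: set = field(default_factory=set)
    dropped: list = field(default_factory=list)

    def from_outside(self, pkt):
        inside = self.static_nat.get(pkt.dst)
        if inside is None or not pkt.syn:
            self.dropped.append((self.name, pkt))
            return None
        # record the session, then deliver the untranslated packet inside
        self.conns.add((inside, pkt.src, pkt.dport, pkt.sport))
        return Packet(pkt.src, inside, pkt.sport, pkt.dport, pkt.syn)

    def from_inside(self, pkt):
        if (pkt.src, pkt.dst, pkt.sport, pkt.dport) in self.conns:
            # reply to an outside-initiated session: restore the public address
            public = next(p for p, i in self.static_nat.items() if i == pkt.src)
            return Packet(public, pkt.dst, pkt.sport, pkt.dport)
        if pkt.syn:
            # inside-initiated session: PAT to this firewall's outside address
            return Packet(self.outside_ip, pkt.dst, pkt.sport, pkt.dport, True)
        self.dropped.append((self.name, pkt))
        return None


@dataclass
class L3Switch:
    """The 3560: default route to one firewall, optional per-source policy
    routes standing in for a route-map applied to the inside interface."""
    default_next_hop: StatefulFirewall
    policy_routes: dict = field(default_factory=dict)

    def forward(self, pkt):
        fw = self.policy_routes.get(pkt.src, self.default_next_hop)
        return fw, fw.from_inside(pkt)


def run(use_pbr):
    asa = StatefulFirewall("ASA-ISP1", "198.51.100.1",
                           {"198.51.100.10": "10.0.0.10"})   # webmail static NAT
    pix = StatefulFirewall("PIX-ISP2", "203.0.113.1")
    switch = L3Switch(default_next_hop=pix)              # default route -> ISP2
    if use_pbr:
        switch.policy_routes["10.0.0.10"] = asa          # webmail replies -> ISP1

    # 1. outside client opens a webmail session through ISP1
    syn = Packet("192.0.2.50", "198.51.100.10", 40000, 443, syn=True)
    inbound = asa.from_outside(syn)

    # 2. the server answers; its default gateway (the 3560) picks the next hop
    reply = Packet(inbound.dst, inbound.src, inbound.dport, inbound.sport)
    reply_fw, reply_out = switch.forward(reply)

    # 3. an inside user browses the web; this should always use ISP2
    web = Packet("10.0.0.20", "192.0.2.80", 50000, 80, syn=True)
    web_fw, web_out = switch.forward(web)

    return {
        "webmail_reply_via": reply_fw.name,
        "webmail_reply_delivered": reply_out is not None
                                   and reply_out.src == "198.51.100.10",
        "web_via": web_fw.name,
        "web_src": web_out.src if web_out else None,
        "drops": len(asa.dropped) + len(pix.dropped),
    }


if __name__ == "__main__":
    for pbr in (False, True):
        print("policy route:", pbr, run(pbr))
```

Without the policy route the webmail reply follows the default route into the PIX, which has no connection entry for it and drops it, so the outside client never gets an answer; with the policy route the reply returns through the ASA, which restores the public address, while the browsing session still leaves via the PIX on ISP2. The policy-route dictionary is a stand-in for matching the inbound-service hosts by source address on the 3560 and setting their next hop to the ASA; whether the real VPN traffic behaves the same depends on where the tunnel terminates, which the model does not cover.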
 
You won't have to have any kind of special config in this case---traffic initiated from the outside will use the IP address of the incoming traffic interface, and hosts that answer the requests that are incoming will already know how to get back to the source. Traffic initiated from the inside simply needs the default route pointing to the other interface. I do think, however, that both should be separate networks.

Burt
 
Let me expand on the two separate networks...

It would still work with both in the same subnet, but you are really asking for trouble if you do that! Any user that could hijack a session from one that is initiated on the inside could easily hop to the other interface and ride inside the tunnel to the remote network that initiates the VPN. That's just one example. IP spoofing, MAC spoofing, rerouting attacks---the list goes on. HUGE security risk. You should have the firewalls on the edge of the network facing the WAN, but it looks like you need the routers there for the interfaces, i.e. T1 interface (guessing).

Burt
 