Great Circle Associates Firewalls
(July 1997)
 


Subject: Re: Two ISP's to one DMZ
From: mikech @ avana . net
Date: Mon, 7 Jul 1997 14:18:44 -0500
To: "Mark Horn [ Net Ops ]" <mhorn @ funb . com>, Paul Ferguson <pferguso @ cisco . com>
Cc: firewalls @ GreatCircle . COM, marc @ sniff . ct-net . de
References: <3 . 0 . 3 . 32 . 19970706100857 . 006d037c @ lint . cisco . com> <3 . 0 . 3 . 32 . 19970706230215 . 006b6378 @ lint . cisco . com> <19970707095116 . 62717 @ capmark . funb . com>


------------------------
  From: "Mark Horn [ Net Ops ]" <mhorn @ funb . com>
  Subject: Re: Two ISP's to one DMZ
  Date: Mon, 7 Jul 1997 09:51:16 -0400
  To: Paul Ferguson <pferguso @ cisco . com>
  Cc: marc @ sniff . ct-net . de, firewalls @ GreatCircle . COM


<Snip!>
> 
> Is BGP the only answer?  We have several ISP's providing service to us.
> We have our own NIC assigned address block, and a NIC assigned AS number.
> We've been trying (for several months) to set up BGP routing between all
> of our providers.  But we've run into trouble.
> 
> One of the providers doesn't want to set up peering with us.  Their claim
> is that you can have redundant ISP's through other methods than setting up
> BGP peering.  When pressed, they've been conspicuously quiet about what
> these other methods are.
> 
> Is there another way to set up redundancy between two ISP's without doing
> BGP peering?
<Snip!>

---------------End of Original Message-----------------

How about this?


                           ________  en1 ______ISP1 with preference of 10
  Internal LAN_______ en0 |Firewall| 
  192.168.X.X             |  NAT   | en2 ______ISP2 with preference of 20
                           --------       
                                     en3 and so on...  with preference of X

Each interface has its own preference so if one drops, another is used for 
outbound service. For inbound service, each interface is remapped with NAT to 
a different IP:

	en1
	192.168.0.3 <-> 108.10.2.4
	192.168.0.4 <-> 108.10.2.5

	en2
	192.168.0.3 <-> 205.245.133.8
	192.168.0.4 <-> 205.245.133.9

	en3
	192.168.0.3 <-> 166.79.10.2
	192.168.0.4 <-> 166.79.10.3

	and so on...	 

If one interface fails or the ISP goes down, you just use dynamic DNS to remap 
the domains to a new IP.

www.domain.com was 108.10.2.4, it now is 205.245.133.8
mail.domain.com was 108.10.2.5, it now is 205.245.133.9

If everything is working correctly, you should be able to reach the web server 
at 108.10.2.4 or 205.245.133.8 or 166.79.10.3 all at the same time.
	
I just wanted to expand upon my previous posting as there was some confusion. 
We have this working at many customer sites. We also have customers using this 
with a backup ISDN link. You can still reach their web and mail servers even 
if all their T1s go down.

Mike
--
14:18:44
07/07/97
_______________________________________________________________________
Michael W. Chalkley                                Tel: +1.770.772.4567
ZapNet! Inc.                                       Fax: +1.770.475.7640
Suite 400-120                                E-mail: mikech @ iproute . com
10945 State Bridge Road                                mikech @ avana . net
Alpharetta, GA 30202                             http://www.iproute.com
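
The failover described in the message above, as an added example that is not part of the original post: it checks the per-interface NAT tables for gaps and works out which records a dynamic DNS update has to change when a link drops. Addresses, interface names and the preferences 10 and 20 come from the post; en3's preference of 30, the table layout and all function names are assumptions.

```python
# Added illustration, not code from the post. Addresses, interface names and
# the preferences 10/20 are from the post; en3's preference (30), the table
# layout and all function names are assumptions.

PREFERENCE = {"en1": 10, "en2": 20, "en3": 30}  # lower value is preferred

NAT = {  # per-interface static NAT: internal address -> public address
    "en1": {"192.168.0.3": "108.10.2.4", "192.168.0.4": "108.10.2.5"},
    "en2": {"192.168.0.3": "205.245.133.8", "192.168.0.4": "205.245.133.9"},
    "en3": {"192.168.0.3": "166.79.10.2", "192.168.0.4": "166.79.10.3"},
}

HOSTS = {"www.domain.com": "192.168.0.3", "mail.domain.com": "192.168.0.4"}


def check_tables():
    """Return a list of problems that would break failover."""
    problems = []
    seen = {}  # public address -> interface it was first seen on
    for ifname, table in NAT.items():
        for name, inside in HOSTS.items():
            if inside not in table:
                problems.append(f"{name} has no mapping on {ifname}")
        for public in table.values():
            if public in seen:
                problems.append(f"{public} used on {seen[public]} and {ifname}")
            seen[public] = ifname
    return problems


def active_link(up):
    """Pick the usable interface with the lowest preference, or None."""
    candidates = [i for i in up if i in NAT]
    return min(candidates, key=PREFERENCE.get) if candidates else None


def records(up):
    """A records to publish for the set of links that are currently up."""
    link = active_link(up)
    return {} if link is None else {n: NAT[link][a] for n, a in HOSTS.items()}


def dns_updates(up_before, up_after):
    """(name, old, new) tuples to send as dynamic DNS updates."""
    old, new = records(up_before), records(up_after)
    return [(n, old.get(n), new.get(n)) for n in HOSTS if old.get(n) != new.get(n)]


if __name__ == "__main__":
    print(check_tables())
    for change in dns_updates({"en1", "en2", "en3"}, {"en2", "en3"}):
        print(change)
```

The TTL on the published records bounds how long resolvers keep handing out the failed link's address after the update.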


