For the layout depicted in the following diagram, we will make the
config changes as noted. It has a few assumptions that make it a bit
interesting:
    conf t
     route inside 10.33.0.0 255.255.0.0 10.33.16.14
    end

Where:
To Trunk or not to Trunk:

A normal (untagged) interface would look like the following:

    int Gi0/3
     des office networks
     nameif inside
     security-level 90
     ip address 10.33.16.1 255.255.255.240 standby 10.33.16.2
     no shut
    !

The same interface over a tagged (802.1Q trunk) network would look as such, with VLAN 16 terminated on a subinterface of Gi0/3:
    int Gi0/3.16
     des office networks
     vlan 16
     nameif inside
     security-level 90
     ip address 10.33.16.1 255.255.255.240 standby 10.33.16.2
     no shut
    !

Note that the physical Gi0/3 still has to be enabled ("no shut") for the subinterface to come up; it carries no nameif or IP address of its own.

Routing:

Routing is a bit tricky, as we have two different public networks to connect to inbound, and two routes outbound. Normally we would use BGP with dual providers, and then routing would be a snap, since we would keep one set of IPs and advertise them out either route. This technique is a bit more hackery, but will work the same (ish).

Inbound Routing:

We have two internal servers (10.33.128.10-11) that need to be reachable from the outside. The base config above takes care of the routing, and the internal NAT/PAT config takes care of the nat statements (translating the public IPs to the private ones). The other challenge is the fact that you now have two public IPs for each server, since we have two carriers and each provides us a different address block. To get traffic to the servers, we need some kind of global load balancing, where DNS sends traffic through the primary WAN link or, if it goes down, through the secondary link. Two caveats with a DNS-based switch: it is only as fast as the record TTL and the resolver caches that honor it, and established inbound sessions to the primary address do not survive the switch, because the secondary path uses different public IPs.

Outbound Routing:

Outbound routing is a bit tricky, as there are two paths and knowing which links are up is difficult. If the interface is up on the firewall, by default it assumes that the routes pointing out that interface are up and good as well, even when the carrier's gateway or its upstream is down. To get around this problem, we use the "sla monitor" process, which actively probes an IP (local or remote); when the probe fails, the tracked route is withdrawn and the next default route (higher metric) takes over. Keep in mind that probing the directly attached gateway, as below, only detects a dead link or gateway; an upstream outage at the carrier leaves the gateway answering and the track up.

    !
    route dmz1 0.0.0.0 0.0.0.0 32.41.23.9 1 track 1
    route dmz2 0.0.0.0 0.0.0.0 69.39.78.249 100
    !
    sla monitor 7
     type echo protocol ipIcmpEcho 32.41.23.9 interface dmz1
     num-packets 3
     frequency 10
    sla monitor schedule 7 life forever start-time now
    track 1 rtr 7 reachability
    !

Where:
Outbound PAT will still be needed to get the traffic through the firewall, and that is explained below.
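A consolidated version of the outbound-failover piece, as an added example rather than config from the original post. It assumes ASA-style syntax, the dmz1/dmz2 interface names and the two gateway addresses used above, and it invents the physical interfaces Gi0/1 and Gi0/2, their /29 addressing with standby addresses (to match the active/standby pair implied by the inside interface), and a far-side probe target 198.51.100.1 (a TEST-NET-2 documentation address standing in for an address the primary carrier actually forwards to and that answers ICMP). It goes one step beyond the text by probing that far-side address instead of only the attached gateway, so an upstream outage at the primary carrier also triggers failover, and it pins the probe to dmz1 with a host route so the probe keeps leaving via the primary link after the tracked default has been withdrawn.

```cisco
! Added example: dual-WAN outbound failover on an ASA. Assumptions noted inline.
!
! Primary carrier link. Physical interface and /29 addressing are assumed;
! the standby address is for the active/standby pair.
interface GigabitEthernet0/1
 description primary carrier
 nameif dmz1
 security-level 0
 ip address 32.41.23.10 255.255.255.248 standby 32.41.23.11
 no shutdown
!
! Secondary carrier link. Addressing assumed.
interface GigabitEthernet0/2
 description secondary carrier
 nameif dmz2
 security-level 0
 ip address 69.39.78.250 255.255.255.248 standby 69.39.78.251
 no shutdown
!
! Default routes: the primary (metric 1) is installed only while track 1 is
! up; the secondary (metric 100) is always present as the fallback.
route dmz1 0.0.0.0 0.0.0.0 32.41.23.9 1 track 1
route dmz2 0.0.0.0 0.0.0.0 69.39.78.249 100
!
! Pin the probe target to dmz1. Without this, once the tracked default is
! withdrawn the probe would follow the new default out dmz2, succeed, and
! re-install the dmz1 route, so the tracked route would flap.
! 198.51.100.1 is an assumed placeholder for a reliable far-side address.
route dmz1 198.51.100.1 255.255.255.255 32.41.23.9 1
!
! Probe the far-side address through dmz1 rather than the gateway itself, so
! a carrier upstream failure (link up, gateway answering, no transit) also
! fails the track. timeout/threshold are in milliseconds; three echoes every
! 10 seconds, so a dead path is noticed within roughly one probe cycle.
sla monitor 7
 type echo protocol ipIcmpEcho 198.51.100.1 interface dmz1
 num-packets 3
 frequency 10
 timeout 3000
 threshold 3000
sla monitor schedule 7 life forever start-time now
track 1 rtr 7 reachability
!
```

Pick a probe target you control or that the provider commits to answering; a third-party host that starts dropping ICMP will fail the track and swing all outbound traffic to the secondary link, with the different public source addresses and session loss that implies. Check the state with "show sla monitor operational-state 7", "show track 1" and "show route", and watch "show route" after pulling the primary cable to confirm the dmz1 default disappears and the dmz2 one carries the traffic.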