You don't want to get into double NAT if you can at all avoid it.  Either
NAT on the router or on the PIX, but don't do both.

You said in your original post that you didn't want to do redundancy, but
in this post you talk about making the server available on either link.
Redundancy is a bit harder to achieve than simply making two links work.
As Kent said earlier, you could have the PIX perform as a firewall, but not
do NAT.  The router could then handle NAT and PBR to send traffic down the
appropriate pipe.  You could then set up DNS to have ftp.company.com resolve
to the ISP A address (T1) and ftp1.company.com resolve to the ISP B address
(DSL).  In the event of failure, you could instruct clients to try
ftp.company.com first and, if it's ever not available, to try
ftp1.company.com.


At 04:41 PM 6/12/2002 -0400, you wrote:
>Will my router know the origin address of traffic even if my PIX sits
>between?  Meaning, will the PIX preserve the origin address?  Maybe I can do
>one-to-one NAT on the PIX and then do NAT for the public address on the
>router?  If one ISP goes down, I can reconfigure my router and PIX to use
>just one link.  I will also have to tell my FTP users that the FTP server
>has a new IP address, assuming the T1 went down.  But actually I would need
>more than just two public addresses to make the FTP server available from
>outside.
>
>Or should I just do an IOS Firewall and bag the 506?  It's not a heavy
>traffic environment.
>
>I also need to have my users and servers on the same subnet; some
>workstations and all servers will have gigabit NICs for fast transfer
>between imaging workstations and the FTP server.
>
>
>"Craig Columbus" wrote in message news:[EMAIL PROTECTED]...
> > I deal with this type of thing all the time since almost all of my
> > clients are small businesses.  The usual reason the small customer wants
> > two connections is because they've gone with the least-cost ISP in the
> > past and have been burned by extended outages (anyone remember Bluestar?).
> >
> > You only need BGP if each of your providers is advertising the same net
> > block.  If the servers are only using the T1, the clients are only using
> > the DSL connection, and there is no load balance or failover, then
> > there's no point in BGP.  Each ISP is going to route the public IP
> > addresses they assigned to you to the 2621.  Policy routing would then
> > dictate traffic flow.  For example, you could assign all traffic with
> > origin 172.16.1.0/24 an IP next hop of ISP A, and all traffic with origin
> > 172.16.2.0/24 an IP next hop of ISP B.
> >
> > At 03:11 PM 6/12/2002 -0400, you wrote:
> > >No on the traffic utilization graphing.  The customer just wants to have
> > >two completely unrelated circuits to the Internet.
> > >
> > >I wouldn't need BGP if I was making one of their servers (FTP) available
> > >to the outside world?
> > >
> > >-----Original Message-----
> > >From: Craig Columbus [mailto:[EMAIL PROTECTED]]
> > >Sent: Wednesday, June 12, 2002 3:11 PM
> > >To: Wayne Jang
> > >Cc: [EMAIL PROTECTED]
> > >Subject: Re: Pix don't route [7:46356]
> > >
> > >
> > >You can't do it with the equipment you originally mentioned.  You could,
> > >however, put in two PIX 506, one on each ethernet interface of the 2621,
> > >and use policy routing on the 2621 to handle the traffic to the two
> > >providers.  Not the most elegant solution, but it would work.  I see no
> > >reason to bring BGP into this.
> > >Do you really need two circuits?  Have you graphed traffic to establish
> > >utilization metrics to verify whether a single T1 will suffice?
> > >
> > >At 02:30 PM 6/12/2002 -0400, you wrote:
> > > >I guess I have to plan on using BGP.  But can I get away without using
> > > >BGP?  I did plan on bringing both DSL and T1 into the 2621; I meant to
> > > >say that the PIX is behind (on the inside).
> > > >
> > > >Thanks
> > > >
> > > >"Alex Lei" wrote in message news:[EMAIL PROTECTED]...
> > > > > Wayne,
> > > > >
> > > > > Why not use the router to terminate the links, and put the PIX
> > > > > behind the router? The PIX will inspect the traffic, and the router
> > > > > can send traffic to different links depending on where it
> > > > > originated from. Usually a 515 may be a better solution because it
> > > > > has a DMZ interface where the server can sit, but I guess there is
> > > > > a cost concern.
> > > > >
> > > > > Alex
> > > > >
> > > > > Wayne Jang wrote:
> > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > The PIX doesn't route, but can I do this?
> > > > > >
> > > > > > I have a 2-server, 20-user small office.
> > > > > >
> > > > > > I have a PIX 506 sitting in front of a 2621 with a T1 and a DSL
> > > > > > link to the Internet.  I'm not looking to load balance or even do
> > > > > > redundancy.  I just want traffic from the servers to use the T1
> > > > > > and I want traffic from the users to use DSL.  I could use
> > > > > > access-lists on the 2621 to direct the traffic based on source
> > > > > > address, but how will the 2621 know where the traffic came from?
> > > > > > Won't all traffic have a source address of the PIX outside
> > > > > > interface?  What if I NAT the servers (on the PIX) so that they
> > > > > > will appear to have a different source IP than the users, who will
> > > > > > be behind the global outside address?  I'll need more public
> > > > > > addresses, but that would be fine.
> > > > > >
> > > > > > I can't get any help from Cisco Pre-Sales because they aren't
> > > > > > sure.  I can't get an engineer that knows more than me (not much).
> > > > > >
> > > > > > My fallback plan is to only use the 2621 and have the IOS
> > > > > > Firewall.  But I would rather use the PIX, especially because we
> > > > > > have already quoted the above solution and are working to save
> > > > > > face.
> > > > > >
> > > > > > Thanks
> > > > > >
> > > > > > --
> > > > > > Wayne Jang
> > > > > > Advanced Computer Technologies, Inc.
> > > > > > 108 Main Street
> > > > > > Norwalk, CT 06851
> > > > > > Wk 203-847-9433
> > > > > > Cell 203-943-6603
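The "PIX as firewall only, router does NAT plus PBR" design from the top of this thread, written out as a config sketch. This is an added example, not configuration posted by anyone in the thread. It assumes a PIX 506 on 6.x and a 2621 on IOS, RFC 5737 documentation space for the providers (ISP A T1 link 198.51.100.0/30 on Serial0/0 with ISP A routing 198.51.100.8/29 to the router for the servers; ISP B DSL link 203.0.113.0/30 on FastEthernet0/1), a 172.16.0.0/30 transit net between FastEthernet0/0 and the PIX outside interface, and a single 172.16.1.0/24 LAN behind the PIX with the FTP server at .10, the second server at .11 and the users elsewhere in that /24. Every interface name, address and ACL/route-map name is an assumption.

```cisco
! ===== 2621 (IOS): terminates both ISPs, does all NAT and the policy routing =====
! Addresses are assumptions (RFC 5737 documentation space for the ISPs).
!
interface FastEthernet0/0
 description Transit net to PIX outside (PIX passes inside addresses through unchanged)
 ip address 172.16.0.1 255.255.255.252
 ip nat inside
 ip policy route-map PBR-SPLIT
!
interface Serial0/0
 description ISP A - T1 (servers)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 description ISP B - DSL (users)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! The LAN sits behind the PIX, so the router needs a route to it via the PIX outside address.
ip route 172.16.1.0 255.255.255.0 172.16.0.2
! Default for anything PBR does not touch (router-originated traffic, non-matching sources).
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Source-based classification. PBR runs on the packet before NAT, so these match
! the real inside addresses; that only works because the PIX is not translating.
ip access-list extended SERVERS
 permit ip host 172.16.1.10 any
 permit ip host 172.16.1.11 any
ip access-list extended USERS
 permit ip 172.16.1.0 0.0.0.255 any
!
! Sequence 10 is evaluated first, so the servers never fall through to the user entry.
route-map PBR-SPLIT permit 10
 match ip address SERVERS
 set ip next-hop 198.51.100.1
route-map PBR-SPLIT permit 20
 match ip address USERS
 set ip next-hop 203.0.113.1
!
! NAT is keyed on the exit interface so each flow is translated into the block
! of the ISP it actually leaves through; otherwise one ISP would see packets
! sourced from the other provider's address space.
route-map NAT-ISPA permit 10
 match ip address SERVERS
 match interface Serial0/0
route-map NAT-ISPB permit 10
 match ip address USERS
 match interface FastEthernet0/1
!
! The FTP server gets a fixed public address out of ISP A's /29 so ftp.company.com
! can point at it; the static entry takes precedence over the dynamic pools.
ip nat inside source static 172.16.1.10 198.51.100.10
ip nat inside source route-map NAT-ISPA interface Serial0/0 overload
ip nat inside source route-map NAT-ISPB interface FastEthernet0/1 overload
! Publishing the same server on a DSL address too (the ftp1.company.com idea above)
! needs a second, route-map-qualified static translation; it is deliberately not shown.

! ===== PIX 506 (6.x): firewall only, no translation =====
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 172.16.0.2 255.255.255.252
ip address inside 172.16.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 172.16.0.1 1
! nat 0 passes inside addresses through untranslated; the identity static lets
! inbound FTP connections reach the server through the outside access-list.
nat (inside) 0 0.0.0.0 0.0.0.0
static (inside,outside) 172.16.1.10 172.16.1.10 netmask 255.255.255.255
! Only the FTP control port is opened inbound; the default "fixup protocol ftp 21"
! takes care of the data channel for active and passive transfers.
access-list OUTSIDE_IN permit tcp any host 172.16.1.10 eq ftp
access-group OUTSIDE_IN in interface outside
```

Two things to check once this is in: `show route-map PBR-SPLIT` should show both sequences accumulating matches as server and user traffic flows, and `show ip nat translations` should show the server's flows translated to 198.51.100.x and the users' flows to the Fa0/1 address. The caveat the thread keeps circling back to still applies: this gives you two working links, not redundancy. If ISP B's next hop goes dark, sequence 20 keeps forwarding user traffic into the dead link unless the next hop is qualified with `verify-availability` (and the DSL-facing static is hand-edited), which is exactly the "reconfigure the router and PIX" step described above rather than automatic failover.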

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46371&t=46356
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
