Policy Based Routing example: route one subnet via ISP A and another via ISP B

Goal

Set up a network with a Cisco router that routes one local subnet via internet connection A and another local subnet via internet connection B.

In this example we’ll use one LAN side, which has two subnets:

  • 192.168.1.0/24
  • 192.168.2.0/24

We want traffic destined for the internet, originating from the 192.168.1.0/24 network, to be sent to ISP A, which is connected to FastEthernet0.

We want traffic destined for the internet, originating from the 192.168.2.0/24 network, to be sent to ISP B, which is connected to FastEthernet1.

Both internet connections get their IP address via DHCP.

Prerequisites

For this configuration you’ll need:

  • One dual WAN router, such as a 1811
  • Two internet connections (or simulated ones)
  • 2 nodes, one for the 192.168.1.0/24 subnet and one for the 192.168.2.0/24 subnet. These can be two different computers, or two virtual machines, etc…
    • ClientA, Windows 7, will connect to 192.168.1.0/24 and surf the net using ISP A
    • ClientB, Windows XP, will connect to 192.168.2.0/24 and surf the net using ISP B

Configure the router

Let’s start by defining our WAN interfaces, which are FastEthernet0 and FastEthernet1 on a Cisco 1811. Ports FastEthernet2 to 9 are the integrated switch. Both WAN interfaces use DHCP to obtain an IP address.

Setting up the WAN interfaces

r3(config)#interface FastEthernet0
r3(config-if)#ip address dhcp
r3(config-if)#ip nat outside
r3(config-if)#no shutdown
r3(config-if)#interface FastEthernet1
r3(config-if)#ip address dhcp
r3(config-if)#ip nat outside
r3(config-if)#no shutdown
r3(config-if)#exit
r3(config)#

Verifying WAN operation

We can verify our WAN connection by running the following commands and observing their output.

! Display a list of interfaces and their IPv4 addresses
r3#show ip interface brief
Interface     IP-Address    OK? Method Status                Protocol
Async1        unassigned    YES unset  down                  down
FastEthernet0 213.193.228.1 YES DHCP   up                    up
FastEthernet1 88.9.5.1      YES DHCP   up                    up
FastEthernet2 unassigned    YES unset  up                    up
FastEthernet3 unassigned    YES unset  up                    down
FastEthernet4 unassigned    YES unset  up                    down
FastEthernet5 unassigned    YES unset  up                    down
FastEthernet6 unassigned    YES unset  up                    down
FastEthernet7 unassigned    YES unset  up                    down
FastEthernet8 unassigned    YES unset  up                    down
FastEthernet9 unassigned    YES unset  up                    down
NVI0          unassigned    YES unset  administratively down down
Vlan1         192.168.1.254 YES NVRAM  up                    up
r3#! Display IPv4 routes
r3#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 213.193.228.254 to network 0.0.0.0

S*    0.0.0.0/0 [254/0] via 213.193.228.254
                [254/0] via 88.9.5.254
      88.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        88.9.5.0/24 is directly connected, FastEthernet1
L        88.9.5.1/32 is directly connected, FastEthernet1
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Vlan1
L        192.168.1.254/32 is directly connected, Vlan1
      192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.2.0/24 is directly connected, Vlan1
L        192.168.2.254/32 is directly connected, Vlan1
      213.193.228.0/24 is variably subnetted, 2 subnets, 2 masks
C        213.193.228.0/24 is directly connected, FastEthernet0
L        213.193.228.1/32 is directly connected, FastEthernet0
r3#! Ping ISP A's gateway
r3#ping 213.193.228.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 213.193.228.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r3#! Ping ISP B's gateway 
r3#ping 88.9.5.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 88.9.5.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
r3#! Ping known-to-reply-to-ping address on the internet 
r3#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/21/24 ms
r3#

Setting up the local network

We’re going to keep this simple. As described, we have two internal IP ranges, so we’ll assign Vlan1 an IP address in each of them. This setup is of little use in the real world, where you would probably have two VLANs; it is only a theory-of-operations exercise, so we’ll configure the computers connecting to the router manually.

r3(config)#interface Vlan1
r3(config-if)#ip address 192.168.1.254 255.255.255.0
r3(config-if)#ip address 192.168.2.254 255.255.255.0 secondary
r3(config-if)#ip nat inside
r3(config-if)#no shutdown
r3(config-if)#exit
r3(config)#

Verifying local network operation

Once we’ve configured the Vlan1 interface, we can check again with show ip interface that we have correctly configured the respective interface:

r3#show ip interface Vlan1

Now we configure our client machines. We will statically configure:

  • ClientA with IP address 192.168.1.5
  • ClientB with IP address 192.168.2.5

After applying the network configuration, verify that we can ping the router.

Configuring NAT

We configure two access-lists:

  • One for the 192.168.1.0/24 subnet, which should get translated to FastEthernet0’s IP address
  • One for the 192.168.2.0/24 subnet, which should get translated to FastEthernet1’s IP address

r3(config)#ip access-list standard 1
r3(config-std-nacl)#permit 192.168.1.0 0.0.0.255
r3(config-std-nacl)#exit
r3(config)#ip access-list standard 2
r3(config-std-nacl)#permit 192.168.2.0 0.0.0.255
r3(config-std-nacl)#exit
r3(config)#
r3(config)#ip nat inside source list 1 interface FastEthernet0 overload
r3(config)#ip nat inside source list 2 interface FastEthernet1 overload
r3(config)#

What we’re telling the router here is that, when a packet’s source address gets translated, it should get the address of the specified interface. Thus, when packets from 192.168.1.0/24 get NAT’ed, they get the source IP of FastEthernet0. When packets from 192.168.2.0/24 get NAT’ed, they get the source IP of FastEthernet1.

Having the correct source address doesn’t mean the packets automatically leave via the right interface. We need to explicitly define that packets for the internet from 192.168.1.0/24 must go via FastEthernet0 and those from 192.168.2.0/24 via FastEthernet1. We do this with a route map.

Building the route-map

Using a route-map we can build policy based routing. A route map can have several entries, and each entry can have any number of match and set statements. If an entry doesn’t match, the router continues evaluating the route map until it finds an entry that does. When the router finds an entry that does match, it does whatever the set statements of that entry say it should do.

Matching

The match statements describe on which traffic we should act. In this scenario we have two distinct types of traffic: that for ISP A and that for ISP B. So we’ll need to define two route map entries: one matching the traffic destined for ISP A and one matching the traffic destined for ISP B.

We will do the matching with an access-list. We have two different subnets we want to match, 192.168.1.0/24 and 192.168.2.0/24. But, if you remember correctly, we already have two access-lists matching those exact subnets (ip access-list 1 & 2). So we’re going to re-use those.

Setting

The set statements describe what should happen on the traffic that matches. Again, we have two distinct types of traffic, that for ISP A and that for ISP B. When we’ve correctly matched the traffic we want, we have to set something, namely, what to do with it. The first route-map entry (matching traffic for ISP A) should make the router send the traffic to FastEthernet0. The second entry (matching traffic for ISP B) should make the router send the traffic to FastEthernet1.

Show me the money

We will call our route-map “ISPSelect” (IOS calls this name a tag).

! Create the first entry in our new route-map called "ISPSelect"
r3(config)#route-map ISPSelect permit 10
! Match the traffic from 192.168.1.0/24 with access-list 1
r3(config-route-map)#match ip address 1
! Set the interface the traffic should go to, to FastEthernet0
r3(config-route-map)#set interface FastEthernet0
r3(config-route-map)#exit

! Create the second entry in our route-map called "ISPSelect"
r3(config)#route-map ISPSelect permit 20
! Match the traffic from 192.168.2.0/24 with access-list 2
r3(config-route-map)#match ip address 2
! Set the interface the traffic should go to, to FastEthernet1
r3(config-route-map)#set interface FastEthernet1
r3(config-route-map)#exit
r3(config)#

Verifying route-map configuration

r3#show route-map ISPSelect
route-map ISPSelect, permit, sequence 10
 Match clauses:
 ip address (access-lists): 1
 Set clauses:
 interface FastEthernet0
 Policy routing matches: 0 packets, 0 bytes
route-map ISPSelect, permit, sequence 20
 Match clauses:
 ip address (access-lists): 2
 Set clauses:
 interface FastEthernet1
 Policy routing matches: 0 packets, 0 bytes
r3#

Applying the route-map

Now where do we apply this route-map? Let’s take the following rule into account:

Packets are first routed, then NAT’ed.

Since we’re talking about a route-map, the route-map influences what happens when the router routes the packets. So we have to apply this map to the interface where the packets are coming in. In this case, this is Vlan1. Using the ip policy route-map statement in the interface configuration, we can define which route-map we want to use there:

r3(config)#interface Vlan 1
r3(config-if)#ip policy route-map ISPSelect
r3(config-if)#exit
r3(config)#

Verifying route-map application

r3#show ip interface Vlan 1
Vlan1 is up, line protocol is up
 Internet address is 192.168.1.254/24
 Broadcast address is 255.255.255.255
 Address determined by non-volatile memory
 MTU is 1500 bytes
 Helper address is not set
 Directed broadcast forwarding is disabled
 Secondary address 192.168.2.254/24
 Outgoing access list is not set
 Inbound access list is not set
 Proxy ARP is disabled
 Local Proxy ARP is disabled
 Security level is default
 Split horizon is enabled
 ICMP redirects are always sent
 ICMP unreachables are always sent
 ICMP mask replies are never sent
 IP fast switching is enabled
 IP fast switching on the same interface is disabled
 IP Flow switching is disabled
 IP CEF switching is enabled
 IP CEF switching turbo vector
 IP Null turbo vector
 IP multicast fast switching is enabled
 IP multicast distributed fast switching is disabled
 IP route-cache flags are Fast, CEF
 Router Discovery is disabled
 IP output packet accounting is disabled
 IP access violation accounting is disabled
 TCP/IP header compression is disabled
 RTP/IP header compression is disabled
 Policy routing is enabled, using route map ISPSelect
 Network address translation is enabled, interface in domain inside
 BGP Policy Mapping is disabled
 Input features: Stateful Inspection, Virtual Fragment Reassembly, Virtual Fragment Reassembly After IPSec Decryption, Policy Routing, MCI Check
 Output features: NAT Inside, Stateful Inspection, NAT ALG proxy
 WCCP Redirect outbound is disabled
 WCCP Redirect inbound is disabled
 WCCP Redirect exclude is disabled
r3#
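
Before testing with live traffic, the configuration built above can be cross-checked offline. The following is an added example, not part of the original post: for each client address it reports which interface the route-map sends the packet to and whether a NAT rule for that same interface covers the source, since a mismatch means traffic leaves one ISP carrying the other ISP's address. The function names are hypothetical, and the parser only handles the numbered access-list, "ip nat inside source list ... interface ... overload" and "set interface" forms used on this page.

```python
import ipaddress
import re

# Constructed sample: the PBR- and NAT-related lines of this page's full configuration.
CONFIG = """\
interface Vlan1
 ip address 192.168.2.254 255.255.255.0 secondary
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip policy route-map ISPSelect
!
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source list 2 interface FastEthernet1 overload
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
!
route-map ISPSelect permit 10
 match ip address 1
 set interface FastEthernet0
!
route-map ISPSelect permit 20
 match ip address 2
 set interface FastEthernet1
"""

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse(config):
    """Collect standard ACLs, NAT overload rules, route-map entries and applied policies."""
    acls, nat, rmaps, applied, cur = {}, [], {}, set(), None
    for line in config.splitlines():
        if m := re.match(r"access-list (\d+) permit (\S+) (\S+)$", line):
            acls.setdefault(m[1], []).append((to_int(m[2]), to_int(m[3])))
        elif m := re.match(r"ip nat inside source list (\d+) interface (\S+) overload$", line):
            nat.append((m[1], m[2]))
        elif m := re.match(r"route-map (\S+) permit (\d+)$", line):
            cur = {"seq": int(m[2]), "acl": None, "iface": None}
            rmaps.setdefault(m[1], []).append(cur)
        elif m := re.match(r" ip policy route-map (\S+)$", line):
            applied.add(m[1])
        elif cur and (m := re.match(r" match ip address (\d+)$", line)):
            cur["acl"] = m[1]
        elif cur and (m := re.match(r" set interface (\S+)$", line)):
            cur["iface"] = m[1]
        elif not line.startswith(" "):
            cur = None  # left the route-map block
    return acls, nat, rmaps, applied

def permits(acls, number, src):
    """Wildcard match: bits set in the wildcard mask are ignored."""
    s = to_int(src)
    return any((s ^ addr) & ~wild & 0xFFFFFFFF == 0 for addr, wild in acls.get(number, []))

def audit(config, rmap, sources):
    """Per source address, compare the route-map's egress with the NAT rules' interfaces."""
    acls, nat, rmaps, applied = parse(config)
    if rmap not in applied:
        return {src: "route-map not applied to any interface" for src in sources}
    report = {}
    for src in sources:
        # Entries are evaluated in sequence order; the first match decides.
        egress = next((e["iface"] for e in sorted(rmaps.get(rmap, []), key=lambda e: e["seq"])
                       if e["acl"] and permits(acls, e["acl"], src)), None)
        nat_ifaces = [iface for acl, iface in nat if permits(acls, acl, src)]
        if egress is None:
            report[src] = "no policy match: normal routing table lookup"
        elif egress in nat_ifaces:
            report[src] = f"ok: {egress}"
        else:
            report[src] = f"MISMATCH: routed to {egress}, NAT rules use {nat_ifaces}"
    return report

if __name__ == "__main__":
    for src, verdict in audit(CONFIG, "ISPSelect", ["192.168.1.5", "192.168.2.5", "192.168.3.5"]).items():
        print(src, verdict)
```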

Testing

Right now you should be able to surf the internet from both subnets. Let’s verify that traffic from our subnets is really following the right path. Let’s start by doing a traceroute. I’m going to trace the path to 8.8.8.8, and I’ll be using tracert’s -d switch so that it does not do a reverse lookup on the IP addresses.

Doing a traceroute

Note the second hop.

Result on Windows 7, 192.168.1.0/24 subnet:

Result on Windows XP, 192.168.2.0/24 subnet:

A successful result is when packets from the Windows 7 computer get routed via 213.193.228.254, which is ISP A’s gateway and packets from the Windows XP computer get routed via 88.9.5.254, which is ISP B’s gateway.

Checking the NAT translation table

For further verification, check the NAT translation table on the router using the show ip nat translations command. I’ll be pinging 8.8.8.8 from both the Windows 7 and the Windows XP workstation, which will create exactly two NAT entries in the translation table: one from the Windows 7 PC to 8.8.8.8 using ISP A and one from the Windows XP PC to 8.8.8.8 using ISP B.

r3#show ip nat translations
Pro  Inside global     Inside local    Outside local  Outside global
icmp 213.193.228.1:1   192.168.1.5:1   8.8.8.8:1      8.8.8.8:1
icmp 88.9.5.1:512      192.168.2.5:512 8.8.8.8:512    8.8.8.8:512
r3#

Further testing

You can do a packet capture between the router and the ISP’s modems.

You can pull the cables for the internet connections and check which subnets can still reach the internet.

Full configuration

!
! Last configuration change at 11:52:02 UTC Sat Jan 28 2012
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r3
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
crypto pki token default removal timeout 0
!
!
dot11 syslog
ip source-route
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1811/K9 sn CENSORED
!
!
!
!
!
!
!
!
!
interface Multilink1
 no ip address
 ppp multilink
 ppp multilink group 1
!
interface FastEthernet0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet1
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 ip address 192.168.2.254 255.255.255.0 secondary
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map ISPSelect
!
interface Async1
 no ip address
 encapsulation slip
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source list 2 interface FastEthernet1 overload
!
logging esm config
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
!
!
!
!
route-map ISPSelect permit 10
 match ip address 1
 set interface FastEthernet0
!
route-map ISPSelect permit 20
 match ip address 2
 set interface FastEthernet1
!
!
!
control-plane
!
!
!
line con 0
 speed 115200
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 login
 transport input all
!
end

13 thoughts on “Policy Based Routing example: route one subnet via ISP A and another via ISP B”

  1. Thanks for this post!! I have a question though – can you use the same route-maps in combination with static NATs (for servers), dynamic NATs (for desktops) and double NATs (for servers) in a failover setup? In a case where you have nodes that are assigned static public IP addresses for both ISPs, and you want to route the traffic through ISPA, but in the event of ISPA failure the server will route through ISPB with a static IP from the ISPB subnet. Do you have some configuration tips for that scenario?

    Thanks

  2. I tried this config with local IP address 10.4.1.1 255.255.0.0 with DHCP enabled…
    and I use one access list… access-list 1 permit 10.4.0.0 0.0.255.255
    When I try to open any webpage like Google or Facebook, the browser keeps on spinning and then just resets the connection. It looks like the router doesn’t know where to send the traffic or something. Can you help me resolve it, or do I have to use two access lists with two different subnet IP addresses? Please help… and thank you for the awesome post….

  3. Hi Glenn, here is my router config….

    If you look at the ip route, I put one with default metric and the other 5.
    If I use default metric 1 on both routes, the router doesn’t seem to know where to send the traffic, and if I open any browser it keeps on spinning.

    Building configuration…

    Current configuration : 6105 bytes
    !
    ! Last configuration change at 17:26:20 UTC Mon Mar 3 2014 by routadmin
    version 15.2
    service timestamps debug datetime localtime
    service timestamps log datetime localtime
    service password-encryption
    !
    hostname R
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no logging buffered
    !
    no aaa new-model
    !
    !
    crypto pki trustpoint TP-self-signed-12065
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-12065
    revocation-check none
    rsakeypair TP-self-signed-12065
    !
    !
    crypto pki certificate chain TP-self-signed-12065
    certificate self-signed 01
    quit
    ip cef
    !
    !
    !
    !

    !
    !
    ip dhcp pool dhcp
    import all
    network 10.4.0.0 255.255.0.0
    domain-name something
    default-router 10.4.1.1
    dns-server 8.8.8.8 8.8.4.4
    !
    !
    !
    no ipv6 cef
    !
    multilink bundle-name authenticated
    clns routing
    !
    vpdn enable
    !
    !
    license udi pid CISCO2951/K9 sn FGL180uy33
    !
    !
    username admin privilege 15 secret 4 zYw1b9r9LHtZ4GvxSg91tLs
    !
    redundancy
    !
    !
    !
    !
    !
    !
    track 10 ip sla 1 reachability
    !
    track 20 ip sla 2 reachability
    !
    class-map type inspect match-any All_Protocols
    match protocol tcp
    match protocol udp
    match protocol icmp
    match protocol dbase
    match protocol dns
    match protocol echo
    match protocol exec
    match protocol ftp
    match protocol ftps
    match protocol h225ras
    match protocol h323
    match protocol h323-annexe
    match protocol h323-nxg
    match protocol http
    match protocol https
    match protocol ipass
    match protocol ipsec-msft
    match protocol isakmp
    match protocol l2tp
    match protocol ldap
    match protocol ldap-admin
    match protocol ldaps
    match protocol mgcp
    match protocol mysql
    match protocol netbios-dgm
    match protocol netbios-ns
    match protocol netbios-ssn
    match protocol netshow
    match protocol netstat
    match protocol pop3
    match protocol pop3s
    match protocol pptp
    match protocol rtsp
    match protocol sip
    match protocol sip-tls
    match protocol skinny
    match protocol smtp
    match protocol sql-net
    match protocol sqlserv
    match protocol sqlsrv
    match protocol stun
    match protocol sunrpc
    match protocol sxp
    match protocol wins
    match protocol x11
    !
    policy-map type inspect inside_to_internet
    class type inspect All_Protocols
    inspect
    class class-default
    drop
    policy-map type inspect inside
    class class-default
    pass
    !
    zone security inside
    description inside
    zone security internet
    description internet
    zone-pair security inside_to_internet source inside destination internet
    description inside_to_internet
    service-policy type inspect inside_to_internet
    !
    !
    !
    !
    !
    !
    !
    !
    !
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    !
    interface GigabitEthernet0/0
    description $ETH-WAN$
    ip address 1.1.1.1 255.255.255.224
    ip nbar protocol-discovery
    ip flow ingress
    ip flow egress
    ip nat outside
    ip virtual-reassembly in
    zone-member security internet
    duplex full
    speed 1000
    !
    interface GigabitEthernet0/1
    description $ETH-WAN$
    ip address 2.2.2.2 255.255.255.192
    ip nbar protocol-discovery
    ip flow ingress
    ip flow egress
    ip nat outside
    ip virtual-reassembly in
    zone-member security internet
    duplex auto
    speed auto
    media-type rj45
    !
    interface GigabitEthernet0/2
    description $ETH-LAN$
    ip address 10.4.1.1 255.255.0.0
    ip nbar protocol-discovery
    ip flow ingress
    ip flow egress
    ip nat inside
    ip virtual-reassembly in
    zone-member security inside
    duplex full
    speed auto
    !
    !
    ip forward-protocol nd
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    ip nat inside source route-map AIRTEL interface GigabitEthernet0/0 overload
    ip nat inside source route-map TATA interface GigabitEthernet0/1 overload
    ip route 0.0.0.0 0.0.0.0 182.72.27.1 track 10
    ip route 0.0.0.0 0.0.0.0 115.111.6.193 5 track 20
    !
    ip sla auto discovery
    ip sla 1
    icmp-echo 182.72.27.1 source-interface GigabitEthernet0/0
    threshold 2
    timeout 300
    frequency 3
    ip sla schedule 1 life forever start-time now
    ip sla 2
    icmp-echo 115.111.6.193 source-interface GigabitEthernet0/1
    threshold 2
    timeout 500
    frequency 3
    ip sla schedule 2 life forever start-time now
    access-list 101 permit ip 10.4.0.0 0.0.255.255 any
    !
    route-map TATA permit 10
    match ip address 101
    match interface GigabitEthernet0/1
    !
    route-map AIRTEL permit 10
    match ip address 101
    match interface GigabitEthernet0/0
    !
    !
    !
    control-plane
    !
    !
    !
    line con 0
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line vty 0 4
    privilege level 15
    login local
    transport input telnet ssh
    line vty 5 15
    privilege level 15
    login local
    transport input telnet ssh
    !
    scheduler allocate 20000 1000
    !
    end

  4. Excellent write up, this helped me a lot. Thanks!

    1 error I found:
    ! Create the second entry in our route-map called “ISPSelect”
    r3(config)#route-map test1 permit 20

    I believe you mean it should be r3(config)#route-map ISPSelect permit 20

    Also, I was looking at your full config, is it normal that you don’t have any default route (0.0.0.0 0.0.0.0 x.x.x.x)?

  5. Question, if the ISP/s are not giving DHCP addresses, should we set the default routes manually, e.g.?


    ip route 0.0.0.0 0.0.0.0 gw-ISP1
    ip route 0.0.0.0 0.0.0.0 gw-ISP2

  6. Dear All,

    Now I am trying to find a solution for this network structure

    Aim: To host a webserver

    Products used : HP Blade Server, Cisco 2960 Switch, Cisco ASA Firewall 5500, Cisco Router 1900

    Connectivity : Static ip with Leased line from one ISP (8 IP’s with 6 usable)

    Setup: Server –>Switch–>Firewall–>Router–>ISP———–ISP–>ADSL Router–>User

    Server : 192.168.20.10/24

    Switch : 192.168.20.2/24

    Firewall : 192.168.10.2/24 (router end) and 192.168.20.1/24(switch end)

    Router : 192.168.10.1/24 (firewall end) and 11.11.11.12(serial) (WAN IP)

    Default gateway for Router : 11.11.11.11 (Wan ip gateway)

    Usable public LAN ip : 20.12.1.1-20.12.1.8

    Like to host the server using one of the public lan ip natted with the server

    If anyone knows how to configure this, kindly give your suggestion and configuration details..

    I have only one week’s time to do this..

    Kindly assist me

    Thanks and regards

    Balamurugan

  7. Mr. Matthys:
    I found your article very precise and didactic. I have a problem with my ISP. I need several subnets of valid IP addresses for telemetry purposes, and they need to use public IP addresses. I’ve got a 64 IP address block which I statically subnet toward my several serial interfaces. My old ISP provided me with an interface IP, so routing was as simple as it can be. The new ISP assigned me the 64 IP block, but the cable modem uses the whole subnet on the ethernet port with the highest IP as gateway… they assumed my hosts are on the same ethernet segment. They won’t allow a static route to send the block to my Cisco 7200 router, so I am facing having to use the /30 mask and sacrifice those 4 IPs, plus how do I route the subnets to a subnet with all the hosts in it?
    my email address is

  8. Tks for the article, sir! It was very useful!

    If you allow me, let me ask you something more:
    Is it possible to set different DNS addresses for those 2 ISPs?

    Thank you!
