RE: [fw-wiz] Query regarding Cisco Router

From: "manatworkyes moderator"
Date: Tue Sep 24 15:07:01 2002

The simple way to do it is to use the BGP4 protocol. Yet, in my opinion (from my
own experience) the Cisco 1751 does not have the strength to carry BGP4.
I do not know if other firewalls can do it. Using CheckPoint NG, it is possible,

using the following connections:

        ISPA     ISPB
           \     /
            \   /
             \ /

1. All objects will be NATed behind dynamic objects.
2. The FW external interface, as well as the router-to-firewall interface, can use
   RFC 1918 based IPs. Verify that there is a route on the router towards the
   FW IP address.
3. Using the 4 IPs (assuming that this is not a /30 network) you could have
        1 IP to hide the internal network
        3 IPs to allow static NAT for DMZ servers

So how to connect to 2 different ISPs?
The trick is to use dynamic objects. Modifying the objects is done
using command lines.

Write a script that checks the status of your upstream routers (at ISPA and
ISPB), or even some address on the internet (use a reliable site, like When the link fails, update the dynamic objects (the command
is dynamic_objects) with the new set of IPs from the second ISP.

Again, in the scenario where incoming traffic is needed, BGP4 is a better


-----Original Message-----
From: [] On Behalf Of prasad_patkar
Sent: Tuesday, September 24, 2002 8:27 AM
Cc: Rana Waqar;;
Subject: [fw-wiz] Query regarding Cisco Router

Hi all

I have a query regarding a ROUTER.
I have 2 different ISP connections: a 1st DSL connection (broadband) and a 2nd
2Mbps leased line.
I want to terminate both on a Cisco 1751V router and configure it for
failover, i.e. failover of the ISP.

The router is required to be configured for failover, i.e. if the 2Mbps LL fails, DSL
will take over and vice versa.

I have connected a firewall behind it. The firewall has only 3 ports (LAN, WAN, DMZ).
Both ISPs have provided 4 IPs. 2 IPs from each ISP are used for DMZ servers
(Mail and Application).
Both ISPs are told to put DNS entries for the other's IPs in their DNS server (i.e.
DSL will put the IP of the leased line ISP and vice versa).

The firewall cannot have 2 WAN gateways.

The firewall is to be configured for the leased line ISP provider.

WAN IP of firewall === IP of leased line ISP.
Gateway of firewall === IP of leased line ISP


1) The DSL Hathway connection will be used only for Internet access.
2) The 2Mbps leased line ISP will be used only for the remote office accessing the
Application server and for mail being downloaded to the Mail server.
3) E.g. if a user wants to access the Internet, then the request will be forwarded
by the proxy server if the customer has one, or it will be directly forwarded to the LAN
IP of the firewall, which will in turn forward it to the router. The router has to
forward it to the DSL connection. All Internet surfing has to be done only
through the DSL connection.

Can traffic coming from the firewall WAN port be directed by the router
accordingly? I.e. if HTTP traffic is coming from the firewall to the router, the router
has to direct it to Hathway, while all incoming traffic will be coming via the leased
line ISP.

Can the router be configured in such a way that if an HTTP request, i.e. port 80
traffic, is coming, it can be directed to the DSL connection (broadband), while
incoming HTTP or any other traffic used for accessing the internal MAIL SERVER and
Application server has to be only through the LEASED LINE ISP?

Only when either fails does one of them have to take care of the other. I.e. if the DSL
connection fails then the router has to automatically divert all traffic to the leased
line ISP, and if the leased line ISP fails it has to direct the traffic to DSL.

To achieve this, what changes do I have to apply in hardware, or does any request
have to be given to the ISP provider?

Prasad Patkar
Sr Engg-Networking
TELEPHONE:- 2875525-29
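The failover watcher that the reply above sketches (probe both upstream routers, and when the active link fails rewrite the dynamic objects so NAT follows the surviving ISP), written out as an added example. This is not code from the thread or from Check Point; the object names, the address sets (RFC 5737 documentation ranges) and the `dynamic_objects -o <name> -r <first> <last> -a|-d` invocation are assumptions made here, so verify the CLI syntax against the Check Point release actually in use. The script generalises the reply's one-direction switch into a state-tracking check that can run from cron in either direction, and `DRY_RUN=1` prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the original thread. Probes each ISP's upstream
# router and re-points Check Point dynamic objects at the surviving ISP's
# addresses when the active link goes down (or comes back).

# Constructed upstream router addresses (documentation ranges, not real).
ISPA_GW="192.0.2.1"
ISPB_GW="198.51.100.1"

# Four addresses per ISP, as in the thread: one to hide the LAN behind and
# three for static NAT of DMZ servers. Object names are hypothetical.
OBJECTS="lan_hide dmz_mail dmz_app dmz_spare"
addr_for() {            # addr_for <object> <A|B>  -> prints that ISP's address
    case "$2:$1" in
        A:lan_hide)  echo 192.0.2.10 ;;
        A:dmz_mail)  echo 192.0.2.11 ;;
        A:dmz_app)   echo 192.0.2.12 ;;
        A:dmz_spare) echo 192.0.2.13 ;;
        B:lan_hide)  echo 198.51.100.10 ;;
        B:dmz_mail)  echo 198.51.100.11 ;;
        B:dmz_app)   echo 198.51.100.12 ;;
        B:dmz_spare) echo 198.51.100.13 ;;
        *) return 1 ;;
    esac
}

link_up() {             # link_up <gateway> -> exit 0 when the probe answers
    ping -c 2 "$1" >/dev/null 2>&1
}

choose_isp() {          # choose_isp <A up|down> <B up|down> -> A or B
    if [ "$1" = up ]; then echo A            # prefer the primary when it answers
    elif [ "$2" = up ]; then echo B          # fall back only if the backup is alive
    else echo A                              # both down: switching gains nothing
    fi
}

run_cmd() {             # execute, or just print when DRY_RUN is set
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Assumed Check Point CLI shape: -d removes a range, -a adds one.
switch_to() {           # switch_to <new ISP> <old ISP>
    new="$1"; old="$2"
    for obj in $OBJECTS; do
        o=$(addr_for "$obj" "$old"); n=$(addr_for "$obj" "$new")
        run_cmd dynamic_objects -o "$obj" -r "$o" "$o" -d
        run_cmd dynamic_objects -o "$obj" -r "$n" "$n" -a
    done
}

STATE_FILE="${STATE_FILE:-/tmp/active_isp}"   # remembers which ISP is live

check_once() {          # probe both links, switch if the preferred ISP changed
    a=down; b=down
    link_up "$ISPA_GW" && a=up
    link_up "$ISPB_GW" && b=up
    current=$(cat "$STATE_FILE" 2>/dev/null || echo A)
    want=$(choose_isp "$a" "$b")
    if [ "$want" != "$current" ]; then
        switch_to "$want" "$current"
        echo "$want" > "$STATE_FILE"
    fi
    echo "$want"
}

# Usage: run from cron every minute as `failover.sh --once`.
if [ "${1:-}" = --once ]; then check_once; fi
</```

Two probes per gateway with a single check is deliberately simple; in production you would require several consecutive failures before switching (flapping links otherwise churn the NAT tables) and log every switch so the change shows up in the firewall's audit trail.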
firewall-wizards mailing list