VIP with different external ip

Author
Cruz2019
2021/02/23 13:29:12

Hello,
I hope you can support or guide me if what I intend to do is possible:
I have a web server with the external IP 187.210.xx.xxx and the mapped IP 172.16.x.xx, configured as a VIP. I just hired another ISP, and I want to publish this same server with that external IP so that when my main ISP is not working, my server exits through my secondary ISP.

First of all, thanks.
#1


    emnoc
    Re: VIP with different external ip 2021/02/23 13:57:42
     
    Q: Are you doing BGP?

    Q: Is the 187.210.x.x/xx advertised to both ISPs?

    If you answer yes to both, then set the VIP interface to ANY:
     
    config firewall vip
    edit "VIP-ANY1"
    set mappedip "172.16.1.1"
    set extintf "any"
    next
    end
     
    Then run a "diag debug flow" against the target and monitor.
     
    Ken Felix
    SCTG-MS

    PCNSE 
    NSE 
    StrongSwan  
    #2
    Cruz2019
    Re: VIP with different external ip 2021/02/23 15:21:23
    I do not use BGP. My web server is published only by my main ISP, which is 187.210.xx / xx. My intention is to publish it on my second ISP, but I do not know how to do it. The goal is that when my main ISP fails, my secondary ISP takes its place automatically so as not to lose the published service.
    #3
    emnoc
    Re: VIP with different external ip 2021/02/23 16:59:13
    That would be impossible if your 2nd ISP does not originate the prefix. You could publish 2x VIPs, one with x.x.x.x-map-to-server and one with y.y.y.y-map-to-server, for the web services.
     
     
    Ken Felix
     

    #4
    Cruz2019
    Re: VIP with different external ip 2021/02/24 08:10:52
    What options do I have to carry out this action? The purpose is to publish my server so that it is available through the 2 ISPs, if it is possible to do so.
    I have SDWAN for internal connections and I would like to have something similar for external connections, to have high availability.
    #5
    emnoc
    Re: VIP with different external ip 2021/02/24 09:13:49
    Well, if that's the case, you need 2 VIPs:
     
     
    config firewall vip
        edit "ISP1"
            set extip x.x.x.x
            set extintf "wan1"
            set mappedip "172.16.1.1"
        next
        edit "ISP2"
            set extip y.y.y.y
            set extintf "wan2"
            set mappedip "172.16.1.1"
        next
    end
     
    Put both VIPs into a vipgrp and place that into a policy. Now here's the kicker: you need to test it. With SDWAN it is possible the server might want to route out the wrong interface.

    So I would test VIP1 with diag sniffer packet wan1 "host x.x.x.x" and confirm two-way traffic. And lastly, you would need 2 A records.
     
    eg
     
        www.example.com has address x.x.x.x
        www.example.com has address y.y.y.y
     
     
    If you have GSLB/GTM you can probably add that to your mix and control it by one of these 2, but I'm assuming you do not.

    But it's impossible to use one address for both ISP1/2.
     
    Ken Felix

    #6
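Added example, not part of the thread and not the poster's or Fortinet's code: a small offline check of the layout described in the reply above (one VIP per WAN interface, the same mapped server, one A record per external IP). The function names, the `wan1`/`wan2` defaults and the documentation addresses standing in for x.x.x.x and y.y.y.y are assumptions made for illustration.

```python
import re

# Constructed sample: the reply's two-VIP layout with documentation addresses.
SAMPLE_CONFIG = '''
config firewall vip
    edit "ISP1"
        set extip 198.51.100.10
        set extintf "wan1"
        set mappedip "172.16.1.1"
    next
    edit "ISP2"
        set extip 203.0.113.10
        set extintf "wan2"
        set mappedip "172.16.1.1"
    next
end
'''
SAMPLE_A_RECORDS = {"198.51.100.10", "203.0.113.10"}  # constructed DNS answers

def parse_vips(text):
    """Return {vip_name: {setting: value}} from a 'config firewall vip' block."""
    vips, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'edit\s+"?([^"]+)"?$', line)
        if m:
            current = vips.setdefault(m.group(1), {})
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            parts = line.split(None, 2)
            if len(parts) == 3:
                current[parts[1]] = parts[2].strip('"')
    return vips

def check_dual_isp(vips, a_records, wan_ifaces=("wan1", "wan2")):
    """List gaps that would leave the server unreachable through one ISP."""
    findings = []
    by_intf = {v.get("extintf"): (n, v) for n, v in vips.items()}
    for intf in wan_ifaces:
        if intf not in by_intf:
            findings.append(f"no VIP bound to {intf}")
            continue
        name, vip = by_intf[intf]
        if vip.get("extip") not in a_records:
            findings.append(f"{name}: extip {vip.get('extip')} has no A record")
    if len({v.get("mappedip") for v in vips.values()}) > 1:
        findings.append("VIPs map to different internal servers")
    return findings
```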
    Cruz2019
    Re: VIP with different external ip 2021/02/24 10:11:29
    The current configuration and with which the VIP is working with my main ISP or WAN 1 is the following:
    I have the following VIP configured:
    Name: SRV-MyCompany
    Interface: WAN1
    External IP address / range: 187.210.xxx.xx
    Mapped IP address / range: 172.16.1.xx

    And the Policy
    Name: VIP-Myserver
    Incoming Interface: SDWAN (All my ISP)
    Outgoing Interface: Local Network
    Source: All
    Destination: SRV-MyCompany

    With this configuration it worked perfectly, both for internal and external connections. I already have another ISP added to my FortiGate, "WAN2". I want the server that I have published on "WAN1" to also be published on "WAN2", because every time my WAN1 goes down, all connections to my server are lost. This issue is somewhat complex for me because I do not fully master it.
    I don't know how to do these configurations, whether I have to create another VIP, which IPs it should carry, or if something additional is required.
    It is worth mentioning that my main ISP gives me 8 public IP addresses, but the second one only gives me one.
    #7