topic Re: Pix firewall with 3 wan connection ? in Network Security

Pix firewall with 3 wan connection ?

blue4cisco — Fri, 21 Feb 2020 08:55:13 GMT

We have 3 dsl line of 2 mbps each with public ip assigned. I want to go for PIX firewall, Can i use all 3 wan connection simutaneously with PIX firewall, if yes then how. Any alternate thr?. also guide me cheapest pix version to use as firewall with all 3 wan connection.

Thanx in advance

Re: Pix firewall with 3 wan connection ?

a.kiprawih — Tue, 23 May 2006 06:04:35 GMT

Hi,

3 links to ISP is fine, as long as you have enough ports on PIX to host those DSLs.

Try to get at least PIX515E with 4 interfaces (3 for DSLs, 1 for internal network).

By default, it comes with 2 interfaces (inside-Eth1 & outside-Eth0). When you place an order, you can either add *two (2) additional FastEthernet cards or get **1 x 4-Ports FastEthernet card.

By default, PIX515E support max 3 interface with Restricted (R) license. For 4 or more interfaces, you need to get PIX with UnRestricted (UR) software license.

*PIX-1FE : PIX single-port 10/100 Fast Ethernet interface card

**PIX-4FE-66 : PIX 64-bit/66-MHz x 4-port 10/100 Fast Ethernet interface card, RJ45

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_data_sheet09186a0080091b15.html

You can control connectivity/traffic from internal network/user to use any of those DSLs via NAT, Global, static nat, ACL and route.

Configuration Guide:

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html

Hope this helps.

Rgds,

Re: Pix firewall with 3 wan connection ?

blue4cisco — Tue, 23 May 2006 06:32:02 GMT

is it possible with pix firewall that i plug three different network in 3 ports & Lan user can access any network they wish to ? plz. open attachement.

Re: Pix firewall with 3 wan connection ?

a.kiprawih — Tue, 23 May 2006 08:24:56 GMT

Your design looks simple, but need careful configuration.

You can use NAT & Global command to allow outbound connect, and ACL to restrict outbound access.

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172790.html#wp1008082

Example:

Nat (inside) 1 10.10.10.0 255.255.255.0

Global (dsl_line) 1 x.x.x.10-x.x.x.20 netmask 255.255.255.128

Global (net1) 1 y.y.y.40-x.x.x.50 netmask 255.255.255.192

Global (net2) 1 z.z.z.20-z.z.z.30 netmask 255.255.255.224

route outside 0.0.0.0 0.0.0.0 x.x.x.1 1*

route outside 0.0.0.0 0.0.0.0 y.y.y.1 2*

route outside 0.0.0.0 0.0.0.0 z.z.z.1 3*

Note:

*PIX only accept one (1) static route with metric 1 at any time. Therefore, you need to assign priority, e.g link #1 metric 1, link 2 mteric 2 and so on, to the default route to all 3 links. PIX does not have smart routing feature like router.

http://www.cisco.com/en/US/customer/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727ab.html#wp1027614

But since all your internal hosts are connected directly to PIX inside interface, and need to use all 3 links to go out anywhere they want, users need to add 3 gateways in their machines, which is not really recommended due to problem with Microsoft. You can always add 2 more IPs as gateway, but host will keep looking/using the 1st gateway in the list.

You cannot use ‘route-map’ in PIX as it is used to redistribute routes from one routing protocol into another, not to specify preferred route.

You probably need to specify specific range of target/external addresses/subnets in the static route to enable internal hosts accessing specific external/internet address via specific link. In this case, you don’t need to specify the metric.

Example:

route outside 198.133.x.x.255.255.255 x.x.x.1 --> accessing http://www.cisco.com via link #1

route outside 66.102.x.x.255.255.255 y.y.y.1 --> accessing http://www.google.com via link #2

route outside 202.71.108.28 255.255.255.255 z.z.z.1 --> accessing http://www.cari.com.my via link #3

One of the best option is to put Router in front of firewall, and use ‘route-map’ feature in router to define which traffic goes to which link. All 3 links need to be hooked to this router.

Rgds,

Re: Pix firewall with 3 wan connection ?

blue4cisco — Tue, 23 May 2006 09:08:14 GMT

Thanx AK, u r very close to my solution. let me tell u that we r using win98 at end user would it be ok to access all 3 network with 98 using 3 gateways. my network are 23.125.12.* , 192.168.2.*, 78.561.25.*.With out a router can we implement this using PIX only. would it work ?

Waiting ur reply

Re: Pix firewall with 3 wan connection ?

a.kiprawih — Tue, 23 May 2006 10:53:57 GMT

Hi,

I am sure it will work, except the fact that you cannot maximize the 3 links for your internet browsing or accessing external network activities.

Internet access will go mainly via Link#1 as it has highest metric or priority. The other 2 links will probably do nothing until Link#1 down.

***But again, there might be an issue as PIX will not know/aware (not intelligence) if Link#1 is down. This will make it to keep pushing/sending traffic out through that link. That's why a router is needed. But you can always use Link#2 & Link#3 for for specific traffic, e.g use Link#2 for email traffic, Link#3 for DNS and so on.

Alternatively, if you want, you can try this (attach config) theory, although this is still subjected to the above *** statement. The execption is each internal address/subnet will use specific link to go out/to internet.

For PIX OS, if possible, use the latest 6.x version.

Rgds,