https://community.cisco.com/t5/network-security/two-gateways-in-a-pix/m-p/431747#M557373 <P>Hi all,</P><P>I would like to have two wan routers in the outside network of my pix, and perform a basic polic based routing, I mean, depends on what IP is going to the internet, the router send the packets to one default router or to another.</P><P>Is that config possible ??</P><P>Regards,</P><P>Luis Miguel.</P><P></P> Fri, 21 Feb 2020 08:11:29 GMT lmgil 2020-02-21T08:11:29Z https://community.cisco.com/t5/network-security/two-gateways-in-a-pix/m-p/431747#M557373 <P>Hi all,</P><P>I would like to have two wan routers in the outside network of my pix, and perform a basic polic based routing, I mean, depends on what IP is going to the internet, the router send the packets to one default router or to another.</P><P>Is that config possible ??</P><P>Regards,</P><P>Luis Miguel.</P><P></P> Fri, 21 Feb 2020 08:11:29 GMT https://community.cisco.com/t5/network-security/two-gateways-in-a-pix/m-p/431747#M557373 lmgil 2020-02-21T08:11:29Z https://community.cisco.com/t5/network-security/two-gateways-in-a-pix/m-p/431748#M557375 <HTML><HEAD></HEAD><BODY><P>It is about the only way you can use a single pix (or failover bundle) to handle two internet connections each with their own IP allocation.</P><P></P><P>The main issue to be resolved is not the outbound policy routing, mapping IP to correct ISP, which is straight forward, but the detection and handling of the various points of failure.</P><P></P><P>I set up two 2600 with 3 interfaces each:</P><P></P><P>Inside interfaces presenting a single IP via HSRP, tracking the ISP interfaces.</P><P></P><P>Router-router interfaces running an IGP routing protocol</P><P></P><P>ISP-facing interfaces which need to be directly connected to the ISP router if you want to detect interface down.</P><P></P><P>Its not very elegant, so I waited for PIX 7 because I was told that it would be able to support policy routing, but it was not so <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P></BODY></HTML> Mon, 06 Jun 2005 14:12:26 GMT https://community.cisco.com/t5/network-security/two-gateways-in-a-pix/m-p/431748#M557375 Philip DG 2005-06-06T14:12:26Z https://community.cisco.com/t5/network-security/two-gateways-in-a-pix/m-p/431749#M557376 <HTML><HEAD></HEAD><BODY><P>yes, it's possible.</P></BODY></HTML> Mon, 06 Jun 2005 20:44:11 GMT https://community.cisco.com/t5/network-security/two-gateways-in-a-pix/m-p/431749#M557376 a.alekseev 2005-06-06T20:44:11Z https://community.cisco.com/t5/network-security/two-gateways-in-a-pix/m-p/431750#M557377 <HTML><HEAD></HEAD><BODY><P>Can you clarify how ?</P><P></P></BODY></HTML> Tue, 07 Jun 2005 08:17:19 GMT https://community.cisco.com/t5/network-security/two-gateways-in-a-pix/m-p/431750#M557377 lmgil 2005-06-07T08:17:19Z https://community.cisco.com/t5/network-security/two-gateways-in-a-pix/m-p/431751#M557378 <HTML><HEAD></HEAD><BODY><P>Regarding the detection of failure...</P><P></P><P>Check this page:</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a0080211f5c.shtml" target="_blank">http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a0080211f5c.shtml</A></P><P></P><P>If you run a routing-protocol against the ISP's it's even easier.. you don't have to do ping-tests.. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>I haven't seen any policy-routing in the PIX either..</P><P></P><P>v7.0 has ECMP support for up to 3 equal-cost gateways, but they are just load-balanced and has to be on the same interface.</P></BODY></HTML> Tue, 14 Jun 2005 13:53:52 GMT https://community.cisco.com/t5/network-security/two-gateways-in-a-pix/m-p/431751#M557378 johansens 2005-06-14T13:53:52Z https://community.cisco.com/t5/network-security/two-gateways-in-a-pix/m-p/431752#M557379 <HTML><HEAD></HEAD><BODY><P><PRE></PRE></P><P>isp1-------R1----.2------|</P><P> | |</P><P> | HSRP .1 |---------.4-PIX------</P><P> | |</P><P>isp2-------R2----.3------|</P><P></P><P>you can run OSPF between R1,R2,PIX or use default route to HSRP-ip-addreess</P><P></P><P>odd inside hosts will be translated to ISP1 address space</P><P>nat(inside) 1 0.0.0.1 0.0.0.1</P><P>global(outside) 1 ISP1-ip-address</P><P></P><P>even inside hosts will be translated to ISP2 address space </P><P>nat(inside) 2 0.0.0.0 0.0.0.1</P><P>global(outside) 2 ISP2-ip-address</P><P></P><P>on R1, R2 you must have policy-routing.</P></BODY></HTML> Sun, 19 Jun 2005 17:00:36 GMT https://community.cisco.com/t5/network-security/two-gateways-in-a-pix/m-p/431752#M557379 a.alekseev 2005-06-19T17:00:36Z https://community.cisco.com/t5/network-security/two-gateways-in-a-pix/m-p/431753#M557380 <HTML><HEAD></HEAD><BODY><P>Hi Luis,</P><P></P><P>I'm no PIX expert, but I believe you can achieve what you are refering to by using Policy NAT.</P><P></P><P>See the last config example called "Use Policy NAT" in the following URL.</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a008046f31a.shtml" target="_blank">http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a008046f31a.shtml</A></P><P>You may also have a LOT more flexibility determining which local IP ranges to use in your policy decisions with PIX OS v7.0.</P><P></P><P>Cheers,</P><P>Dave.</P></BODY></HTML> Mon, 20 Jun 2005 09:59:00 GMT https://community.cisco.com/t5/network-security/two-gateways-in-a-pix/m-p/431753#M557380 david-wood 2005-06-20T09:59:00Z