topic PIX Configuration for Multiple ISPs<------does it work? in Network Security

PIX Configuration for Multiple ISPs<------does it work?

ajd — Fri, 21 Feb 2020 05:57:17 GMT

I have a client with multiple ISPs who would like to host web internally (off one isp) and mail internally (off the other isp).

DMZ

(Mail)172.16.11.1 /24-------+

(WWW)172.16.11.2 /24 |

Inside 172.16.10.X /24----PIX 515----+(provider1)

+--------+ (provider2)

provider1 = 216.X.X.X /48

provider2 = 64.X.X.X /48

The ISP's are both DSL (Ethernet).

The PIX has four interfaces.

With no default route.

static (dmz,provider1) 216.X.X.X 172.16.11.1 netmask 255.255.255.255 0 0

static (dmz,provider2) 64.X.X.X 172.16.11.2 netmask 255.255.255.255 0 0

conduit permit tcp host 64.X.X.X eq www any 0 0

conduit permit tcp host 216.X.X.X eq smtp any 0 0

inside clients will share the provider1 line for outbound.

Does this work?

With no default route (Ive seen multiple diagrams in the Cisco Security Specialist Course with this) and differing providers, I am sure traffic destined for the mail or web will get there but will it go out the originating interface?

We do have two extra routers (2600, 1600) if necessary but we would like all the traffic to go through the pix.

No need for load balancing, just traffic from one isp devoted to Mail and traffic from the other isp devoted to Web.

Thank you,

AJ Dandrea

Re: PIX Configuration for Multiple ISPs<------does it work?

jwitherell — Tue, 15 Jan 2002 14:03:16 GMT

Aren't you leaving yourself open for an outage my not allowing the web and email traffic to go either way? Why not stick a router in between the ISPs and the PIX and use both links for all the traffic? This way, if one fails, the web and mail traffic can go out the other way. Seems a shame to have 99% of the solution there, and not actually use it...

Re: PIX Configuration for Multiple ISPs<------does it work?

ajd — Tue, 15 Jan 2002 14:33:13 GMT

I guess here is the million dollar question..

You have a PIX 4/Interface

You have a 2600 4/Interface (ethernet)

You have a 1600 2/Interface (ethernet)

Provider1 64.X.X.X /48 (dsl)

Provider2 216.X.X.X /48 (dsl)

Mail Server 64.X.X.X /24

Web Server 216.X.X.X /24

What would you suggest?

I was thinking about:

Inside---------+

XXXXXXXXXXX|

DMZ--------+--PIX--+--2600--+Provider1

XXXXXXXXXXXXXXXXXXX|

XXXXXXXXXXXXXXXXXXX+----+Provider2

Since the PIX is only capable of 1 default route

static (dmz,outside) 172.16.10.5 192.168.1.5

static (dmz,outside) 172.16.10.6 192.168.1.6

the network between the pix/router 172.16.10.X

and have the router perform NAT for:

172.16.10.5 (Mail) to 64.X.X.X

172.16.10.6 (Web) to 216.X.X.X

How would one load balance between the providers on the 2600, policy based routing?

Thanks,