2 isp 2 PIX on same internal network?

jhs4709 · ‎08-23-2007

I have an existing PIX 515 failover pair. I am installing a second circuit (more bandwidth needed) and will be using a second PIX 515 failover pair. Both outside interface IPs will be in different networks eventually. Both inside interfaces will be in same net work (x.x.x.16 255.255.255.240). I need to keep the inside firewalls on same network if possible, but testing did not allow traffic to pass on PIX-2. (testing was done with outside networks in same network on 1 ISP link. This worked through small linksys router, but not on PIX) Any advice would be appreciated. I am assuming there is a conflict on PIX due to them both advertising or being in the same networks (x.x.x.16 /27 inside and x.x.x.0 /27 outdside) and connected to them.

Thanks in advance!

Brad Shows

anandramapathy · ‎08-23-2007

>but testing did not allow traffic to pass > on PIX-2.

what does this mean ?

how are you routing packet from your LAN to the Firewall ? Do yo have a static route from your LAN to the PIX-1 ?

If this is the case, then you have to do the following for testing traffic through PIX-2

put a route map on your LAN gateway which points a test subnet from which you want to send traffic to PIX-2

jhs4709 · ‎08-23-2007

PIX-1 inside 2x.2x.1x.17 /28 outside 2x.2x.1x.2 /28

PIX-2 inside 2x.2x.1x.28 /28 outside 2x.2x.1x.3 /28

PIX-1 handles all nets now. PIX-2 will handle some of those once I get traffic flowing. I took one network off PIX-1 and configured it on PIX-2 with

static (inside,outside) 2x.2x.123.0 2x.2x.123.0 netmask 255.255.255.128

route inside 2x.2x.123.0 255.255.255.128 2x.2x.1x.25

Trying to get traffic from 2x.2x.123.0 network failed. If I set up a linksys router with same IPs I can get traffic to pass no problem. However I must use PIX.

If I place the inside interface of PIX-2 in different network, 10.0.0.1 /24 I can get traffic to flow.

Thanks!

anandramapathy · ‎08-24-2007

Are you are saying that traffic from outside for the public IP 2x.2x.123.0 has to flow through the PIX2 ?

If this is the case, do you have a Router before the PIX to which your ISP is connected ?

On this router define a static route for the subnet 2x.2x.123.0 pointing it to the outside interface of the PIX-2.

You will be able to get inbound traffic for the above subnet via the PIX-2.

jhs4709 · ‎08-26-2007

yes, traffic from outside for the public IP 2x.2x.123.0 has to flow through the PIX2. I am assuming our service provider is now routing all to PIX-1 and once the 2nd circuit is installed will route networks accordingly.

There is no router on outside of either PIX, only service provider ONU. I think that is why it will not work is because they route everything to PIX-1. I will wait for 2nd circuit to be installed to test again. Thanks!

anandramapathy · ‎08-26-2007

Glad to hear that.

Please rate the post if this helped.