Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
593
Views
4
Helpful
3
Replies

Dual ISP Connection in PIX. Will it work?

vipinrajrc
Level 3
Level 3

‎07-07-2011 04:03 AM - edited ‎03-11-2019 01:55 PM

Hi Experts,

I need to implement another ISP circuit in my client's PIX515E v6.3.3. But  in this  PIX i was not able to configure backup command. When i checked i found that it support only after 7.2. So i decide to configure another default route with AD as 1 and Change the existing to a higher value. I want to implement the new one as the primary and the old one as the secondary. will it works?

Regards

Vipin

Thanks and Regards, Vipin
Labels:
0 Helpful
3 Replies 3

Jennifer Halim
Cisco Employee
Cisco Employee

‎07-07-2011 04:33 AM

No, you can't just have 2 default routes with different administrative distance because if the primary ISP is not available, the PIX firewall will not know.

For PIX to automatically failover to the secondary ISP, you would need to configure track/sla on PIX v7.x and above so it can determine when it's down, as per the following sample config:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

With version 6.x, when primary ISP is down, you would need to manually disconnect or shutdown the PIX interface that connects to the primary ISP for the secondary ISP to work. And you would also need to manually fail it back to the primary ISP when it's back up.

Hope that answers your question.

vipinrajrc
Level 3
Level 3
In response to Jennifer Halim

‎07-07-2011 05:53 AM

Hi,

As i mentioned i configured another interface with the new ip address which is provided by the ISP. From the PIX itself i got ping to that ip. But from outside i didnt get ping to the IP address.

I just configured that IP address,Sec-level to zero. I didnt configure PAT. but i didnt get ping to this interface from outside.

what might be the issue?

thanks and regards

Vipin

Thanks and Regards, Vipin
0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to vipinrajrc

‎07-07-2011 06:07 AM

Please kindly share the configuration.

Please check if you have any "icmp" command on any interface. If you do, then you would need to also explicitly configure this new interface to be allowed with ping.

The command will be "icmp permit any "

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card