
PIX 506 behind multihomed router

eblizard
Level 1

Got a question for how to configure Global (outside) NAT or PAT if the PIX is behind a multihomed (non-BGP) router. The 1720 router has connections to two separate ISPs for WAN redundancy. My question is: if ISP B will not route ISP A IP addresses, is there a way to configure Global (outside) in a way so that it will PAT to an ISP B IP address if ISP A is down, or would we have to manually connect to the PIX to change the global (outside) address when ISP A is down?


gfullage
Cisco Employee

There's no way the PIX can tell if a particular external link is down, so there's really not a simple way to do this.

You could implement some poor-man's load-balancing so that half your outbound sessions are PAT'd to an ISP-A address and half are PAT'd to an ISP-B address. That way if one link does go down you'd only lose half your connections, and you can then change the other PAT address manually. Not great, but would reduce your outage by 50% straight away which is nothing to sneeze at.

Something like:

nat (inside) 1 0.0.0.1 0.0.0.1

nat (inside) 2 0.0.0.0 0.0.0.1

global (outside) 1

global (outside) 2

will PAT all internal odd IP addresses to an ISP-A address, and all internal even IP addresses to ISP-B.

If a particular link goes down just change the corresponding global command to point to the other ISP's address.
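A small model of the odd/even match described in the reply above, added here as an illustration and not part of the original thread. The host inventory is constructed and the pool-to-ISP mapping is an assumption; it shows that the split is only 50/50 when inside addresses are spread evenly across odd and even values.

```python
import ipaddress
from collections import Counter

# nat (inside) <id> <address> <mask>, copied from the reply above.
NAT_RULES = [
    (1, "0.0.0.1", "0.0.0.1"),   # last bit set   -> odd hosts
    (2, "0.0.0.0", "0.0.0.1"),   # last bit clear -> even hosts
]
# Assumption: global pool 1 is an ISP-A address, pool 2 an ISP-B address.
POOL_ISP = {1: "ISP-A", 2: "ISP-B"}


def nat_id(host):
    """Return the nat id whose address/mask pair matches host, or None."""
    h = int(ipaddress.IPv4Address(host))
    for rule_id, addr, mask in NAT_RULES:
        a = int(ipaddress.IPv4Address(addr))
        m = int(ipaddress.IPv4Address(mask))
        if h & m == a & m:          # only the bits set in the mask are compared
            return rule_id
    return None


def split(hosts):
    """Count inside hosts per ISP under the odd/even rules."""
    return Counter(POOL_ISP[nat_id(h)] for h in hosts)


def stranded(hosts, failed_isp):
    """Hosts whose PAT address belongs to the failed ISP until 'global' is changed."""
    return [h for h in hosts if POOL_ISP[nat_id(h)] == failed_isp]


# Constructed inventory: clients .10-.29, plus servers that all sit on odd addresses.
CLIENTS = [f"192.168.1.{n}" for n in range(10, 30)]
SERVERS = ["192.168.1.1", "192.168.1.3", "192.168.1.5", "192.168.1.7"]

if __name__ == "__main__":
    print(split(CLIENTS))              # even spread across both ISPs
    print(split(CLIENTS + SERVERS))    # skewed toward ISP-A by the odd-numbered servers
    print(stranded(SERVERS, "ISP-A"))  # every server is affected by an ISP-A outage
```

If critical hosts cluster on odd or even addresses, renumbering them across both parities keeps a single link failure from taking all of them out at once.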

Thanks, I thought about possibly doing that and it could be a solution.

What if I set up the edge router to re-NAT the traffic coming from the PIX? Would this not work? It would create extra overhead but might work. Just use a route-map on the router. Just not sure how the PIX would react.
