
Pix and redundant internet connections

insania2016
Level 1

Greetings,

I am thinking about setting up a redundant internet presence with our ISP. They will provide two routers and they will be using BGP between them. I have two PIX 515 firewalls that will sit in between those routers and our internal network. Currently, they are set up as failover so only one is active at a time. How difficult is it to set up two outside interfaces with the PIX 515 so that I can route to either one should one go down? Or should I take a different approach?

2 Replies

ehirsel
Level 6

With the PIX using ASA, it may not be possible to use two outside interfaces on the pix and expect traffic that used to flow over one to now flow over the other in case of a router issue.

It is better to stick with one interface on each firewall (you have two for redundancy so if one intf fails on one pix unit, the other unit will take over), and place the router and pix interfaces on the same subnet. You can run ospf or rip between the pix units and the routers. Or you can run hsrp between the two routers and use static routes between them and the pix - with the pix using the hsrp address as the default gateway.

If you do use ospf or rip, run filters on the routers and the pix units so that the routers only advertise a default route out and accept only what networks belong to you, with the pix doing the inverse.

One other item: If you have a say in the matter, do the NAT and/or PAT on the PIX, not the routers.

It may be easier to use the static routes and the hsrp setup, but the ISP may have a different approach.

That sounds like a good idea (HSRP and statics). I deal with NAT on the PIX, and the ISP pretty much will do whatever I ask of them. They've been great to work with so far.
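
The HSRP-and-static-routes layout discussed in this thread, sketched as an added example that is not part of the original posts. The 192.0.2.0/29 addresses, the interface names, the HSRP group number and priorities, and the PIX 6.x command syntax are all assumptions; lines starting with `!` are annotations.

```cisco
! --- ISP router A (IOS), LAN side on the same subnet as the PIX outside ---
interface FastEthernet0/0
 ip address 192.0.2.2 255.255.255.248
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 ! drop priority by 20 if the upstream link fails, so router B takes over
 standby 1 track Serial0/0 20
!
! --- ISP router B (IOS) ---
interface FastEthernet0/0
 ip address 192.0.2.3 255.255.255.248
 standby 1 ip 192.0.2.1
 standby 1 priority 100
 standby 1 preempt
!
! --- PIX failover pair (6.x syntax), a single outside interface per unit ---
ip address outside 192.0.2.4 255.255.255.248
failover ip address outside 192.0.2.5
! default route targets the HSRP virtual address, not either physical router
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
```

Because the PIX only ever sees the virtual address, a router failure is handled by HSRP and a firewall failure by PIX failover, with no routing change on the firewalls in either case.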
