01-14-2002 08:42 PM - edited 02-20-2020 09:57 PM
I have a client with multiple ISPs who would like to host web internally (off one ISP) and mail internally (off the other ISP).
                  DMZ
  (Mail) 172.16.11.1 /24 ---+
  (WWW)  172.16.11.2 /24    |
                            |
Inside 172.16.10.X /24 --- PIX 515 --- (provider1)
                            |
                            |
                            +--------- (provider2)

provider1 = 216.X.X.X /48
provider2 = 64.X.X.X /48
The ISPs are both DSL (Ethernet).
The PIX has four interfaces, with no default route.
static (dmz,provider1) 216.X.X.X 172.16.11.1 netmask 255.255.255.255 0 0
static (dmz,provider2) 64.X.X.X 172.16.11.2 netmask 255.255.255.255 0 0
conduit permit tcp host 64.X.X.X eq www any
conduit permit tcp host 216.X.X.X eq smtp any
Inside clients will share the provider1 line for outbound.
Does this work?
With no default route (I've seen multiple diagrams in the Cisco Security Specialist Course with this) and differing providers, I am sure traffic destined for the mail or web server will get there, but will it go out the originating interface?
We do have two extra routers (2600, 1600) if necessary but we would like all the traffic to go through the pix.
No need for load balancing, just traffic from one isp devoted to Mail and traffic from the other isp devoted to Web.
Thank you,
AJ Dandrea
01-15-2002 06:03 AM
Aren't you leaving yourself open to an outage by not allowing the web and email traffic to go either way? Why not stick a router in between the ISPs and the PIX and use both links for all the traffic? This way, if one fails, the web and mail traffic can go out the other way. Seems a shame to have 99% of the solution there and not actually use it...
01-15-2002 06:33 AM
I guess here is the million-dollar question:
You have a PIX (4 interfaces)
You have a 2600 (4 Ethernet interfaces)
You have a 1600 (2 Ethernet interfaces)
Provider1 64.X.X.X /48 (DSL)
Provider2 216.X.X.X /48 (DSL)
Mail Server 64.X.X.X /24
Web Server 216.X.X.X /24
What would you suggest?
I was thinking about:
Inside ---------+
                |
DMZ ------------+-- PIX --+-- 2600 --+-- Provider1
                                     |
                                     +-- Provider2
Since the PIX is only capable of one default route:
static (dmz,outside) 172.16.10.5 192.168.1.5
static (dmz,outside) 172.16.10.6 192.168.1.6
The network between the PIX and the router is 172.16.10.X, and the router performs NAT for:
172.16.10.5 (Mail) to 64.X.X.X
172.16.10.6 (Web) to 216.X.X.X
How would one load balance between the providers on the 2600? Policy-based routing?
Thanks,
AJ
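Added example, not posted in this thread: the second design (the PIX hands everything to the 2600 over its single default route; the 2600 does the per-server NAT and policy-based routing) written out as PIX 6.x and IOS configuration. It also covers the first post's statics, with access-lists in place of the conduits. The RFC 5737 documentation blocks 198.51.100.0/24 and 203.0.113.0/24 stand in for the poster's 64.X.X.X (provider1) and 216.X.X.X (provider2); the interface names, the provider next-hop addresses, the 192.168.1.0/24 DMZ, the 172.16.20.0/24 inside subnet and the PIX global address 172.16.10.10 are all assumptions.

```cisco
! ===== PIX 515 (PIX 6.x syntax) -- assumed interface layout; fourth interface unused =====
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 172.16.10.2 255.255.255.0
ip address inside 172.16.20.1 255.255.255.0
ip address dmz 192.168.1.1 255.255.255.0
! Present the DMZ servers to the router on the PIX/router link: static (real_ifc,mapped_ifc) mapped real
static (dmz,outside) 172.16.10.5 192.168.1.5 netmask 255.255.255.255 0 0
static (dmz,outside) 172.16.10.6 192.168.1.6 netmask 255.255.255.255 0 0
! Inside clients are PATed to one address on the link (assumed 172.16.10.10); the 2600 sends it out provider1
global (outside) 1 172.16.10.10
nat (inside) 1 172.16.20.0 255.255.255.0 0 0
! Access-list instead of conduit; on PIX 6.x an outside ACL matches the mapped (global) address
access-list outside_in permit tcp any host 172.16.10.5 eq smtp
access-list outside_in permit tcp any host 172.16.10.6 eq www
access-group outside_in in interface outside
! The one default route the PIX can hold: everything not local goes to the 2600
route outside 0.0.0.0 0.0.0.0 172.16.10.1 1

! ===== 2600 router (IOS) -- assumed interface names and provider addressing =====
interface FastEthernet0/0
 description Link to PIX outside (172.16.10.0/24)
 ip address 172.16.10.1 255.255.255.0
 ip nat inside
 ip policy route-map PER-SERVER-EGRESS
!
interface Ethernet1/0
 description Provider1 DSL (198.51.100.0/24 stands in for 64.X.X.X)
 ip address 198.51.100.2 255.255.255.0
 ip nat outside
!
interface Ethernet1/1
 description Provider2 DSL (203.0.113.0/24 stands in for 216.X.X.X)
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
!
! Mail server gets a provider1 address, web server a provider2 address
ip nat inside source static 172.16.10.5 198.51.100.5
ip nat inside source static 172.16.10.6 203.0.113.6
! Inside clients (the PIX global 172.16.10.10) hide behind the provider1 interface address
access-list 103 permit ip host 172.16.10.10 any
ip nat inside source list 103 interface Ethernet1/0 overload
!
! PBR runs before inside-to-outside NAT, so it matches the PIX-side (pre-NAT) addresses
access-list 101 permit ip host 172.16.10.5 any
access-list 102 permit ip host 172.16.10.6 any
route-map PER-SERVER-EGRESS permit 10
 match ip address 101
 set ip next-hop 198.51.100.1
route-map PER-SERVER-EGRESS permit 20
 match ip address 102
 set ip next-hop 203.0.113.1
! Packets matching neither clause are routed normally, i.e. out provider1 via the default route
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
```

The route-map is what makes the split work, not the NAT statements: `ip nat inside source static` translates on whichever outside interface a packet happens to leave, so without PBR the web server's replies would follow the default route out provider1 carrying a provider2 source address, and a provider that does ingress (source-address) filtering drops exactly that. Keying the route-map on the pre-NAT 172.16.10.x addresses sends each server's replies out the link whose address block it was translated into. Inbound connections are accepted on either provider interface, since the static translations are not tied to an interface, and the PIX access-list is what limits them to SMTP and HTTP.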