PIX Configuration for Multiple ISPs<------does it work?

ajd
Level 1

I have a client with multiple ISPs who would like to host web internally (off one isp) and mail internally (off the other isp).

DMZ
(Mail)172.16.11.1 /24-------+
(WWW)172.16.11.2 /24        |
                            |
Inside 172.16.10.X /24----PIX 515----+(provider1)
                                     |
                                     |
                                     +--------+ (provider2)

provider1 = 216.X.X.X /48

provider2 = 64.X.X.X /48

The ISPs are both DSL (Ethernet).

The PIX has four interfaces.

With no default route.

static (dmz,provider1) 216.X.X.X 172.16.11.1 netmask 255.255.255.255 0 0
static (dmz,provider2) 64.X.X.X 172.16.11.2 netmask 255.255.255.255 0 0
conduit permit tcp host 64.X.X.X eq www any
conduit permit tcp host 216.X.X.X eq smtp any

Inside clients will share the provider1 line for outbound.

Does this work?

With no default route (I've seen multiple diagrams in the Cisco Security Specialist Course with this) and differing providers, I am sure traffic destined for the mail or web will get there, but will it go out the originating interface?

We do have two extra routers (2600, 1600) if necessary but we would like all the traffic to go through the pix.

No need for load balancing, just traffic from one isp devoted to Mail and traffic from the other isp devoted to Web.

Thank you,

AJ Dandrea

2 Replies

jwitherell
Level 1

Aren't you leaving yourself open for an outage by not allowing the web and email traffic to go either way? Why not stick a router in between the ISPs and the PIX and use both links for all the traffic? This way, if one fails, the web and mail traffic can go out the other way. Seems a shame to have 99% of the solution there, and not actually use it...

I guess here is the million dollar question..

You have a PIX 4/Interface

You have a 2600 4/Interface (ethernet)

You have a 1600 2/Interface (ethernet)

Provider1 64.X.X.X /48 (dsl)

Provider2 216.X.X.X /48 (dsl)

Mail Server 64.X.X.X /24

Web Server 216.X.X.X /24

What would you suggest?

I was thinking about:

Inside---------+
           |
DMZ--------+--PIX--+--2600--+Provider1
                   |
                   +----+Provider2

Since the PIX is only capable of 1 default route

static (dmz,outside) 172.16.10.5 192.168.1.5
static (dmz,outside) 172.16.10.6 192.168.1.6

the network between the pix/router 172.16.10.X

and have the router perform NAT for:

172.16.10.5 (Mail) to 64.X.X.X

172.16.10.6 (Web) to 216.X.X.X

How would one load balance between the providers on the 2600, policy based routing?

Thanks,

AJ
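One way to do the source-based policy routing the post asks about on the 2600, as an added example that is not from the thread or from Cisco: each published server's traffic is pinned to the ISP that owns its public address, so replies leave on the link the request arrived on, while ordinary outbound traffic follows the single default route. Interface names, the /29 masks, the gateway addresses (written as .1 of each block) and the router's own addresses (.2) are assumptions; the 64.X.X.X and 216.X.X.X blocks are left as the thread gives them.

```cisco
! Assumed: FastEthernet0/0 faces the PIX outside network 172.16.10.0/24,
! Ethernet0/0 faces provider1 (mail block 64.X.X.X), Ethernet0/1 faces
! provider2 (web block 216.X.X.X). Replace the X placeholders with the
! real addresses from the thread.
interface FastEthernet0/0
 ip address 172.16.10.1 255.255.255.0
 ip nat inside
 ip policy route-map SPLIT-ISP
!
interface Ethernet0/0
 description provider1 (mail)
 ip address 64.X.X.2 255.255.255.248
 ip nat outside
!
interface Ethernet0/1
 description provider2 (web)
 ip address 216.X.X.2 255.255.255.248
 ip nat outside
!
! One-to-one NAT for the two servers the PIX already publishes as
! 172.16.10.5 (mail) and 172.16.10.6 (web) on its outside interface.
ip nat inside source static 172.16.10.5 64.X.X.3
ip nat inside source static 172.16.10.6 216.X.X.3
!
! Inside clients and anything unmatched below use provider1.
ip route 0.0.0.0 0.0.0.0 64.X.X.1
!
! Match on the pre-NAT source: for inside-to-outside packets the router
! makes the routing/PBR decision before it translates the source.
access-list 101 permit ip host 172.16.10.5 any
access-list 102 permit ip host 172.16.10.6 any
!
route-map SPLIT-ISP permit 10
 match ip address 101
 set ip next-hop 64.X.X.1
!
route-map SPLIT-ISP permit 20
 match ip address 102
 set ip next-hop 216.X.X.1
!
! Packets that match neither ACL fall through and use the routing table.
```

Verify the path with `show route-map SPLIT-ISP` (policy matches counted per sequence) and `show ip nat translations` after hitting each server from outside; a reply leaving on the wrong provider will show as a match on the wrong sequence.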
