Re: pix firewall to connect 2 isp

jccsrc · ‎10-05-2004

is it possible to connect two isp in single pix firewall?. we want to use isp1 for web server and isp2 for proxy server. thanks

nambale · ‎10-05-2004

yes that's possible.for ISP1 make a static with ISP1's address to yor webserver and a static with ISP2's ip address pointing to your proxy server.

jccsrc · ‎10-05-2004

any idea how to connect the 2 internet connection to the pix interface.,I already tried to use two interface one for each isp but it didn't work because the pix can only handle one default gateway..any help..thanks

ggozzi · ‎10-09-2004

For me is not possible;

I think is better put an exernal router and do policy routing.

Another way is put a FW load balancer

ibrunello · ‎10-09-2004

Completely agree.

Having a single default gateway prevent PIX to do policy routing. Better leave such work to a specialized device (a router), and let PIX do its work (firewalling).

lr.moore · ‎10-09-2004

If you have a router out in front of the PIX, you can setup WWW server with static NAT, Proxy with static nat. Use policy routing on the router so that packets sourced nat1 (WWW) go to ISP1, nat2 (proxy) go to ISP2

You can only do it on a router, not on the pix

jccsrc · ‎10-17-2004

Yes, I did installed outside router with 3 ethernet interface. fa0/0 connected to pix outside interface and fa0/1 connected to dsl1 while fa1/0 to dsl2. I configured NAT on the router to translate www inside ip to public ip same thing in proxy server...and configured ip policy route-map dsl1 on fa0/1 and ip policy route-map dsl2 on fa1/0,

then:

access-list 101 permit ip host (proxy public ip) any

access-list 102 permit ip host (www public ip) any

route-map dsl2 permit 10

match ip address 102

set ip default next-hop (dsl2 IP)

route-map dsl1 permit 10

match ip address 101

set ip default next-hop (dsl1 IP)

but it didn't work router is not forwarding the packets to the gateway. I tried to add default route 0.0.0.0 0.0.0.0 (dsl1 ip), only proxy server is working..