
PIX OSPF problem

alexr
Level 1

Hello all,

I have 2 links from different ISPs with different public IP ranges. Both links are connected to a 2821XM router via serial interfaces. Both router Ethernet interfaces are assigned public IP addresses (ISP1 and ISP2 respectively). The default route on the router points to ISP1, and a route-map applied to the Ethernet2 interface points to ISP2.

I have a PIX 515E 6.3(1) running as the IPSEC tunnel termination and default gateway for internal hosts. With ISP1 everything is working fine (when I am using the global IP range from ISP1). The default route on the PIX points to router interface1 (the PIX outside interface (ISP1 public IP) and router interface1 ISP1 sit in the same VLAN).

PIX outside1 (ISP2) sits in the same VLAN as router interface 2 ISP2.

As far as I know, the PIX cannot handle more than 1 default route: route outside 0.0.0.0 0.0.0.0 ISP1_router 1

I succeeded in creating

route outside1 0.0.0.0 0.0.0.0 ISP2_router 2

I checked with the Cisco VPN client that the new interface handles IPSEC correctly.

I have an issue making load-balancing work for internal hosts. After reading this forum I found that the PIX will support 3 default routes only in version 7.0 (correct me if I am mistaken). So the only solution is to implement OSPF routing.

1. Do I need to enable OSPF on the border router only for the ISP2 public IP range?

2. On the PIX, do I need to enable OSPF only on interface outside1?

I am not very familiar with configurations like this. I have never configured them on a PIX.

Could someone help me with this configuration? Maybe someone has implemented this on their network.

Please help me with this issue.

Thanks

3 Replies

ehirsel
Level 6

Even if the PIX can handle more than one default route, I'm not sure that the traffic can be split over two different interfaces - the PIX ASA may wind up blocking traffic that was originally sent over one link from flowing over the other link.

Since both of your ISP connections terminate on the same router, you may be better off if you use one subnet and one link between the 2821 and the PIX (using private, not public, IP addresses), and getting with your providers to see if one can handle routing the other's public subnet given to you.

I do not know if the PIX v7 code can handle Ethernet channeling, but I believe you are better off running OSPF on the 2821 and having the providers come to an agreement about passing your routes properly.

This way your PIX config is simpler to maintain, and you do not have to worry about running complex routing protocols on the PIX.

Let me know if this is of any help.

a.alekseev
Level 7

For load balancing you can use policy routing on the 2821XM.

Select two IP addresses, one from ISP1, the second from ISP2.

On the PIX, translate odd addresses to the IP address from ISP1, even addresses to the IP address from ISP2.

On the 2821XM, add two static routes for those two addresses.

Hello, thanks for your reply

I have policy routing on the 2821XM, attached to the ISP2 interface. If I change the default route on the PIX from pointing to ISP1 to ISP2, everything works fine with global to ISP2, but global to ISP1 stops working. Even VPN is working with the default route to ISP1; I have already moved several companies to the new link.

I did not understand correctly about odd IP addresses and even IP addresses.

Could you give me some examples?

Thanks a lot.
