pix - secondary Ip's? Nameserver?

whaller
Level 1

Can any pix models support multiple IP's on the outside interface? I'm looking to have two different ISP feeds and want to enable a primary and secondary vpn tunnel.

NOTE: I noticed an earlier conversation pointed out that with version 6.3 and above VLAN and logical interfaces are now supported. Hence the first part of my question is answered.

Does the PIX support DNS lookup? Example:

ping http://www.cisco.com vs ping 198.133.219.25

ehirsel
Level 6

I do not believe that the pix supports dns lookup. You can use the names and name commands to make acls more meaningful but that is not the same as acting like a dns client. So you won't be able to do a ping www.cisco.com from the pix cli.

With regard to your note about logical interfaces, keep in mind that that is not the same as specifying multiple ip addresses on the same logical interface, à la ios secondary ip addressing. So you can have multiple isp feeds and multiple vpn tunnels, but due to the ASA you cannot have traffic change interfaces mid-stream.

In order to accomplish vpn resiliency thru a pix, you may have to terminate the isp connections and the vpn tunnels on a router in front of the pix. Then you configure a router-to-pix lan connection to allow the pix to do stateful firewalling functions. It will make your pix config easier as it can do the nat'ing, and your router can handle the isp routing and the vpn functions.

One note about separate isp feeds:

If you have servers that you expect to be seen and accessed by external/internet users outside of the vpn connections (such as mail, ftp, web), unless the router will do the nat'ing you may have to allow isp a to accept connections using destination addresses handed out by isp b. That is say isp allocates a public block for server addressability, you would need to have isp b accept that block and route it to your gw, or you will have to have two sets of public addresses for each server, one from isp a and one from isp b.

Let me know if you need more help.
