PIX using multiple ISPs with full server redundancy

ccarter
Level 1

What we’d like to know is the basic outline for performing redundancy of internet services with multiple ISPs through the PIX… (PIX-515E-FO-FE)

What we need to be able to configure is as follows:

SMTP inbound server A DMZ = 192.168.1.1

SMTP inbound server B DMZ = 192.168.1.2

SMTP outbound server A DMZ = 192.168.1.11

SMTP outbound server B DMZ = 192.168.1.12

Public ISP A SMTP address = 10.10.10.1

Public ISP B SMTP address = 10.10.20.1

Public ISP C SMTP address = 10.10.30.1

For incoming connections MX records will be configured for each ISP’s Public IP address of equal priority.

We need inbound traffic flow as follows:

Public ISP A SMTP --> load balanced SMTP inbound servers A + B

Public ISP B SMTP --> load balanced SMTP inbound servers A + B

Public ISP C SMTP --> load balanced SMTP inbound servers A + B

(If an inbound SMTP server is unavailable only use the available server)

We need outbound traffic flow as follows:

SMTP outbound server A --> load balanced Public ISP A + B + C

SMTP outbound server B --> load balanced Public ISP A + B + C

(If an outbound ISP is unavailable only use the available outbound ISPs)

We are currently doing this with a single Stonegate cluster firewall with excellent results; however, we need to know if this is also possible with a PIX firewall before we implement the PIXes in a regional head office and plan for migration of our current head office.

Any insight would be appreciated.

6 Replies

a.alekseev
Level 7

it's impossible on a pix...

There must be some way around it, if other Firewalls are capable of doing this then surely Cisco must be heading down a similar path. The stonegate firewall even sends a SYN packet out each internet connection for each new session and then uses the internet circuit with the fastest ACK response time for that particular session.

It’s quite embarrassing as a systems analyst to have to inform a customer that the PIX cannot perform the operations of similarly priced devices. Highest availability is of the utmost importance and we must be able to operate even when two or more devices on different levels fail (i.e. 1 x ISP, 1 x PIX, 1 x SMTP server).

We have also asked the question of Cisco tech support but we feel we are going to receive the same response.

tbissett
Level 1

Just a thought in my head...

You can do what you want inbound to the PIX by setting up the appropriate NAT translations on the PIX, then adding some static routes into your Internet router to point the three different IP ranges towards your PIX.

Going outbound, the PIX can have only one default route which typically points to your Internet router (or the HSRP address if you have more than one Inet router), so you would have to perform the balancing at the router and not on the PIX itself. If you have multiple routers, the situation gets a little bit more tricky.

We implemented multiple ISP redundancy by doing BGP on our Internet routers, with both ISPs routing the same IP address space. Traffic balances fairly well on its own. Don't know if that is possible in your environment or not.
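The inbound half of the approach above, written out as an added example (this is not configuration from anyone in the thread). It uses PIX 6.x syntax and keeps the addresses from the original question as given; the 10.10.x.1 "public" addresses are placeholders, and the router/PIX transit addresses 203.0.113.1 and 203.0.113.2, the outbound mapped addresses 10.10.10.11 and 10.10.10.12, and the interface name "dmz" are assumptions. Note the limitation a PIX static imposes: each public address translates to exactly one DMZ server, so the "A + B" spread per ISP has to come from the equal-priority MX records, not from the PIX.

```text
! --- PIX 515E (6.x syntax), added example, not from the original post ---
! Assumed: interface "outside" faces the Internet router at 203.0.113.1,
! the PIX outside address is 203.0.113.2, the mail DMZ interface is "dmz".
! One-to-one statics: ISP A and ISP C land on inbound server A, ISP B on
! inbound server B. If a server is down, its MX entries simply fail and
! senders retry the other equal-priority MX.
static (dmz,outside) 10.10.10.1 192.168.1.1 netmask 255.255.255.255 0 0
static (dmz,outside) 10.10.20.1 192.168.1.2 netmask 255.255.255.255 0 0
static (dmz,outside) 10.10.30.1 192.168.1.1 netmask 255.255.255.255 0 0
! Expose nothing but SMTP on those addresses.
access-list outside_in permit tcp any host 10.10.10.1 eq smtp
access-list outside_in permit tcp any host 10.10.20.1 eq smtp
access-list outside_in permit tcp any host 10.10.30.1 eq smtp
access-group outside_in in interface outside
! Outbound servers get fixed source addresses (assumed, from ISP A's block)
! so reverse DNS stays consistent; the PIX keeps a single default route.
static (dmz,outside) 10.10.10.11 192.168.1.11 netmask 255.255.255.255 0 0
static (dmz,outside) 10.10.10.12 192.168.1.12 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! --- Internet router (IOS), added example ---
! Send all three provider ranges to the PIX outside address so that mail
! arriving via any ISP reaches the firewall.
ip route 10.10.10.0 255.255.255.0 203.0.113.2
ip route 10.10.20.0 255.255.255.0 203.0.113.2
ip route 10.10.30.0 255.255.255.0 203.0.113.2
```

To confirm the translations are live, `show xlate` on the PIX should list the five static entries, and `show conn` should show inbound port 25 connections to 192.168.1.1 and 192.168.1.2 arriving on each of the three public addresses. Which ISP a given outbound session leaves through is still decided by the router, exactly as the post says.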

tbissett,

how does your PIX behave when the outbound traffic goes out via one ISP router but the return comes back via the other ISP router... any IP spoofing errors with different MACs?

donlon
Level 1

For outbound traffic, some redundancy can be achieved by using OSPF and having the routers send a default route to the PIX (which is also running OSPF). When I set it up in my lab it didn't load balance; however, when one of the routers' external links went down, that router did stop sending the route to the PIX. If that was the default route the PIX had been using, it then shifted over to the other router's default route.
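The OSPF arrangement described above, as an added example rather than the poster's lab configuration. It assumes PIX 6.3 (the first PIX release with OSPF), a shared transit subnet 203.0.113.0/24 between the two routers and the PIX, and that each router's default route is a static whose next hop (198.51.100.1 and 198.51.100.5, assumed) sits on the provider link; when that link drops, the static disappears from the routing table, `default-information originate` stops advertising, and the PIX loses that candidate default.

```text
! --- Internet router A (IOS), added example ---
! Default via ISP A; the static is removed if the ISP-facing link goes down,
! which in turn withdraws the OSPF default from the PIX.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
router ospf 1
 network 203.0.113.0 0.0.0.255 area 0
 default-information originate

! --- Internet router B (IOS), added example ---
ip route 0.0.0.0 0.0.0.0 198.51.100.5
router ospf 1
 network 203.0.113.0 0.0.0.255 area 0
 default-information originate

! --- PIX 6.3, added example ---
! The PIX takes part in area 0 on its outside interface only and learns a
! default (O*E2) from whichever router is still originating one. The
! static "route outside 0.0.0.0 0.0.0.0 ..." line must be absent, or it
! will always win over the OSPF-learned default.
router ospf 1
 network 203.0.113.0 255.255.255.0 area 0
```

Check with `show ospf neighbor` on the PIX (both routers should be FULL) and `show route`: with both links up you see one O*E2 default, and after shutting the ISP A link in the lab it should be replaced by the default pointing at router B. The inbound statics still need the three provider ranges routed to the PIX on both routers, either as static routes or by redistribution, since OSPF here only carries the default.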

ehirsel
Level 6

One important point about the pix and multiple service providers that you need to understand is that you want the pix to use the same interface (physical or logical) to connect to all providers.

That is, you do not want the topology to be such that the PIX uses one interface to connect to ISP A, and another to connect to ISP B.

Another consideration is public addresses: If you cannot get isp b to accept route advertisements from your pix for addresses handed out by isp a, and vice versa, then you may need to do either of the following:

A. Have your ISP perform a NAT on their upstream router (the one that is closest to your PIX) that handles converting their public address to a common address (such as one set of public addresses) that your PIX will recognize and which will convert from that common one to the true address of your internal servers. This is not the same as a route exchange, since the router doing the NAT will not advertise that common address into the provider's IGRP.

B. Have a router behind your PIX that does the same thing. This applies only if you have such a similar device already present in your topology.

All things considered, it is easier to use one set of addresses, and allow that address to be reachable by both providers.

Let me know if you need any more assistance.
