You should connect each provider to specify zone then use them, unfortunately there isn't any load balance at the PIX so you should balance your inside internet usage traffic through NAT, it means NAT half of your network through provider1 and rest of network by provider2

for example :

nameif ethernet0 outside security0

nameif ethernet2 outside2 security5

nameif ethernet1 inside security100

ip address outside 100.100.100.10 255.255.255.0

ip address outside2 200.200.200.20 255.255.255.0

ip address inside 172.16.1.1 255.255.255.0

nat (inside) 1 172.16.1.0 255.255.255.128

nat (inside) 2 172.16.1.128 255.255.255.128

global (outside) 1 interface

global (outside2) 1 interface

Regards,

Mehrdad

Thanks,

is there any problem broadcust, multicust or igmp problem from one outside network to other outside network? i dont want any packet come and go from one outside to other outside.

first of all, i had miss type at last reply please correct it : global (outside2) 2 interface

in fact there isn't any facilities to implement source routing at pix software except version 7.x that i'm not sure, in order to specify the route that a packet should take through the network (for two default gateways from two ISPs) so if you have perimeter router at your network that is connected to ISPs we can implement your situation as below :

LAN---PIX---Router--{two connections ISP1 ISP2}

PIX :

nameif ethernet0 outside security0

nameif ethernet1 inside security100

ip address outside 192.168.100.1 255.255.255.252

ip address inside 172.16.1.1 255.255.255.0

nat (inside) 1 172.16.1.0 255.255.255.128

nat (inside) 2 172.16.1.128 255.255.255.128

global (outside) 1 100.100.100.10 netmask 255.255.255.255

global (outside2) 2 200.200.200.20 netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0 192.168.100.2

Router :

interface FastEthernet0/0

description connected to PIX

ip address 192.168.100.2 255.255.255.252

ip policy route-map providers

access-list 130 permit ip host 100.100.100.10 any

access-list 131 permit ip host 200.200.200.20 any

route-map providers permit 130

match ip address 130

set ip next-hop ISP1

route-map providers permit 131

match ip address 131

set ip next-hop ISP2

ip router 100.100.100.10 255.255.255.255 192.168.100.1

ip router 200.200.200.20 255.255.255.255 192.168.100.1

In this scenario half of your network go through one ISP (send/receive from same ISP) and rest of the network from another ISP.

hope this help

Regards,

Mehrdad Arshad Rad

Thanks to all for ur soluation,

actually i am not clear of my quistion, sorry for that.

what i really want,

two different internet configured in one pix firewall. (four eth port)

all local user have no access to internet. i don't need any DMZ.

only three static entry is mail, www and proxy.

users only access to this three server.

"Both internet must not communicate or send any packet to each other"

So, Possiable?

Thanks to all for ur soluation,

actually i am not clear of my quistion, sorry for that.

what i really want,

two different internet configured in one pix firewall. (four eth port)

all local user have no access to internet. i don't need any DMZ.

only three static entry is mail, www and proxy.

users only access to this three server.

"Both internet must not communicate or send any packet to each other"

So, Possiable with VLAN?

And Do anybody know how to start a new conversation....?

Sorry, Just curious.. Is there a posibility if we connected to two ISPs, an auto failover can be done if you have configured a static load balance?

Thanks to all for ur soluation,

actually i am not clear of my quistion, sorry for that.

what i really want,

two different internet configured in one pix firewall. (four eth port)

all local user have no access to internet. i don't need any DMZ.

only three static entry is mail, www and proxy.

users only access to this three server.

"Both internet must not communicate or send any packet to each other"

So, Possiable?

And Do anybody know how to start a new conversation....?