Re: Securing 2 Internet links with 1 PIX

tech · ‎05-14-2004

I have 2 Internet connections via 2 different routers and 2 different ISPs. One is significantly faster than the other. I would like to setup the faster link to be the primary Internet connection and then autmotically failover to the slower link when the primary is down.

I have a PIX 515. Can I protect both links with the same PIX or do I need another PIX? Do I need to run BGP also?

I suppose that BGP would be helpful in that even though one link is faster than the other, the slower link could have a better least cost route to certain sites. The only problem I see with that is if I need to download large (100 MB+) files. I would always want to use the fast link in that case.

Any suggestions and/or links will be appreciated.

Thanks,

RJ

rohit_s · ‎05-14-2004

Do you want to directly terminate the links on Firewall or on router. If you terminate on PIX then try this solution:-

Terminate the primary link on Outside and other on say DMZ port with different security level.

Put default route for outside and another default route for DMZ with higher metric. So in case primary link goes down, packet will be transmitted through backup link. But be sure to clear the xlate translations when shifting to backup link and vice versa. Configure the NAT(inside),global(outside) and global(dmz) commands for NAT.

Hope this should work.

Thanks

Rohit

sachin · ‎05-15-2004

You cann't have two default route on PIX and the metric Specify the number of hops to gateway_ip.