Re: two gateways in a PIX

lmgil · ‎06-06-2005

Hi all,

I would like to have two wan routers in the outside network of my pix, and perform a basic polic based routing, I mean, depends on what IP is going to the internet, the router send the packets to one default router or to another.

Is that config possible ??

Regards,

Luis Miguel.

PHILIP DAMIAN-GRINT · ‎06-06-2005

It is about the only way you can use a single pix (or failover bundle) to handle two internet connections each with their own IP allocation.

The main issue to be resolved is not the outbound policy routing, mapping IP to correct ISP, which is straight forward, but the detection and handling of the various points of failure.

I set up two 2600 with 3 interfaces each:

Inside interfaces presenting a single IP via HSRP, tracking the ISP interfaces.

Router-router interfaces running an IGP routing protocol

ISP-facing interfaces which need to be directly connected to the ISP router if you want to detect interface down.

Its not very elegant, so I waited for PIX 7 because I was told that it would be able to support policy routing, but it was not so :(

johansens · ‎06-14-2005

Regarding the detection of failure...

Check this page:

http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a0080211f5c.shtml

If you run a routing-protocol against the ISP's it's even easier.. you don't have to do ping-tests.. :)

I haven't seen any policy-routing in the PIX either..

v7.0 has ECMP support for up to 3 equal-cost gateways, but they are just load-balanced and has to be on the same interface.

a.alekseev · ‎06-06-2005

yes, it's possible.

lmgil · ‎06-07-2005

Can you clarify how ?

a.alekseev · ‎06-19-2005

isp1-------R1----.2------|

| |

| HSRP .1 |---------.4-PIX------

| |

isp2-------R2----.3------|

you can run OSPF between R1,R2,PIX or use default route to HSRP-ip-addreess

odd inside hosts will be translated to ISP1 address space

nat(inside) 1 0.0.0.1 0.0.0.1

global(outside) 1 ISP1-ip-address

even inside hosts will be translated to ISP2 address space

nat(inside) 2 0.0.0.0 0.0.0.1

global(outside) 2 ISP2-ip-address

on R1, R2 you must have policy-routing.

david-wood · ‎06-20-2005

Hi Luis,

I'm no PIX expert, but I believe you can achieve what you are refering to by using Policy NAT.

See the last config example called "Use Policy NAT" in the following URL.

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a008046f31a.shtml

You may also have a LOT more flexibility determining which local IP ranges to use in your policy decisions with PIX OS v7.0.

Cheers,

Dave.