Two ISP links terminating on single pix firewall

Shobith K
Level 1

Customer has a PIX firewall with 5 interfaces.

They have 2 internet links which are terminating on two separate routers.

From the routers the links have to be terminated on different interfaces of the PIX.

He wants to use one interface for normal internet purposes and the other one for the Remote Access VPN. He wants the second link to be utilised when remote users connect to the PIX using the VPN client.

Please check this link for the network diagram:

http://www.shobithk.id.au

Can this be done? If it can, please guide me on how to do this.


cfenegan
Level 1

Hello,

You may run into routing issues. If you dedicate one interface for Internet access then that interface should have the default route. If your VPN clients are coming in on the second interface from anywhere, then for the ISAKMP negotiation to succeed that interface must have a route back to those clients. Unless you can specify the VPN client's source addresses in the routing table for the second interface, the PIX will route replies via the other interface and the negotiation will fail.

Lan to Lan tunneling will be Ok as the remote end point will have a static address and a host route can be added to your second interface's routing table.

Hope this helps.

Clive

Hi,

Thanks for looking into the issue.

For remote users to connect to the VPN I have given a pool of addresses in the firewall. Remote VPN users will get their IP address from this pool.

Will it work if I give a route to that particular network through the second interface, since the VPN clients will get their IP addresses from that network?

shobith

Unfortunately, it still won't work. The reason is that the IPsec traffic needs to be routed back to your remote client's ISP IP, and since that IP could be anything, there's no way to put host entries in for those.

That said, we utilize two circuits at our location. Both terminate at our edge router and we use BGP to separate VPN traffic from WWW traffic. Inbound VPN comes through one circuit, and inbound WWW through the other. All outbound traffic from us goes through the same circuit due to the default route in the PIX. For us it works well because outbound VPN is much heavier than outbound WWW (WWW is typically just the website requests).

j.contreras
Level 1

Hi,

One way of doing it is with Policy Based Routing (PBR) configured externally on a router "in front" of the PIX.

The router can be an 831, for example, if the bandwidth is not too big.

With PBR you can make statements like: "all ESP plus UDP 500 and 4500 (IPsec) goes to this router, and all the rest of the traffic goes to the default route." Unfortunately the PIX does not support PBR functionality (although it has route maps for OSPF route distribution, they cannot be used for PBR).

Let me know if you want an example config.

Regards.
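An added illustration of the PBR approach described in this reply (an example written for this page, not a config posted by the author): an IOS router sits between the PIX outside interface and both ISP links, and policy routes the PIX's outbound IKE (UDP 500), NAT-T (UDP 4500) and ESP traffic to the ISP2 next hop while everything else follows the default route. All addresses, interface names and next hops are assumed for the example (documentation ranges); the PIX's VPN peer address still has to be reachable from the Internet through ISP2.

```ios
! Assumed addressing (constructed for this example, not from the thread):
!   Fa0/0 192.0.2.1/30  -> PIX outside interface is 192.0.2.2
!   Fa0/1 198.51.100.2/30 -> ISP2 (VPN link), ISP2 next hop 198.51.100.1
!   Fa0/2 203.0.113.2/30 -> ISP1 (Internet link), ISP1 next hop 203.0.113.1
!
! Classify only the IPsec control and data traffic sourced by the PIX.
ip access-list extended VPN-TRAFFIC
 remark IKE (UDP 500), NAT-T (UDP 4500) and ESP leaving the PIX
 permit udp host 192.0.2.2 eq 500 any
 permit udp host 192.0.2.2 eq 4500 any
 permit esp host 192.0.2.2 any
!
! Sequence 10: IPsec traffic is forced to the ISP2 next hop.
route-map PBR-VPN permit 10
 match ip address VPN-TRAFFIC
 set ip next-hop 198.51.100.1
!
! Sequence 20: no "set" clause, so all other traffic uses the routing table.
route-map PBR-VPN permit 20
!
! PBR is applied on the interface that receives packets from the PIX.
interface FastEthernet0/0
 description Link to PIX outside interface
 ip address 192.0.2.1 255.255.255.252
 ip policy route-map PBR-VPN
!
interface FastEthernet0/1
 description ISP2 - VPN link
 ip address 198.51.100.2 255.255.255.252
!
interface FastEthernet0/2
 description ISP1 - Internet link
 ip address 203.0.113.2 255.255.255.252
!
! Default route for ordinary Internet traffic goes out via ISP1.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

`show route-map PBR-VPN` displays per-sequence match counters, which is the quickest way to confirm that IKE and ESP packets are hitting sequence 10 rather than falling through to the default route.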
