12-15-2006 04:15 AM - edited 03-11-2019 02:09 AM
I have a PIX with the outside interface connected to the ISP; behind the firewall (Web interface) I am hosting the company website and webmail. The two public IPs are created in the PIX and NATed through the interface (Web) to the 192.168.1.x network. I would like to connect to a second ISP through a second interface named (IRP), with a completely different public IP network from the one I have at the outside interface, and keep my company reachable through both interfaces until I completely move to the new ISP. I have configured the new (IRP) interface and done the NATing for the web services; the problem now is that the requests coming from the new ISP reach the server behind the PIX, but the reply seems to go back through the outside interface and does not get back to the requester. This may be because the outside interface is the default route for the Internet, given that requests coming from the ISP2 network get back successfully, as I have a route to that network on the IRP interface. So how can I force requests coming from the Internet through the IRP interface back out the same interface instead of going through outside? I thought about policy NATing, but I don't know how to apply it correctly.
12-21-2006 09:49 AM
"The Cisco Secure PIX Firewall is designed to handle only one default route. When you connect two ISPs to a single PIX, it means that the Firewall needs to make routing decisions at a much more intelligent level."
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a0080094874.shtml
The PIX does not support 2 default gateways. Because the source IP address of your requests from ISP2 changes all the time, you cannot do it this way.
If the post helps, please rate, thanks.
Peng
12-21-2006 11:40 AM
PIX ver 6.x(x) does not support dual ISP. If you have PIX ver 7.0 you would be able to apply your scenario, because you will be able to use Dual ISP with IP SLA.
Below you can find a sample scenario for PIX/ASA dual ISP
Please let me know if you need further explanation,
Appreciate your rating,
Regards,
12-22-2006 03:32 AM
Thank you guys for your replies,
Do you mean I cannot even think of a workaround solution like Policy NAT?
If not, is it easy to upgrade to PIX 7.0 without changing the configuration, or should I reconsider it?
Thanks
12-22-2006 08:58 AM
Hello Adel,
Even with policy NAT the PIX won't detect which ISP is down. You need the tracking option as I specified and this requires Ver 7.0.
Upgrading to ver 7.0 is not complicated at all. First you need to check your hardware requirements and then plan the upgrade. Below you can find a link to the upgrade process and what has changed from ver 6.x to ver 7.x.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708d8.shtml
Please let me know if you need anything further,
Regards,
12-29-2006 08:48 PM
Hi,
The firewall supports only one default route through outside for Internet, so a route-map or policy routing has to be enabled on an external device, i.e. a router or L3 switch.
You can look at configuring the following options.
1. Enabling a route-map on the core switch which will provide routes to the respective ISP.
2. If you have both ISP links terminating on the same router, enabling the route-map on the router itself.
3. NATing the IP address between ISPs in the router (possible, but troubleshooting becomes complicated).
4. If you have two individual routers for the two ISPs, you could run HSRP across the routers and have the firewall's default route point to the HSRP virtual address. Then add a policy route in both routers (based on source IP address) to route traffic between the ISPs.
Hope this helps.
Regd
Ravi
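The source-based policy routing from options 2 and 4 above, written out as an added example (not from this thread or from Cisco). It assumes a single IOS router terminating both ISP links, the PIX default route pointing at that router, and both public blocks being translated on the PIX outside interface; all addresses are placeholder documentation ranges, and the interface name is assumed.

```cisco
! Added example, not from the thread. Assumed (placeholder) addressing:
!   ISP1 public block (existing PIX outside statics): 192.0.2.0/24, gateway 192.0.2.1
!   ISP2 public block (new statics):                  198.51.100.0/24, gateway 198.51.100.1
!   Router-to-PIX segment: 203.0.113.0/29, router .1, PIX outside .2
!
! Replies from hosts translated to ISP2 addresses are recognised by their
! source address and forced to the ISP2 next hop; everything else follows
! the router's normal default route via ISP1.
ip access-list extended FROM-ISP2-PUBLIC
 permit ip 198.51.100.0 0.0.0.255 any
!
route-map TO-ISP2 permit 10
 match ip address FROM-ISP2-PUBLIC
 set ip next-hop 198.51.100.1
!
! Default path stays with ISP1 (the only default route in the design).
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! Inbound traffic for either public block is sent to the PIX outside address.
ip route 192.0.2.0 255.255.255.0 203.0.113.2
ip route 198.51.100.0 255.255.255.0 203.0.113.2
!
! Apply the policy on the interface facing the PIX, where the replies arrive.
! (Interface name assumed.)
interface FastEthernet0/0
 description to PIX outside
 ip address 203.0.113.1 255.255.255.248
 ip policy route-map TO-ISP2
```

Because the PIX only ever sees one default route (toward this router), the asymmetric-return problem described in the first post is decided on the router rather than on the firewall; `show route-map TO-ISP2` shows whether the policy is matching reply packets.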