887 Views, 0 Helpful, 5 Replies

Two outside interface

adelasiri
Level 1

I have a PIX with the outside interface connected to the ISP. Behind the firewall (Web interface) I am hosting the company website and webmail; the two public IPs are created in the PIX and NATted through the interface (Web) to the 192.168.1.x network. I would like to connect to a second ISP through a second interface named (IRP) with a completely different public IP network than the one I have on the outside interface, and keep my company reachable through both interfaces until I completely move to the new ISP. I have configured the new (IRP) interface and done the NATting for the Web services. The problem now is that the requests coming from the new ISP reach the server behind the PIX, but the reply seems to go back through the outside interface and does not get back to the requester. This may be because the outside interface is the default route for the Internet, given that requests coming from the ISP2 network get back successfully, as I have a route to that network on the IRP interface. So how can I force requests coming from the Internet through the IRP interface back out the same interface instead of going through outside? I thought about policy NAT but I don't know how to apply it correctly.

5 Replies

pengfang
Level 1

"The Cisco Secure PIX Firewall is designed to handle only one default route. When you connect two ISPs to a single PIX, it means that the Firewall needs to make routing decisions at a much more intelligent level."

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a0080094874.shtml

The PIX does not support 2 default gateways. Because the source IP address of your requests from ISP2 changes all the time, you cannot do it this way.

If the post helps, please rate. Thanks.

Peng

m-haddad
Level 5

PIX ver 6.x(x) does not support dual ISP. If you have PIX ver 7.0 you would be able to apply your scenario, because you will be able to use Dual ISP using IP SLA.

Below you can find a sample scenario for PIX/ASA dual ISP:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Please let me know if you need further explanation.

Appreciate your rating,

Regards,

Thank you guys for your replies.

Do you mean I cannot even think of a workaround solution like Policy NAT?

If not, is it easy to upgrade to PIX 7.0 without changing the configuration, or do I have to reconsider it?

Thanks

Hello Adel,

Even with policy NAT the PIX won't detect which ISP is down. You need the tracking option as I specified, and this requires ver 7.0.

Upgrading to ver 7.0 is not complicated at all. First you need to check your hardware requirements and then plan the upgrade. Below you can find a link to the upgrade process and what has changed from ver 6.x to ver 7.x.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708d8.shtml

Please let me know if you need anything further,

Regards,
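For readers who want to see what the "tracking option" m-haddad refers to looks like, here is an added example (not from the original thread or from the linked Cisco document) of the PIX/ASA 7.x backup-ISP configuration with SLA tracking, written from my own knowledge of the feature. The interface name `backup`, the gateway addresses 198.51.100.1 and 203.0.113.1 and the SLA/track numbers are constructed. Note that this is a failover design: only one default route is active at a time, and it moves to the backup interface when the primary gateway stops answering probes.

```cisco
! Constructed example: outside -> ISP1 (gateway 198.51.100.1),
! backup -> ISP2 (gateway 203.0.113.1). Addresses are documentation ranges.

! Probe the ISP1 gateway with ICMP echo every 10 seconds
sla monitor 123
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
!
! Track object 1 follows the reachability result of SLA 123
track 1 rtr 123 reachability
!
! Primary default route stays in the routing table only while track 1 is up
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
!
! Floating default route with a worse administrative distance;
! it is used only once the tracked route is withdrawn
route backup 0.0.0.0 0.0.0.0 203.0.113.1 254
```

Choose a probe target that is actually upstream of the link you care about (the ISP gateway or a host beyond it); probing an address that stays reachable through the other ISP would never trigger the failover. The state can be checked on the box with `show track 1` and `show route`.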

Hi,

The firewall supports only one default route through outside for the Internet, so a route-map or policy routing has to be enabled on an external interface, i.e. a router or L3 switch.

You can look at configuring the following options.

1. Enabling a route-map on the core switch which will provide routes to the respective ISP.

2. If you have both ISP links terminated on the same router, enabling the route-map on the router itself.

3. NATting the IP address between ISPs in the router (possible, but troubleshooting becomes complicated).

4. If you have two individual routers for the two ISPs, you could run HSRP across the routers and have the firewall's default route point to the HSRP virtual address. Then add a policy route in both routers (based on source IP address) to route traffic between the ISPs.

Hope this helps.

Regd

Ravi
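To make Ravi's option 2 concrete, here is an added example (mine, not from the thread) of the IOS policy-routing configuration on an upstream router that terminates both ISP links while the firewall keeps its single default route toward that router. The interface names, the firewall outside address 192.0.2.2, the ISP next hops 198.51.100.1 and 203.0.113.1, and the two public server addresses 198.51.100.10 and 203.0.113.10 (the firewall's NAT addresses for the web server, one per ISP) are all constructed. The route-map keys on the *source* address of traffic leaving the firewall, which is exactly the information that tells the router which ISP the request arrived from.

```cisco
! Constructed example: Gi0/0 -> ISP1, Gi0/1 -> ISP2, Gi0/2 -> firewall outside.
ip cef
!
! Normal default route: ISP1. The firewall itself only ever sees this router.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Inbound: both public server addresses live behind the firewall's outside IP
ip route 198.51.100.10 255.255.255.255 192.0.2.2
ip route 203.0.113.10 255.255.255.255 192.0.2.2
!
! Outbound (return) traffic is classified by the public source address
ip access-list extended VIA-ISP2
 permit ip host 203.0.113.10 any
ip access-list extended VIA-ISP1
 permit ip host 198.51.100.10 any
!
! Replies sourced from the ISP2 address are handed to the ISP2 gateway,
! replies sourced from the ISP1 address to the ISP1 gateway; anything else
! falls through to the routing table (the default via ISP1).
route-map RETURN-PATH permit 10
 match ip address VIA-ISP2
 set ip next-hop 203.0.113.1
route-map RETURN-PATH permit 20
 match ip address VIA-ISP1
 set ip next-hop 198.51.100.1
!
interface GigabitEthernet0/2
 description to firewall outside
 ip address 192.0.2.1 255.255.255.252
 ip policy route-map RETURN-PATH
```

Policy routing is applied to packets arriving on the interface where `ip policy route-map` is configured, so it belongs on the firewall-facing interface, not on the ISP links. Each ISP typically filters packets whose source address is not from its own block, which is why the classification has to be by source address and why a request that came in via ISP2 but left via ISP1 (the symptom in the original question) is dropped upstream.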
