How-to Config Pix 515E for 2 outside internet connections

tim_shunn
Level 1

I have a PIX 515E with only two interfaces, an inside and an outside, but I need to connect two T1 internet connections on different subnets to the outside interface. I have a Cisco 3550 switch on the outside between the routers and the PIX. I've been told to use HSRP on the 3550, but I don't know enough about that to make it work. It would be nice to be able to use either T1 for outbound if one of them fails. Would someone give me some suggestions? It would sure help. Thanks

11 Replies

aacole
Level 5

HSRP won't help here. I did something similar to this, load sharing outbound across two E1s to different ISPs. I used OSPF on the provider routers to generate default routes so long as their WAN links were up, so the router on the outside of the PIX would have two equal-cost default routes. This way, if an ISP link failed the respective DF route dropped out of the route table, so no packets were sent into a black hole.

So in your case, can you set up OSPF (or EIGRP) on the T1 routers to advertise DF routes to your 3550 L3 module, then put a single DF route on the PIX to point to your 3550? It depends on what address space etc. you have to play with.

I've only got 14 addresses (.240 mask) on each T1, so I have two separate .240 subnets. To do what you suggest, would I have to subnet further and put the 3550 on a .248 or .252? With the two routers on different .240 subnets, will I be able to route traffic from both of them to a common subnet on the 3550?

Would it help if I had the T1s reconfigured so either could handle all the traffic instead of each being a separate subnet?

As you can see I have a little more studying to do. I was told to set up HSRP on the switch to give the PIX one default gateway and then have HSRP handle the details of which router the traffic went to, but it didn't work out that easily as I started looking into it.

There isn't a way to assign two IP addresses to the outside PIX interface, is there, one on each subnet? I was thinking that might be an easy solution, but I couldn't figure out a way to do it.

Anyway, thanks for the advice.

With regard to the address on each T1, you're thinking along the right path; it would be easier if you could put both the Ethernet ports on the T1 routers into the same subnet. Then you just need an L2 switch to connect the routers and the PIX together. You could also use HSRP if there is only one subnet in use.

On the PIX you can only configure one default route out, which could point to the HSRP address. However this won't provide outbound load sharing; you will only use one of the T1 circuits.

To overcome this, on each router set up a DF route pointing out via its serial interface.

Configure OSPF to redistribute the static route, using the keyword 'default-information originate', which will enable OSPF to advertise a default route.

Enable OSPF on the PIX, you should now get 2 default routes in the OSPF route table on the PIX. If a T1 fails, that router stops advertising the DF route, and the corresponding entry drops out of the PIX route table.

Here is some config to make this a bit clearer:

R1

router ospf 20
 log-adjacency-changes
 redistribute static subnets
 network 1.2.3.0 0.0.0.15 area 0
 ! advertise 0.0.0.0/0 into OSPF only while a default route exists in the RIB
 default-information originate
!
ip classless
! static default tied to the T1; it is withdrawn when Serial0/0 goes down
ip route 0.0.0.0 0.0.0.0 Serial0/0

PIX

router ospf 20
 ! PIX 6.3 takes a subnet mask here, not an IOS-style wildcard mask
 network 1.2.3.0 255.255.255.240 area 0
 log-adj-changes

When you have this working I would advise using MD5 passwords to secure the OSPF updates.

Network 1.2.3.0 is the one between the PIX and the T1 routers.

I've just tried setting up a VLAN on my old PIX 520; it won't allow me to do this. I'm not sure if that will apply to your 515E. With a VLAN you could have multiple networks, but I'm not so sure that would help here. Finally, this all depends on you running 6.3 on your PIX.

Andy
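The design Andy lays out above, filled in for both T1 routers and with the OSPF MD5 authentication he recommends, as an added example rather than config from the original post. The shared LAN 1.2.3.0/28 follows the thread's placeholder; the host addresses, OSPF process ID 20, interface names and the key string are assumed. IOS syntax on the routers, PIX software 6.3 on the firewall.

```cisco
! Added example, not from the original post. Placeholders: 1.2.3.0/28 shared
! LAN, host addresses, process ID 20, interface names and the MD5 key string.
!
! ---------------- R1 (T1 router 1, IOS) ----------------
interface FastEthernet0/0
 description LAN shared with PIX outside and R2
 ip address 1.2.3.2 255.255.255.240
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 S3cr3tOspfKey
!
interface Serial0/0
 description T1 to ISP (addressing as assigned by the ISP, omitted here)
!
router ospf 20
 log-adjacency-changes
 area 0 authentication message-digest
 network 1.2.3.0 0.0.0.15 area 0
 ! Advertise 0.0.0.0/0 only while our own default route is in the RIB.
 ! Without the "always" keyword the advertisement is withdrawn when
 ! Serial0/0 goes down, so the PIX stops sending traffic this way.
 default-information originate
!
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
! ---------------- R2 (T1 router 2, IOS) ----------------
interface FastEthernet0/0
 description LAN shared with PIX outside and R1
 ip address 1.2.3.3 255.255.255.240
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 S3cr3tOspfKey
!
interface Serial0/0
 description T1 to ISP (addressing as assigned by the ISP, omitted here)
!
router ospf 20
 log-adjacency-changes
 area 0 authentication message-digest
 network 1.2.3.0 0.0.0.15 area 0
 default-information originate
!
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
! ---------------- PIX 515E, software 6.3 ----------------
ip address outside 1.2.3.1 255.255.255.240
!
! Per-interface OSPF parameters live under "routing interface" in 6.3.
routing interface outside
 ospf authentication message-digest
 ospf message-digest-key 1 md5 S3cr3tOspfKey
!
router ospf 20
 ! only the outside segment runs OSPF; the inside network is never included
 network 1.2.3.0 255.255.255.240 area 0
 area 0 authentication message-digest
 log-adj-changes
```

To check it, 'show ip ospf neighbor' on R1 and R2 should list the other router and the PIX in FULL state, and 'show ospf neighbor' plus 'show route' on the PIX should list two 0.0.0.0/0 entries learned via OSPF. Shutting Serial0/0 on one router should leave exactly one, which is the behaviour that keeps traffic out of a dead T1. With the same key on every speaker, a device plugged into the shared segment without it cannot form an adjacency and so cannot inject a default route toward the firewall.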

I checked and I am running v6.3 on the PIX. I'll have to try out your suggestions. Thanks for the config examples. I do have two questions though.

First, these are still dependent on the T1 routers being on the same subnet, right? I think it really makes sense to reconfigure the T1s so they are redundant. I don't know why they were set up this way in the first place.

Second, just to make sure I understand, 1.2.3.0 is not a new subnet that I have to set up between the routers and the PIX, right? It represents the subnet I get from my ISP, or do I misunderstand?

FYI, I was able to set up a VLAN on the outside interface and assign it an IP address on the other subnet, but I could not get it to ping anything. I'm not sure why, but I also haven't ever worked with VLANs ;o)

Thanks for all your help!

Tim

You won't be able to assign more than one IP address to a single PIX interface. You don't need HSRP configured since you only have one 3550 switch. The 3550 L3 interface address will be the only default gateway that the PIX will see.

What I would do is configure an additional L3 interface on the 3550 for an ISP gateway VLAN and terminate both router LAN connections on that VLAN. Run OSPF between the 3550 and the routers to advertise your network to the routers and for the routers to advertise the default route to the 3550. You don't need to waste public addresses on the router-to-3550 connection, and just because the T1 connections are on separate subnets doesn't mean that you need to use two VLANs for the 3550-router LAN connection.

The .240 mask that you refer to, is that for public addressability into your network? If so, then you can use .252 nets for the router-to-provider connection (the T1 links). The key will be for the provider at the other end to not see all 14 addresses as being off of the T1 link, and instead view it as a point-to-point network to save on addressing. The router can have static routes pointing back to the 3550, or the 3550 can advertise them to the routers.

Let me know if this helps.

This sounds like the solution that I am looking for. Your post and the posts by "aacole" seem to be pointing me in the same direction. Just to clarify and see if I understand, here is how my t1s are currently configured.

First Router:

ISP side has a .252 address

Our side has a .240 address, and the machines that have to see the internet (ISA server, web servers etc.) are on the same .240 subnet.

Second Router:

Same deal, only different .252 address from ISP and different .240 addresses on our side.

I've got to put the firewall in there but can only get it to work with one subnet at a time.

What you are suggesting is changing my side of the routers to .252 addresses as well, with some of the addresses given to me by the ISP, and then routing traffic through the L3 3550 using OSPF on the routers and the 3550. This would place the rest of my addresses from the ISP between the 3550 and the PIX so I could make them available for NAT from the PIX.

The PIX would have one gateway on the 3550 and the 3550 would route traffic to the routers using OSPF to choose the route. I just need to set up one VLAN on the switch?

Am I on the right track, or have I completely misunderstood?

Thanks for the help. I really appreciate it.

Tim

You would need two VLANs on the 3550 switch. One VLAN is for the firewall outside connection (fw-to-3550), and one is for the 3550-to-ISP-router connections. By using two VLANs, you would force the traffic to flow through the 3550 L3 interface.

The other items to consider depend on how you plan on using the addresses that both ISPs gave you.

For example: provider A has an entry in its DNS for your web server, say myhost.com with an IP of a.a.a.a, and the other provider (provider B) has the same name (myhost.com) in its DNS but its address is b.b.b.b.

The issue is that the PIX will only have one NAT entry for your server, either static (in,out) a.a.a.a i.i.i.i netmask 255.255.255.255 or static (in,out) b.b.b.b i.i.i.i netmask 255.255.255.255. The effect is that only one ISP's entries would win out.

To solve that you can perform NAT on the 3550 to translate b.b.b.b into a.a.a.a (or vice versa) so that the PIX will see what it expects to see.

I would meet with both providers to see if they can run some sort of BGP or OSPF between them on the router-to-3550 subnet to allow just one set of addresses to be used for your servers and record consistent entries in their DNS.

The other issue deals with how each provider will treat the IP addresses that the other one gave you. They have to agree to route those addresses over either link. Some providers do what is called ingress/egress filtering, so provider B will have to allow the a.a.a.x addresses allocated by provider A to flow over the T1 link through their network and back, and provider A will do the same with the b.b.b.x addresses.

The issue I raised above will come into play regardless of how the NAT is done, because the end user will only work with one address given by whatever DNS server answered their name query, and they will not have knowledge of the T1 addresses and redundant connections into and out of your network.

All in all, it may be easier to use just one set of addresses (except for the T1 links; for those use the separate subnets) and have the providers be consistent in the DNS name record and address entries, and provision for allowing traffic sent and received by you to cross both of their links (run OSPF or BGP between the providers for the one set of addresses).
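A concrete version of the two-VLAN 3550 design described above, as an added example and not config from the original post. The VLAN numbers, the switch ports, the private 10.0.20.0/29 router VLAN, the public 1.2.3.0/28 firewall VLAN (continuing the thread's placeholder), OSPF process 20 and the key string are all assumed. IOS syntax for the 3550 and the T1 routers, PIX 6.3 for the firewall. One caveat the thread does not mention: OSPF on a Catalyst 3550 requires the Enhanced Multilayer Image; the Standard image only provides static routing and RIP.

```cisco
! Added example, not from the original post. Placeholders: VLAN 10/20,
! switch ports, 10.0.20.0/29 (router VLAN), 1.2.3.0/28 (firewall VLAN),
! process ID 20 and the MD5 key string. 3550 must run the EMI for OSPF.
!
! ---------------- Catalyst 3550 ----------------
ip routing
!
vlan 10
 name fw-outside
vlan 20
 name isp-routers
!
interface Vlan10
 description PIX outside segment (public /28 from the ISP)
 ip address 1.2.3.1 255.255.255.240
!
interface Vlan20
 description LAN side of both T1 routers (private addressing)
 ip address 10.0.20.1 255.255.255.248
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 S3cr3tOspfKey
!
interface FastEthernet0/1
 description PIX outside
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/2
 description R1 LAN
 switchport mode access
 switchport access vlan 20
!
interface FastEthernet0/3
 description R2 LAN
 switchport mode access
 switchport access vlan 20
!
router ospf 20
 log-adjacency-changes
 area 0 authentication message-digest
 ! Advertise the firewall VLAN so R1 and R2 learn a route to the public /28,
 ! but send no OSPF hellos toward the PIX segment.
 passive-interface Vlan10
 network 1.2.3.0 0.0.0.15 area 0
 network 10.0.20.0 0.0.0.7 area 0
!
! ---------------- R1 and R2 LAN side (IOS) ----------------
! Identical on both routers except for the host address: R1 uses 10.0.20.2,
! R2 uses 10.0.20.3.
interface FastEthernet0/0
 description LAN to 3550 VLAN 20
 ip address 10.0.20.2 255.255.255.248
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 S3cr3tOspfKey
!
router ospf 20
 log-adjacency-changes
 area 0 authentication message-digest
 network 10.0.20.0 0.0.0.7 area 0
 ! withdrawn automatically when the T1 (and so the static default) goes down
 default-information originate
!
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
! ---------------- PIX 515E, software 6.3 ----------------
ip address outside 1.2.3.2 255.255.255.240
! One static default toward the 3550 SVI; the switch does the load sharing
! across whichever defaults it currently holds from R1 and R2.
route outside 0.0.0.0 0.0.0.0 1.2.3.1 1
```

On the 3550, 'show ip route 0.0.0.0' should show two O*E2 entries, via 10.0.20.2 and 10.0.20.3; CEF then shares outbound flows per destination across both T1s, and a withdrawn default removes that router from the list. The PIX keeps a single static default and runs no routing protocol in this layout, so nothing heard on the outside segment can alter the firewall's route table.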

Both T1s are from the same provider and right now they are not redundant, so the traffic for each is unique and I shouldn't have the problem you refer to.

Why do we have two T1s that are not redundant? That is a good question. I'll have to ask the guy I inherited them from ;o)

Tim,

I seem to have stopped receiving email updates when posts are added to this (and all other) threads, so missed your question a few days back.

Can you get your provider to allocate addresses in the same address space on both T1 router Ethernet ports? If you can, you only need an L2 switch to connect the PIX and the two routers together.

I do feel that adding another layer 3 device here is just adding complexity. Better to keep it as simple as possible.

Also, remember that the PIX will translate inbound packets via the static and ACL; if the packet matches then it will be translated. So you can use one of your subnets across the routers and the PIX, and the other you can use only for inbound static connections. I know this sounds a bit screwy but it does work. Your ISP sets up their routing to the second subnet with the outside address of the PIX as the next hop.

I'll tick the 'notify by email' box, but I don't expect it will work anyway.

In addition to outbound load sharing, as both links are from the same ISP you should also be able to get inbound load sharing as well.

Andy
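Andy's inbound-only use of the second subnet, as an added example that is not from the original post. 1.2.3.0/28 is the subnet shared by the routers and the PIX outside interface (the thread's placeholder); 5.6.7.0/28 stands for the second /28, which the ISP routes with the PIX outside address 1.2.3.1 as next hop; the inside addresses and the ACL name are assumed. PIX 6.3 syntax.

```cisco
! Added example, not from the original post. Placeholders: 1.2.3.0/28
! (outside interface subnet), 5.6.7.0/28 (second subnet, routed by the ISP
! to 1.2.3.1), inside hosts 192.168.1.x and the ACL name outside_in.
!
ip address outside 1.2.3.1 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
!
! Outbound default toward the T1 router (or the OSPF-learned defaults from
! the config Andy posted earlier in the thread).
route outside 0.0.0.0 0.0.0.0 1.2.3.2 1
!
! Outbound PAT for the inside network behind the outside interface address.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
!
! Inbound statics. The first publishes a host on the outside interface's
! own subnet. The second publishes a host on the second subnet: the PIX
! owns 5.6.7.10 as soon as the static exists, even though no interface has
! an address in 5.6.7.0/28, because the ISP router forwards that /28 to
! 1.2.3.1 and never ARPs for 5.6.7.10. Host statics (/32), not a
! subnet-wide static, so only the published hosts are reachable.
static (inside,outside) 1.2.3.10 192.168.1.10 netmask 255.255.255.255
static (inside,outside) 5.6.7.10 192.168.1.20 netmask 255.255.255.255
!
! The translation alone admits nothing; the inbound ACL decides which
! services may reach the translated hosts.
access-list outside_in permit tcp any host 1.2.3.10 eq www
access-list outside_in permit tcp any host 5.6.7.10 eq www
access-list outside_in permit tcp any host 5.6.7.10 eq https
access-group outside_in in interface outside
```

Because the ISP router forwards 5.6.7.0/28 to 1.2.3.1, no PIX interface needs an address in the second subnet and no proxy ARP is involved; the static alone makes the firewall answer for 5.6.7.10. Keep the statics to /32 hosts and the ACL to the services actually published, and confirm with 'show xlate' and 'show access-list outside_in' that only those translations and hit counters move.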

I think that I am going to take your suggestion and talk to my ISP to see if they can configure the T1s to both have the same subnets and do load balancing on their end. It seems the most simple configuration, on my end at least. Thanks for all your help.

Tim