I have 2 Sites connected with a Private T1. Each Site has an Internet Connection with the Same provider. Each site has a Pix firewall and 2 1721 routers, one inside, one outside. How can I make each internet link be a fail over for the other? I had the ISP setup BGP. But I'm still not sure if that will work because of my 2 Firewalls. I have opened a Case on this also.
Without knowing more about your environment it seems that a pretty simple approach should work. If you are running BGP with the ISP then they should be advertising to you a default route. I am not sure that there is much need for the ISP to advertise much more than that to you. So you would be dynamically learning a default route from BGP. You should be able to configure a floating static route which would point across the private T1 to be used if the default route from BGP becomes unavailable.
I understand that, but if traffic is flowing in and out either T1 (based on shortest path) and traffic goes out one T1 and back in the other, that will not work because I have 2 pixes and only one will know about the NAT translation for that conversation?
Or is there something that forces traffic always back in the same T1 it came from.
Or Am I over thinking it, Just put all the same NAT translations on Both Firewalls.
Another question should I run IBGP or OSPF inside?
The answer will depend a bit on exactly how you have configured things. But what you want is for each firewall to do a unique translation. Then whatever goes out firewallA will have a unique translation and the response should come back through firewallA not through firewallB.
Probably you should run both IBGP and OSPF. If you are running EBGP on a couple of routers then you should run IBGP between them. This is to maintain consistency in what BGP learns and advertises. You should also run a separate interior routing protocol like OSPF. Running IBGP is really not a replacement for running an interior protocol.
All My external IP addresses are part of BGP and can come in either T1. All ip addresses are announced on both T1s. So if traffic leaves my Site A to a site, then I'm afraid the return traffic Might come back in my Site B because Site B has a shorter Metric.
Each PIX will nat to its public address or addresses, which means return traffic will return back to the same device, as the dest address will be the public address of your pix.
With regard to achieving redundancy with the pix firewalls in between, you can do it, but you have to use a dynamic routing protocol. Three ways that I can think of.
1. receive a default from the SP and run ibgp between your external and internal router and allow bgp via the pix. You can then redistribute the default in your igp.
2. The PIX can run OSPF and runs two processes, internal and external. If you receive a default from your ISP via BGP, the external router can then issue a conditional default to the PIX via the external ospf process. Redistribute the default from the PIX external to the PIX internal, which will appear in your internal ospf network, assuming you run ospf. If either of the links fails the default will be withdrawn by the external router, therefore the pix which has lost its connection to the internet will no longer advertise a default. Also the pix supports md5 authentication.
3. Configure a gre tunnel between the internal and external router and run ospf. Have to allow gre via the pix.
From the security perspective and ease of implementation, I personally prefer option-1.
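Option 1 above written out for one site, as an added example that is not from the thread or from any poster: the external router accepts only a default from the ISP, peers iBGP with the inside router through the PIX, and the inside router originates the default into OSPF only while BGP is supplying it. All AS numbers, addresses and the PIX 7.x policy names are constructed assumptions; the sequence-randomization class is needed because PIX 7.x TCP sequence randomization breaks TCP MD5 on the iBGP session.

```cisco
! Constructed lab values: ISP AS 64500 at 203.0.113.1, local AS 65001,
! public block 198.51.100.0/24, external router 192.0.2.2 <-> PIX outside 192.0.2.1,
! PIX inside 10.1.1.1, inside router 10.1.1.2.

!--- External router: eBGP to the ISP (default only), iBGP to the inside router
router bgp 65001
 network 198.51.100.0 mask 255.255.255.0
 neighbor 203.0.113.1 remote-as 64500
 neighbor 203.0.113.1 prefix-list DEFAULT-ONLY in
 neighbor 10.1.1.2 remote-as 65001
 neighbor 10.1.1.2 next-hop-self
 neighbor 10.1.1.2 password <shared-secret>
!
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
! public block lives behind the PIX; this also satisfies the network statement
ip route 198.51.100.0 255.255.255.0 192.0.2.1
! the inside peer is reached through the PIX at its untranslated address
ip route 10.1.1.2 255.255.255.255 192.0.2.1

!--- PIX 7.x: let the iBGP session through without translating the peer address
static (inside,outside) 10.1.1.2 10.1.1.2 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp host 192.0.2.2 host 10.1.1.2 eq bgp
access-group OUTSIDE_IN in interface outside
! TCP MD5 covers the sequence number, so leave it unrandomized for this flow only
access-list BGP_PEERING extended permit tcp host 192.0.2.2 host 10.1.1.2 eq bgp
access-list BGP_PEERING extended permit tcp host 10.1.1.2 host 192.0.2.2 eq bgp
class-map BGP_PEERING
 match access-list BGP_PEERING
policy-map global_policy
 class BGP_PEERING
  set connection random-sequence-number disable

!--- Inside router: iBGP peer, conditional default into OSPF
router bgp 65001
 neighbor 192.0.2.2 remote-as 65001
 neighbor 192.0.2.2 password <shared-secret>
!
ip route 192.0.2.0 255.255.255.252 10.1.1.1
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
 ! without "always", 0/0 is advertised only while a default (here, from iBGP) is in the RIB;
 ! when the ISP withdraws it, the iBGP default and the OSPF default disappear together
 default-information originate
```

The iBGP session is what carries the withdrawal inward; the PIX itself keeps a static default toward the external router and does not need to learn it.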
This all sounds good. I'm announcing 2 class C blocks via BGP. So On My pixes have the NAT pools be different. But on all my Static NAT translations just make those the same, So My Site A Mail server will always have the same ip address regardless of which firewall it goes out.
On the internal redundancy:
1. I have 1 inside router that is a 2611 will that handle the IBGP?
2. I had OSPF setup once before the BGP setup. It seemed to fail over fine but would never switch back once the line was up again. I have upgraded to PIX 7.1 since then. But I have Everything static now.
3. I also have a VPN 3005 at each side and VPN users, and a DMZ on the PIX. With IBGP would the pix itself get the new default route?
Thanks for Everyone's Help.
I'll just keep on posting...
This is a good example. Almost exactly what I want to do.
Except it says the Pixes are not doing NAT. I have not met any ISPs that let me route my private addresses directly to them, have you?