PIX with 2 external IPs from separate ISPs

Unanswered Question
Jan 30th, 2007

We have 2 external interfaces and 1 internal interface performing NAT on our PIX 525. We would like to use our new internet connection alongside our existing connection in such a way that outbound traffic (web, ftp, etc.) uses the new connection and all old static NATs remain in place and accessible from the original public address space.

Our thought was to create the second external interface (global) and have it perform NAT for our internal network while preserving all of the connectivity to the old external address space from the outside.

We have many users that are relying on our current public address space for connectivity into our network via the pix. What would be the best way to go about accomplishing this? Any input would be appreciated.

Thanks in advance.

Collin Clark Tue, 01/30/2007 - 14:09

I would use a different physical interface (a DMZ) for the old network. That would keep it cleaner IMO.

epanger Wed, 01/31/2007 - 05:46

We have 3 physical interfaces on the machine. We would place the 3rd interface in the new external address space.

Essentially, we are unsure how to do this without affecting the existing static NATs on the old address space. What we were thinking was we would change the default route on the pix to the new address space's router, but we want to make sure that the old virtual addresses that map to server/ports inside are still accessible without any problems...

As always, thanks for the reply.

mklaphek Tue, 01/30/2007 - 17:34

The issue is that you cannot define more than one default route (with the new code, you can define three but only on the same interface). The ideal solution would be to use a router, where you could do policy-based routing to make these decisions for you.

I think that your idea would work, but I would probably try to do policy NAT.

Hope this helps.

epanger Wed, 01/31/2007 - 05:53

Forgive my lack of in-depth knowledge, but you mean that we would create a route-map on our external router that would have interfaces with both address spaces set up. Then we would be able to say something like: everything originating from the old address space, use the old route; everything originating from the new address space, use the new route?

I am unfamiliar with route-maps, could someone point us to an example?

I very much appreciate the feedback. Thanks.

If you have a single firewall and a single router (for both ISPs), it should be easy... but you might need to modify the existing IP address of the firewall.

Quick example with 1 router and 1 firewall, using only one external interface on the firewall (double NAT, at the firewall and at the router).

1. ip address inside 1.1.1.1 255.255.255.0

2. ip address outside 2.2.2.2 255.255.255.0

3. IP address of the router (e0) = 2.2.2.3

4. route outside 0 0 2.2.2.3 <--- firewall default route to the router

5. IP address of ISP1 (s1) = 4.4.4.4, ISP2 (s2) = 5.5.5.5

6. Define your NAT at the firewall:

(i) static (inside,outside) 2.2.2.9 1.1.1.9 netmask 255.255.255.255

(ii) static (inside,outside) 2.2.2.10 1.1.1.10 netmask 255.255.255.255

7. Define NAT in the router.

8. Using a route-map:

(i) Apply one policy route-map on router interface e0 (IOS accepts only one ip policy route-map per interface; a second one replaces the first, so both ISPs are handled by two sequences of the same route-map):

- interface e0
- ip policy route-map ISP-SELECT

(ii) Define the access-lists:

- access-list 1 permit host 2.2.2.9
- access-list 2 permit host 2.2.2.10

(iii) Define the route-map:

- route-map ISP-SELECT permit 10
  match ip address 1
  set interface s1 (or set ip next-hop with the ISP1 gateway address)

- route-map ISP-SELECT permit 20
  match ip address 2
  set interface s2 (or set ip next-hop with the ISP2 gateway address)

Please verify...

If you have 1 firewall and 2 ISP routers... slightly troublesome...
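The post above sketches the double-NAT layout but leaves step 7 (NAT on the router) and the outbound PAT on the PIX unstated. The following is an added, worked configuration for that design; it is not taken from the thread or from Cisco documentation, and all addresses beyond those in the post are assumptions chosen for illustration: the ISP1 gateway is 4.4.4.1 and the old public space is 4.4.4.0/24 (so the old public addresses of the two servers become 4.4.4.9 and 4.4.4.10), the ISP2 gateway is 5.5.5.1, the PIX PAT address is 2.2.2.100, and the route-map name ISP-SELECT and access-list numbers are arbitrary. PIX lines use PIX 6.x syntax; router lines are IOS.

```cisco
! ===== PIX (PIX 6.x syntax) =====
ip address inside 1.1.1.1 255.255.255.0
ip address outside 2.2.2.2 255.255.255.0
route outside 0 0 2.2.2.3
! Servers that must stay reachable on their old public addresses.
static (inside,outside) 2.2.2.9 1.1.1.9 netmask 255.255.255.255
static (inside,outside) 2.2.2.10 1.1.1.10 netmask 255.255.255.255
! Ordinary outbound users are PAT'ed to 2.2.2.100 (assumed address);
! the router decides which ISP that traffic leaves through.
nat (inside) 1 1.1.1.0 255.255.255.0
global (outside) 1 2.2.2.100
! Permit only the published service inbound (assumed: web on 1.1.1.9).
access-list outside_in permit tcp any host 2.2.2.9 eq www
access-group outside_in in interface outside

! ===== Router (IOS) =====
! e0 2.2.2.3/24 faces the PIX outside interface
! s1 4.4.4.4/24 ISP1 link, gateway 4.4.4.1 (assumed), old public space 4.4.4.0/24 (assumed)
! s2 5.5.5.5/24 ISP2 link, gateway 5.5.5.1 (assumed), new connection
interface Ethernet0
 ip address 2.2.2.3 255.255.255.0
 ip nat inside
 ! Only one policy route-map can be applied to an interface, so the
 ! per-server ISP choice is expressed as sequences of one route-map.
 ip policy route-map ISP-SELECT
!
interface Serial1
 ip address 4.4.4.4 255.255.255.0
 ip nat outside
!
interface Serial2
 ip address 5.5.5.5 255.255.255.0
 ip nat outside
!
! Default route: anything not policy-routed (the PAT'ed user traffic)
! leaves through the new ISP2 connection.
ip route 0.0.0.0 0.0.0.0 5.5.5.1
!
! Second NAT layer. Inbound: 4.4.4.9 -> 2.2.2.9 on the router, then
! 2.2.2.9 -> 1.1.1.9 by the PIX static, so the old public addresses keep working.
ip nat inside source static 2.2.2.9 4.4.4.9
ip nat inside source static 2.2.2.10 4.4.4.10
! Everything else from the PIX outside subnet is PAT'ed to the ISP2 interface.
access-list 10 deny   host 2.2.2.9
access-list 10 deny   host 2.2.2.10
access-list 10 permit 2.2.2.0 0.0.0.255
ip nat inside source list 10 interface Serial2 overload
!
! Policy routing for the servers' return traffic. On the inside-to-outside
! path IOS runs policy routing before NAT, so the ACLs match the
! pre-translation source 2.2.2.x, not the public 4.4.4.x addresses.
access-list 1 permit host 2.2.2.9
access-list 2 permit host 2.2.2.10
route-map ISP-SELECT permit 10
 match ip address 1
 set ip next-hop 4.4.4.1
route-map ISP-SELECT permit 20
 match ip address 2
 set ip next-hop 4.4.4.1
! No catch-all sequence: unmatched packets fall through to normal routing.
```

To check the result, send a request from outside to 4.4.4.9 and confirm with show ip nat translations on the router and show xlate on the PIX that both translation layers created entries, then use show route-map ISP-SELECT (policy match counters) or, briefly, debug ip policy to confirm the server's replies are being sent to 4.4.4.1 while a user's outbound web session from 2.2.2.100 appears in the translation table against Serial2 and follows the default route.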
