Two outside interface on PIX 515E

Unanswered Question
Aug 5th, 2007

I have a PIX 515E with 6 interfaces. Currently one outside interface is configured, but I want to create two outside interfaces. That means two internet connections attached directly to the PIX 515E.

Please suggest the procedure to implement it.

srue Sun, 08/05/2007 - 04:19

it really depends on what you're trying to accomplish, as well as a host of other things.

purohit_810 Sun, 08/05/2007 - 11:15

It should work like this:

(pretending that IPs from ISP1 are 1.1.1.0/29 and IPs from ISP2 are 2.2.2.0/29)

nameif ethernet0 outside security0 {One ISP}
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
nameif ethernet3 ISPN security80 {Second ISP}
ip address outside 1.1.1.2 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0
ip address DMZ 10.1.2.1 255.255.255.0
ip address ISPN 2.2.2.2 255.255.255.248
global (outside) 1 interface
global (ISPN) 1 interface {THIS IS MUST}
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route ISPN 130.239.18.151 255.255.255.255 2.2.2.1 1

Regards,

Dharmesh Purohit

srue Sun, 08/05/2007 - 16:43

the configuration looks ok, so long as you realize the only thing going out ISP 2 is traffic destined for host 130.239.18.151.

Also, you should probably make the security level of the ISPN intf 0, just like you would an outside interface - unless you have a specific reason not to. With your posted config, any traffic from ISP2 has full access to your DMZ b/c of the higher security level.
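The following is an added example, not a config posted in this thread, showing the earlier two-ISP layout with the second ISP interface at security0 as suggested above, plus a DMZ host published on the second ISP's range. It uses the same placeholder ranges as the thread (1.1.1.0/29 for ISP1, 2.2.2.0/29 for ISP2); the DMZ mail server address 10.1.2.10, its public address 2.2.2.3 and the ACL name ISPN_in are assumed. The lines beginning with `!` are explanatory and would be left out when pasting into a PIX 6.x CLI. Note that this only fixes the exposure of the DMZ; it does not change which interface reply traffic leaves on, which is still decided by the routing table.

```cisco
! Added example (not from the thread): PIX 6.x-style two-ISP config with
! the second ISP interface treated as untrusted (security0).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
nameif ethernet3 ISPN security0
ip address outside 1.1.1.2 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0
ip address DMZ 10.1.2.1 255.255.255.0
ip address ISPN 2.2.2.2 255.255.255.248
!
! Outbound PAT for inside hosts on both ISP interfaces (NAT id 1 on each)
global (outside) 1 interface
global (ISPN) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
!
! Publish the assumed DMZ mail server 10.1.2.10 on the second ISP's range
static (DMZ,ISPN) 2.2.2.3 10.1.2.10 netmask 255.255.255.255
!
! With ISPN at security0, nothing from ISP2 reaches the DMZ (security50)
! unless an ACL on ISPN explicitly permits it; allow only SMTP to the
! translated address of the mail server.
access-list ISPN_in permit tcp any host 2.2.2.3 eq smtp
access-group ISPN_in in interface ISPN
!
! One default route only; a single destination is pinned to ISP2 as in
! the earlier post. Everything else, including replies, leaves via outside.
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route ISPN 130.239.18.151 255.255.255.255 2.2.2.1 1
```

The difference from the earlier post is the `security0` on ISPN together with the `access-list`/`access-group` pair: a higher security level on ISPN would let ISP2 traffic into the DMZ with no ACL at all, while at security0 the default is deny and each published service has to be opened individually.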

akabirbdcisco Sun, 08/05/2007 - 19:17

First of all, thanks for the advice. You are a genius.

Are the two ISPs working in parallel, or is one a backup?

I have one DMZ location; at that location I have already set up a mail server and a proxy server.

I want to configure the first ISP to serve the first proxy server and the second ISP to serve the second proxy server located in the DMZ.

The target is that some inside users browse the internet through proxy 1 and some inside users browse the internet through proxy 2.

Please help me, sir.

david.keil Mon, 08/20/2007 - 19:11

I am running into a similar situation as the original requestor. I am running PIX OS v8.02 and have configured my 2 ISPs using the redundant ISP method. The problem that I have is that I want to have simultaneous access to my WWW/DNS/SMTP servers from either ISP. I tried removing the tracked route and reconfiguring as per the previous post, with the exception of using an any any rule for the secondary ISP route and setting the security level to 0. The WWW/DNS/SMTP servers are only accessible from the primary ISP. Ideas?

icenterhq Mon, 08/20/2007 - 19:23

Get an AS and use BGP with a Cisco router?

As long as the default gateway points to the primary ISP, all REPLY packets will go to the primary.

Please note that your second ISP is REDUNDANT.

You always have one path to/from the world.

If you want to share some load you can try to define routes for some networks to different ISPs. For example: route 80.0.0.0/8 to the primary, 90.0.0.0/8 to the secondary and so on :)

david.keil Mon, 08/20/2007 - 20:03

BGP is not an option as the two connections are over ADSL links. These links are terminated on a Cisco 2651XM with Advanced Enterprise 12.4 IOS w/2 WIC-ADSL. I am using private IP addressing on my two outside interfaces on the Cisco PIX 515E. Ideas?

russ Tue, 08/21/2007 - 04:00

Put a Cisco router in between the ISPs' routers and the PIX. The PIX will NAT inside addresses to ISP addresses; then configure policy-based routing on the router to policy-route the NAT addresses to each of the respective ISPs. I have done something similar before, where a customer wanted to aggregate 4 x ADSL links with each link using a different public IP address range, using a single ASA FW and a 2821 router with 4 ADSL interfaces.
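As an added example (not a config from this thread or from the poster), this is the shape of the router-in-the-middle approach described above: the PIX translates inside hosts into one of two public pools, and the router in front of it policy-routes by source address so each pool leaves via its own ISP. All addresses are assumptions: the thread's placeholder ranges 1.1.1.0/29 (ISP1, gateway 1.1.1.1) and 2.2.2.0/29 (ISP2, gateway 2.2.2.1), a private transit link 192.168.255.0/30 between router (.1) and PIX (.2), and FastEthernet0/0 as the router's PIX-facing interface. The `!` lines are comments.

```cisco
! ===== PIX side (6.x/7.x style): two NAT ids, two public pools =====
! Inside hosts in the lower half of 10.1.1.0/24 get ISP1 addresses,
! the upper half get ISP2 addresses. Pool and host split are assumed.
nat (inside) 1 10.1.1.0 255.255.255.128 0 0
nat (inside) 2 10.1.1.128 255.255.255.128 0 0
global (outside) 1 1.1.1.3-1.1.1.6 netmask 255.255.255.248
global (outside) 2 2.2.2.3-2.2.2.6 netmask 255.255.255.248
! The PIX only needs to reach the router on the transit link
ip address outside 192.168.255.2 255.255.255.252
route outside 0.0.0.0 0.0.0.0 192.168.255.1 1

! ===== Router side (IOS): PBR by source pool, static routes back =====
! Return traffic for each public pool is sent to the PIX's transit address;
! the PIX answers for the pool addresses via its NAT entries.
ip route 1.1.1.0 255.255.255.248 192.168.255.2
ip route 2.2.2.0 255.255.255.248 192.168.255.2
! Normal default route for anything PBR does not match
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
ip access-list extended FROM-ISP1-POOL
 permit ip 1.1.1.0 0.0.0.7 any
ip access-list extended FROM-ISP2-POOL
 permit ip 2.2.2.0 0.0.0.7 any
!
! Sequence 10/20 pick the next hop by source pool; traffic matching
! neither sequence falls through to the routing table.
route-map PIX-PBR permit 10
 match ip address FROM-ISP1-POOL
 set ip next-hop 1.1.1.1
route-map PIX-PBR permit 20
 match ip address FROM-ISP2-POOL
 set ip next-hop 2.2.2.1
!
interface FastEthernet0/0
 description Transit link to PIX outside
 ip address 192.168.255.1 255.255.255.252
 ip policy route-map PIX-PBR
```

The key property is that the ISP choice is made on the router from the translated source address, so the PIX keeps a single default route and does not need to know which ISP a given flow will use; replies from the internet arrive on whichever ADSL link the ISP routes the pool to, and the static routes for the pools send them back to the PIX regardless of link. On the router, `show route-map PIX-PBR` shows the match counters per sequence, which is the quickest way to confirm each pool is actually being policy-routed rather than falling through to the default route.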

david.keil Tue, 08/21/2007 - 08:39

I was thinking that I can do just that. I have the 2651XM and the PIX515E configured as follows:

-2xWIC-ADSL installed in 2651XM

-2xBVI interfaces configured on 2651XM to 2 separate ISPs.

-2xVLANs pointing to outside interface on PIX515E

-Outside interface on PIX515E is configured with 2xVLANs

-Each VLAN has been configured with security-level 0

-Both outside VLANs are using Private NAT IP addresses that are only routeable to the 2651XM

-I have an SMTP server in DMZ1, 2xDNS servers in DMZ2, a Citrix server in DMZ3 and 2xWWW servers in DMZ4 configured on the firewall. Each of these servers has been configured for external access using PAT on the inbound side and global NAT for outbound communications.

Using this configuration, if I am on the 2651XM router and perform a test to either one of the "outside" VLANs that are PAT'd to the appropriate server by using telnet 172.31.69.209 domain or 172.31.208 domain, I receive successful tests. But if I perform the same tests to the BVI interfaces (this is where the ISP addresses are configured) I only receive a successful response from the ISP that is configured with the default route on the PIX 515E. So you are saying that policy-based routing will resolve this issue?

russ Tue, 08/21/2007 - 10:04

My scenario didn't necessitate the need for vlans or BVIs. It seems in your scenario you should be able to use PBR to route traffic intended for ISP2, ignoring the default-route configured for ISP1.

In my case by using nat on the ASA and PBR on the router, I was able to load-balance traffic so that email was dedicated to ISP1, users with even IP addresses used ISP2, users with odd numbered IP addresses used ISP3 (they did not use a proxy) and VPN was dedicated for ISP4.

david.keil Wed, 10/10/2007 - 19:54

I would like to bump this one to the top again... I have made some modifications that are yielding some positive results. Here is how the topology has changed... instead of 1 router w/2 ADSL WICs installed with a single crossover connecting Ethernet0 of the PIX 515 to F0/0 of the 2651XM, I have two 2651XM routers w/1 ADSL WIC each that are using VLANs connected to a Catalyst using trunk ports. I am now able to access both networks simultaneously for all the servers that are sitting behind the PIX. The only thing that I am not able to do is to use IPSec connections to the standby outside interface. I have confirmed that the routers are identical with NAT'ing, with the exception of the IP address differences with the different networks. Ideas?
