Configuring ASA - PIX with 2 internet connections.

wwanjohi123
Level 1

Hello,

I need to configure an additional Internet link to my PIX firewall. I have only one existing Internet link that is already working for all functions in the organization.

The second internet connection will be used only by a group of users to a particular website.

The same ISP is providing both internet links and the same DNS servers will be used for both internet links.

There is a default route for the first Internet link with the next hop being the interface of the router for the first link. I have created a static route for the second link with specific source and destination with the next hop being the router to the second link.

NAT is fine, from my client PC I can ping to the second link when the first outside interface is shut. But it can't browse the website. It looks like all traffic follows the first link.

There is a switch in between the PIX and both routers, but with diff

Thanks Winnie.

2 Accepted Solutions

10 Replies

alanajjar
Level 1

Hi,

As I know, the ASA cannot load share between two links, you can configure the second line as a backup line, that will work only when the first line goes off, see the link below:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

if you want to use both lines at the same time, you need to use a router, the router can load balance between two lines.

regards
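The backup-ISP arrangement described in this answer, shown as an added configuration example (it is not the thread's own config and not the text of the linked Cisco document). It assumes a PIX/ASA 7.x-8.2 style command set with two ISP-facing interfaces named `outside` and `backup`; every address, interface name, SLA number and track number below is a constructed placeholder:

```cisco
! Added example: primary/backup ISP default route with SLA tracking.
! Interfaces, addresses and IDs are constructed placeholders.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet0/1
 nameif backup
 security-level 0
 ip address 198.51.100.2 255.255.255.248
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! ICMP probe sent out the "outside" interface every 5 seconds.
! Probing a host beyond the ISP router (not just the next hop) is what
! detects an upstream failure while the ISP router itself is still up.
sla monitor 123
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 5
sla monitor schedule 123 life forever start-time now
!
! Track object 1 follows the reachability result of SLA 123.
track 1 rtr 123 reachability
!
! The primary default route stays in the table only while track 1 is up;
! the backup route (administrative distance 254) is used otherwise.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Same NAT ID on both ISP interfaces, so a route change needs no NAT change.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
global (backup) 1 interface
```

`show route`, `show track 1` and `show sla monitor operational-state` show which default route is active and why. Two caveats a practitioner should expect: this is failover, not load sharing, exactly as the answer says, and existing translations built on `outside` do not move to `backup` by themselves, so sessions that were open when the probe failed hang until they time out or are cleared with `clear xlate`.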

Thanks so much, what other technology or firewall can I use because I need to secure my network using a firewall. If I use a router the security will be compromised.

Hi,

you can connect the router to the two lines, and put the firewall behind the router, by this you will get load balance and secure your network.

regards

You can use an IOS Firewall router, instead of one that doesn't have the IOS Firewall feature-set. With the features that come with this you can improve your security.

Mark Senteza

Hi,

But the IOS firewall router does not provide the advanced security features that the ASA can. It does basic firewalling only. Also you need to take the performance issue into consideration, especially if you have a large network. For best results in routing and security, you need to use a separate device for each.

regards

Thanks guys, this is helpful information.

i will try to implement the best way possible.

Hello,

I think that, I mean in the router, you can do Policy-based Routing (PBR) and with that you can do “load shares”, but that's a possibility… you have to try.

You put the two public IPs in the outside interface of the firewall (ASA or PIX) doing NAT (policy NAT) with a unique default gateway.

Then you can do PBR in the router.

Rui Capao
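The design Rui describes, as an added configuration example that is not from the thread: an IOS router in front of the PIX/ASA holds both ISP links, the firewall keeps a single default gateway and uses policy NAT to translate the "website users" group to a second public address, and the router policy-routes packets from that address out ISP 2. All addresses, interface names, ACL and route-map names are constructed placeholders; the website address 198.51.100.80 stands in for the real destination.

```cisco
! --- Router in front of the firewall (IOS) ---
interface GigabitEthernet0/0
 description to ISP1
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 description to ISP2
 ip address 203.0.113.6 255.255.255.252
!
interface GigabitEthernet0/2
 description to firewall outside
 ip address 192.0.2.1 255.255.255.240
 ! PBR is evaluated on packets arriving from the firewall on this interface
 ip policy route-map VIA-ISP2
!
! Everything not policy-routed follows the normal default route via ISP1.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Match only the second public address (the one the firewall translates the
! special user group to) and only toward the one website.
ip access-list extended WEBSITE-USERS
 permit ip host 192.0.2.10 host 198.51.100.80
!
route-map VIA-ISP2 permit 10
 match ip address WEBSITE-USERS
 set ip next-hop 203.0.113.5
! Packets that match no route-map entry are routed normally.

! --- Firewall (PIX/ASA 7.x-8.2 syntax), single default gateway = the router ---
route outside 0.0.0.0 0.0.0.0 192.0.2.1
!
! Policy NAT: the user group (10.1.1.0/26) going to the website gets the
! second public address; everyone else uses the outside interface address.
access-list SPECIAL-USERS extended permit ip 10.1.1.0 255.255.255.192 host 198.51.100.80
nat (inside) 2 access-list SPECIAL-USERS
global (outside) 2 192.0.2.10
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
```

On the firewall, a `nat` statement with an access-list (policy NAT) is matched before the regular `nat (inside) 1` rule, so the ID numbers do not decide precedence. Two things to verify after applying this: `show route-map VIA-ISP2` on the router should show the policy-match counter increasing when the user group browses the site, and return traffic for 192.0.2.10 must actually arrive on whichever link the ISP prefers (the thread notes both links come from the same ISP, so ask them how that prefix is routed). IOS can also tie the PBR next hop to reachability with `set ip next-hop verify-availability` and a track object, so a dead ISP 2 link falls back to the normal route instead of black-holing the group.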

That's true, it doesn't provide the advanced security features that an ASA or PIX would.

Sorry not to make it clear, but I had meant that the router you had mentioned connecting the two lines to, that sits in front of the firewall, can be an IOS Firewall router. Then keep the firewall too.

I believe that a router with an IOS Firewall feature set gives you more possibilities for basic first line defence on the perimeter network even before the traffic hits the external interface of the firewall sitting behind it.

pritish.kemal
Level 1

Hi, I have seen the link that you have given to configure the PIX with a backup link. I have one more question based on this. Can I have a backup site-to-site VPN like this? I will make it clear. My primary site-to-site VPN will work through ISP 1, and if ISP 1 fails, can I configure a backup site-to-site VPN using another ISP in the same box?

Hello,

I think you can.

First, you have to configure the PIX with “dual ip”, to have a backup isp, in this case isp2.

Then, you have to configure the VPN, point to point, the backup VPN, between the public ip of the isp2 and the public ip of the other site.

But this has a disadvantage: you lose the VPN session to the other site for a while, and then when the backup VPN is established you can have connection to the other site again. This could be a problem or not, it depends on what you need.

Rui Capao
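What Rui's answer describes, as an added configuration example that is not from the thread: the local PIX/ASA already has the tracked primary/backup default routes of a dual-ISP setup (interfaces `outside` and `backup`), the same crypto map is bound to both ISP-facing interfaces, and the remote firewall lists both of the local public addresses as peers so it can rebuild the tunnel to whichever one answers. IKEv1 with pre-shared keys is assumed; every address, name and the key value is a constructed placeholder.

```cisco
! --- Site A: local PIX/ASA with two ISP interfaces ---
access-list SITEB-VPN extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
! VPN traffic is exempt from NAT on whichever interface it leaves.
nat (inside) 0 access-list SITEB-VPN
!
crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac
crypto map SITEB 10 match address SITEB-VPN
crypto map SITEB 10 set peer 192.0.2.9
crypto map SITEB 10 set transform-set AES-SHA
! One crypto map on both interfaces: the tunnel terminates on the interface
! that currently holds the active (tracked) default route.
crypto map SITEB interface outside
crypto map SITEB interface backup
crypto isakmp enable outside
crypto isakmp enable backup
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 192.0.2.9 type ipsec-l2l
tunnel-group 192.0.2.9 ipsec-attributes
 pre-shared-key PLACEHOLDER-KEY
 ! Dead peer detection so a dead path is noticed instead of waiting for SA expiry
 isakmp keepalive threshold 10 retry 2

! --- Site B: remote PIX/ASA, single ISP ---
access-list SITEA-VPN extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list SITEA-VPN
crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac
crypto map SITEA 10 match address SITEA-VPN
! Primary peer first (site A's ISP1 address), backup peer second (ISP2 address).
crypto map SITEA 10 set peer 203.0.113.2 198.51.100.2
crypto map SITEA 10 set transform-set AES-SHA
crypto map SITEA interface outside
crypto isakmp enable outside
! A tunnel-group is needed for each address site A may appear from.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key PLACEHOLDER-KEY
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 pre-shared-key PLACEHOLDER-KEY
 isakmp keepalive threshold 10 retry 2
```

This behaves exactly as Rui warns: when ISP 1 dies, the existing security associations are lost, and the tunnel only comes back once site A's tracked route has flipped to `backup` (so new IKE traffic leaves from 198.51.100.2) and the keepalives on either side have declared the old peer dead. `show crypto isakmp sa` and `show crypto ipsec sa` on both boxes show which peer address the rebuilt tunnel is using, and the gap between failure and re-establishment is roughly the SLA probe interval plus the keepalive threshold and retries.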
