02-27-2008 01:11 AM - edited 03-11-2019 05:09 AM
Hello,
I need to configure an additional Internet link to my PIX firewall. I have only one existing Internet link that is already working for all functions in the organization.
The second internet connection will be used only by a group of users to a particular website.
The same ISP is providing both internet links and the same DNS servers will be used for both internet links.
There is a default route for the first Internet link with the next hop being the interface of the router for the first link. I have created a static route for the second link with specific source and destination with the next hop being the router to the second link.
NAT is fine, from my client PC I can ping to the second link when the first outside interface is shut. But I can't browse the website. It looks like all traffic follows the first link.
There is a switch in between the PIX and both routers, but with diff
Thanks Winnie.
02-27-2008 03:33 AM
Hi,
As far as I know, the ASA cannot load share between two links. You can configure the second line as a backup line that will work only when the first line goes off; see the link below:
If you want to use both lines at the same time, you need to use a router; the router can load balance between two lines.
regards
02-27-2008 04:15 AM
Thanks so much. What other technology or firewall can I use? I need to secure my network using a firewall. If I use a router the security will be compromised.
02-27-2008 04:19 AM
Hi,
You can connect the router to the two lines and put the firewall behind the router; by this you will get load balancing and secure your network.
regards
02-27-2008 06:12 AM
You can use an IOS Firewall router, instead of one that doesn't have the IOS Firewall feature set. With the features that come with this you can improve your security.
Mark Senteza
02-27-2008 08:30 PM
Hi,
But the IOS firewall router does not provide the advanced security features that the ASA can. It does basic firewalling only. Also you need to take the performance issue into consideration, especially if you have a large network. For best results in routing and security, you need to use a separate device for each.
regards
02-27-2008 09:59 PM
Thanks guys, this is helpful information.
I will try to implement the best way possible.
08-22-2008 01:46 PM
Hello,
I think that, I mean in the router, you can do Policy-based Routing (PBR) and with that you can do "load shares", but that's a possibility… you have to try it.
You put the two public IPs in the outside interface of the firewall (ASA or PIX) doing NAT (policy NAT) with a unique default gateway.
Then you can do PBR in the router.
Rui Capao
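A configuration sketch of the layout described in the post above, added here as an example and not taken from the poster or from Cisco documentation: the PIX policy-NATs the user group to a second public address, and the router in front policy-routes that address to the second link. All addresses, ACL and route-map names and interface names are constructed; the PIX side uses the pre-8.3 `nat`/`global` syntax, and it assumes the ISP routes both public addresses back to this router over either link.

```cisco
! ===== PIX / ASA (pre-8.3 NAT syntax) =====
! Constructed addressing:
!   192.168.10.0/24  user group allowed to use the second link
!   203.0.113.50     the particular website
!   192.0.2.0/29     outside segment: router .1, PIX .2, NAT addresses .3 and .4
! Policy NAT: only group -> website traffic is translated to 192.0.2.4
access-list GROUP_TO_SITE permit ip 192.168.10.0 255.255.255.0 host 203.0.113.50
nat (inside) 2 access-list GROUP_TO_SITE
global (outside) 2 192.0.2.4
! All other traffic keeps using 192.0.2.3
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 192.0.2.3
! Single default gateway: the router, which makes the path decision
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1

! ===== IOS router in front of the PIX =====
! Constructed next hops: 198.51.100.1 = ISP link 1, 198.51.100.5 = ISP link 2
! Match on the translated source, since the router only sees post-NAT packets
access-list 110 permit ip host 192.0.2.4 host 203.0.113.50
!
route-map TO_ISP2 permit 10
 match ip address 110
 set ip next-hop 198.51.100.5
!
! Apply PBR on the interface that receives traffic from the PIX
interface FastEthernet0/0
 description To PIX outside segment
 ip address 192.0.2.1 255.255.255.248
 ip policy route-map TO_ISP2
!
! Anything not matched by the route-map follows the normal default route
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Verification:
!   PIX:    show xlate            (group traffic should appear as 192.0.2.4)
!   Router: show ip policy        (route-map bound to FastEthernet0/0)
!           show route-map TO_ISP2  (policy routing match counters increase)
```

Because the firewall still inspects and translates every flow before the router sees it, the access policy stays on the PIX and the router only selects the egress link.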
02-28-2008 02:05 AM
That's true, it doesn't provide the advanced security features that an ASA or PIX would.
Sorry not to make it clear, but I had meant that the router you had mentioned connecting the two lines to, that sits in front of the firewall, can be an IOS Firewall router. Then keep the firewall too.
I believe that a router with an IOS Firewall feature set gives you more possibilities for basic first line defence on the perimeter network even before the traffic hits the external interface of the firewall sitting behind it.
08-22-2008 09:00 PM
Hi, I have seen the link that you have given to configure the PIX with a backup link. I have one more question based on this: can I have a backup site-to-site VPN like this? I will make it clear: my primary site-to-site VPN will work through ISP 1, and if ISP 1 fails, can I configure a backup site-to-site VPN using another ISP in the same box?
08-23-2008 05:20 AM
Hello,
I think you can.
First, you have to configure the PIX with "dual IP", to have a backup ISP, in this case ISP2.
Then, you have to configure the VPN, point to point, the backup VPN, between the public IP of ISP2 and the public IP of the other site.
But this has a disadvantage: you lose the VPN session to the other site for a while, and then when the backup VPN is established you can have connection to the other site again. This could be a problem or not, it depends on what you need.
Rui Capao