backup and load balancing solution problem

Unanswered Question
Mar 17th, 2008

hello experts, my firewall has two WAN interfaces, wan1 and wan2, each one connected to a DSL router. I configured the rules on the PIX firewall to allow outgoing traffic from the LAN out wan1 and wan2, but I discovered that only wan1 can connect the LAN to the internet; when I tried that on wan2 I found no internet, and after checking the logging I found these messages concerning the wan2 interface:

unhandled_local  drop
disallowed_sender  drop
invalid_arp_sender_ip_address  drop

I would appreciate a quick reply, because this is a critical issue at my customer. Thanks a lot.

abinjola Mon, 03/17/2008 - 05:11
User Badges: Cisco Employee

I am trying to answer this in the middle of my work, as you mentioned this is very critical at your end...

The PIX, being a security device, does not support two default routes with the same metric on it. Yes, you can put two default routes with different metrics as follows:

route outside 0 0 (T1 router IP) 1
route OUT2 0 0 (fiber router IP) 2

But this would not accomplish our goal, as this would be a good scenario for a backup gateway (just in case the 1st one goes down). Again, here we need to note that if the PIX sees the outside interface has line protocol down, then it would start routing the traffic to the OUT2 (fiber) interface. This is a scenario for a backup link.

What you are trying to accomplish is neither constructing a backup link nor exactly load balancing between two links, but something called policy based routing (PBR), which is routing based on the source of the packets, which the PIX does not support. However, to accomplish this goal, we need to implement such a scenario/topology:

---ISP1----
|---ROUTER---PIX---LAN
---ISP2----

Now with this topology, we can send all the traffic to the router (the PIX default gateway) and let the router do PBR, sending packets to ISP1 or ISP2 based on source IP address.

Hope this helps!
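The two-ISP router topology in the answer above, worked out as an added configuration example (this is not from the original post or from Cisco's documentation): IOS policy routing on the router splits the LAN by source address, while the PIX keeps a single default route to the router and is left not translating LAN addresses, so the router still sees the real sources it must match on. The addresses (192.168.1.0/24 LAN, 10.0.0.0/24 link between PIX and router, 203.0.113.1 and 198.51.100.1 as the ISP gateways), the interface names, the half-and-half split of the LAN, and the pre-8.3 PIX NAT syntax are all assumptions.

```cisco
! ---- PIX (7.x, pre-8.3 NAT syntax), added example ----
! Identity NAT for the LAN (assumed 192.168.1.0/24) so the router sees real source addresses;
! NAT towards the ISPs is done on the router instead.
nat (inside) 0 192.168.1.0 255.255.255.0
! One default route only: the router (assumed 10.0.0.1) is the PIX's gateway.
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1

! ---- IOS router, added example: PBR by source address, NAT per ISP ----
! Which LAN hosts use which ISP (assumed split: lower half via ISP1, upper half via ISP2).
ip access-list extended VIA-ISP1
 permit ip 192.168.1.0 0.0.0.127 any
ip access-list extended VIA-ISP2
 permit ip 192.168.1.128 0.0.0.127 any
!
! Policy: traffic matching a clause gets that next hop; anything else follows the routing table.
route-map SPLIT-WAN permit 10
 match ip address VIA-ISP1
 set ip next-hop 203.0.113.1
route-map SPLIT-WAN permit 20
 match ip address VIA-ISP2
 set ip next-hop 198.51.100.1
!
! PAT is selected by egress interface, so each flow is translated to the address of the
! ISP link it actually leaves on and replies return over the same link.
route-map NAT-ISP1 permit 10
 match interface FastEthernet0/1
route-map NAT-ISP2 permit 10
 match interface FastEthernet1/0
ip nat inside source route-map NAT-ISP1 interface FastEthernet0/1 overload
ip nat inside source route-map NAT-ISP2 interface FastEthernet1/0 overload
!
interface FastEthernet0/0
 description towards PIX outside (assumed 10.0.0.2)
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip policy route-map SPLIT-WAN
interface FastEthernet0/1
 description ISP1
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
interface FastEthernet1/0
 description ISP2
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
! Return path to the LAN is via the PIX; ISP1 is the default for anything not policy-routed.
ip route 192.168.1.0 255.255.255.0 10.0.0.2
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

Check it with `show route-map SPLIT-WAN` (the per-clause packet counters show whether each half of the LAN is actually being steered) and `show ip nat translations` (each flow should appear translated to the address of the ISP interface it left on). Plain PBR as written keeps sending matching traffic to a next hop even after that ISP dies; if that matters, the `set ip next-hop` clauses need `verify-availability` tied to an IP SLA track, which this example does not include.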

labib-makar Mon, 03/17/2008 - 05:30
thanks for your reply, but you mean that I can't do load balancing or backup solutions on the PIX or ASA firewall, and I can do that on the router to the two ISPs, right?

abinjola Mon, 03/17/2008 - 05:41
User Badges: Cisco Employee

Yes, you cannot do load balancing on ASAs/PIXes.

You can definitely configure ISP fallback/redundancy on ASAs/PIXes.
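The ISP fallback/redundancy referred to above, as an added example that is not part of the original thread: on PIX/ASA 7.2 and later the primary default route can be tied to an SLA probe, so failover also happens when the DSL line is dead but the firewall's link to the DSL router stays up (with a DSL router in front of each WAN interface, "line protocol down" on the firewall alone will rarely trigger). The interface names wan1 and wan2 are taken from the question; the LAN (192.168.1.0/24), the gateway/probe addresses (203.0.113.1 and 198.51.100.1) and the pre-8.3 NAT syntax are assumptions.

```cisco
! Probe ISP1's gateway (assumed 203.0.113.1) out of wan1 every 10 seconds.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface wan1
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
! The track object goes down when the probe fails...
track 1 rtr 10 reachability
!
! ...and the primary default route is withdrawn with it. The backup carries a worse
! metric, so it only wins while the tracked route is absent from the routing table.
route wan1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route wan2 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! PAT on whichever WAN interface the traffic leaves, so the LAN still reaches the
! internet after failover instead of leaving wan2 with untranslated private sources.
nat (inside) 1 192.168.1.0 255.255.255.0
global (wan1) 1 interface
global (wan2) 1 interface
```

`show route` shows only the currently active default route, `show track 1` the reachability state, and `show sla monitor operational-state` the probe results. Two caveats a practitioner should plan for: probe an address beyond the DSL router (the ISP gateway or something further upstream), since pinging the DSL router itself only proves the local segment is up; and existing TCP sessions do not migrate when the route flips, so a failover is a visible interruption, not a seamless one.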
