03-17-2008 04:47 AM - edited 03-11-2019 05:18 AM
Hello experts, my firewall has two WAN interfaces, wan1 and wan2, each one connected to a DSL router. I configured the rules on the PIX firewall to allow outgoing traffic from the LAN out wan1 and wan2, but I discovered that only wan1 can connect the LAN to the internet; when I tried that on wan2 I found no internet, and after checking the logging I found these messages concerning the wan2 interface:
unhandled_local
drop
disallowed_sender
drop
invalid_arp_sender_ip_address
drop
I would appreciate a quick reply, because this is a critical issue at my customer. Thanks a lot.
03-17-2008 05:11 AM
I am trying to answer this at the middle of my work as you mentioned this is very critical at your end...
Pix, being a security device, does not support two default routes
with the same metric on it. Yes, you can put two default routes with different metrics as
follows:
route outside 0 0 (T1 router IP) 1
route OUT2 0 0 (fiber router IP) 2
But this would not accomplish our goal, as this would be a good scenario for a backup
gateway (just in case the 1st one goes down). Again, here we need to note that if the pix
sees the outside interface has line protocol down, then it would start routing the traffic
to the OUT2 (fiber) interface. This is a scenario for a backup link.
What you are trying to accomplish is neither constructing a backup link nor exactly
load balancing between two links, but something called policy based routing (PBR),
which is routing based on source packets, which pix does not support. However, to accomplish
this goal, we need to implement such a scenario/topology:
---ISP1----
|---ROUTER---PIX---LAN
---ISP2----
Now with this topology, we can send all the traffic to the router (pix default gateway) and
let the router do PBR, sending packets to ISP1 or ISP2 based on source IP address.
Hope this helps!
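An added example of the router-side PBR the reply describes (a constructed IOS configuration, not from the original thread; all addresses, interface names, the 10.1.0.0/16 LAN split and the IP SLA tracking are assumptions):

```cisco
! Constructed example: router sitting between the PIX outside interface and two ISPs
! All addresses and interface names are assumed, not taken from the thread
interface GigabitEthernet0/0
 description Toward PIX outside interface; policy is applied where LAN traffic enters
 ip address 192.0.2.1 255.255.255.0
 ip policy route-map PBR-SPLIT
!
interface GigabitEthernet0/1
 description ISP1 link
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/2
 description ISP2 link
 ip address 203.0.113.2 255.255.255.252
!
! Ordinary routing: ISP1 is the default, ISP2 a floating static backup (AD 250)
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 0.0.0.0 0.0.0.0 203.0.113.1 250
!
! Probe each ISP next hop so a dead link is skipped instead of blackholing traffic
ip sla 1
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip sla 2
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/2
 frequency 10
ip sla schedule 2 life forever start-time now
track 2 ip sla 2 reachability
!
! Source-based split: lower half of the 10.1.0.0/16 LAN via ISP1, upper half via ISP2
ip access-list extended LAN-VIA-ISP1
 permit ip 10.1.0.0 0.0.127.255 any
ip access-list extended LAN-VIA-ISP2
 permit ip 10.1.128.0 0.0.127.255 any
!
! verify-availability + track: if the probe fails, the entry is ignored and the
! packet falls back to the routing table (the floating static above)
route-map PBR-SPLIT permit 10
 match ip address LAN-VIA-ISP1
 set ip next-hop verify-availability 198.51.100.1 10 track 1
route-map PBR-SPLIT permit 20
 match ip address LAN-VIA-ISP2
 set ip next-hop verify-availability 203.0.113.1 10 track 2
```

For the router to match on LAN sources, the PIX must pass those addresses through unchanged (identity NAT) and the router then NATs per ISP link; otherwise every packet arrives with the PIX outside address and only one route-map entry ever matches.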
03-17-2008 05:30 AM
Thanks for your reply, but you mean that I can't do load balancing or backup solutions on a PIX or ASA firewall, and I can do that on the router to the two ISPs, right?
03-17-2008 05:41 AM
Yes, you cannot do load balancing on ASAs/Pixes.
You can definitely configure ISP fallback/redundancy on ASAs/Pixes.