Internet link failover

Unanswered Question
Mar 25th, 2008

Hello - I have a PIX 515 in which I have a T1 line that I use for my internet access. I just added a new line and here is what I want to do:


Take the internet traffic off the old line (a.a.a.a) and put it to the new line (b.b.b.b).


Use the old line as a failover for the new.


Now I thought it was as easy as this:

route outside 0.0.0.0 0.0.0.0 b.b.b.b 1

route outside 0.0.0.0 0.0.0.0 a.a.a.a 2


Thinking the high metric for new line would work unless it was down, and then traffic would go out the old line again.


I am a noob with PIX, so let me know what I am doing wrong.


cjake7777 Tue, 03/25/2008 - 12:58

Is the pix outside interface plugged into a router with both t1s? If so check its default gateway, make sure its priority is b.b.b.b also. If it's a switch the same principle applies.

If you are using a different interface for the t1, make sure you use it and not outside ex: route newinterface 0.0.0.0 0.0.0.0 b.b.b.b 1

adcorbett_2 Wed, 03/26/2008 - 03:55

Thanks - Both lines are plugged directly into the pix, and our router just has a default route pointing to the inside interface of the pix (ex. ip route 0.0.0.0 0.0.0.0 192.168.2.2). And sorry - having the word "outside" in both those lines was a typo on my part!

cjake7777 Wed, 03/26/2008 - 09:18

Your default route (on router) should be to your ISP

ex. ip route 0.0.0.0 0.0.0.0 b.b.b.b 1

If the interface connecting to your pix is private, just put your networks pointing to that interface on the pix.

ex. ip route 172.16.0.0 255.255.0.0 192.168.2.2

and possibly

ip route 192.168.0.0 255.255.0.0 192.168.2.2

I hope you get the idea.... Make the routes going to your pix more specific.


Then on the pix make sure your default route is pointing to the correct interface, like in the previous post. And make sure you have a NAT statement going out that interface. You can use the same one that you had going out your outside. (Make the new interface look almost the same as the outside interface.)


Jake

laurent.geyer Wed, 03/26/2008 - 09:49

Can you be a bit more specific about your topology? How exactly is this new line terminated? On a router?

adcorbett_2 Thu, 03/27/2008 - 04:14

Sure - yes, the line is a Verizon FiOS fiber optic line (15 Mbps) that comes into a D-Link router which then plugs into ethernet5 on the pix. From the pix I can ping the provider, but can't ping the provider from anywhere behind the pix, hence, I can't get the web traffic to use that link.

adcorbett_2 Thu, 03/27/2008 - 07:11

Ok - I am going to back up and start from scratch here - I think I may have not explained this very well. I have:


1 T1 (A.A.A.A) terminated at a 1721 then plugged into ethernet0 (if_name outside). Works fine.


1 new Verizon 15Mb FiOS fiber optic line (B.B.B.B) terminated at a D-Link router then plugged into ethernet3 on the pix (if_name Internet).


I want to be able to use the fiber optic line (B.B.B.B) for internet traffic while keeping the T1 (A.A.A.A) as a standby in case the fiber optic line goes down.


My problem is no matter what I try I can't get traffic to flow over the fiber optic line. I know it's working because I can connect directly to the fiber optic line and get out to the net. I am attaching the config for my pix. Take a look and let me know what I need to do to get this to work. Thanks!



cjake7777 Thu, 03/27/2008 - 07:54

you need a global statement for the internet interface and track statements, so:

global (internet) B.B.B.B netmask 255.255.255.255

and

route internet 0.0.0.0 0.0.0.0 B.B.B.B 1 track (your dlinks gateway)

route outside 0.0.0.0 0.0.0.0 A.A.A.A 5


you need to make sure your internet route has the track statement; when it goes down, it will use the outside interface.

adcorbett_2 Thu, 03/27/2008 - 08:06

Jake, thanks, I really appreciate your patience. So just so I have this straight - right now I have

b.b.b.1 - Verizon side router - their end

b.b.b.3 - Dlink router - my end

b.b.b.4 - Internet interface on my pix.

b.b.b.5-b.b.b.6 - open for me to use.


should my config, based on what you said look like this?

global (internet) B.B.B.1 netmask 255.255.255.255

route internet 0.0.0.0 0.0.0.0 B.B.B.3 1 track

cjake7777 Thu, 03/27/2008 - 08:13

global (internet) B.B.B.6 netmask 255.255.255.255

route internet 0.0.0.0 0.0.0.0 B.B.B.3 1 track 1

track 1 rtr 10 reachability


I forgot that last line... it's been a while since I used the track statement
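A complete version of the tracked-route setup Jake sketches in this post and the one before it, added here as an example and not taken from the thread. It uses the thread's addresses and the interface name "Internet", assumes 4.2.2.2 as the probe target (the address Jake later suggests pinging), and needs a PIX/ASA release that has sla monitor and track; the route only flips to the T1 when the probe fails, and the probe must target something past the D-Link, or a dead fiber uplink with a live LAN cable would never be detected.

```cisco
! Assumed from the thread: Internet (ethernet3) on B.B.B.0/29, D-Link gateway B.B.B.3,
! PIX Internet address B.B.B.4, spare public B.B.B.6; outside (ethernet0) via A.A.A.A.
! Requires a release with sla monitor / track (not present on the poster's PIX).

! 1. Probe a host beyond the D-Link, sourced from the Internet interface.
!    Pinging the D-Link itself only proves the LAN cable, not the fiber uplink.
sla monitor 10
 type echo protocol ipIcmpEcho 4.2.2.2 interface Internet
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now

! 2. Bind a tracked object to the probe (the line Jake says he forgot).
track 1 rtr 10 reachability

! 3. Primary default route stays installed only while track 1 is up;
!    the T1 route has a worse metric and takes over when it is withdrawn.
route Internet 0.0.0.0 0.0.0.0 B.B.B.3 1 track 1
route outside 0.0.0.0 0.0.0.0 A.A.A.A 10

! 4. Inside hosts need a translation on whichever interface the route picks,
!    so the same NAT pool gets a global on both egress interfaces.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (Internet) 1 B.B.B.6 netmask 255.255.255.255

! 5. Return ICMP for pings from inside hosts, as suggested later in the thread
!    (probe replies to the PIX's own address are governed by the icmp command, not this ACL).
access-list Internet_acl extended permit icmp any any echo-reply
access-list Internet_acl extended permit icmp any any time-exceeded
access-list Internet_acl extended permit icmp any any unreachable
access-group Internet_acl in interface Internet
```

After applying it, "show route" should list only the Internet default route while the probe succeeds, and "show track 1" reports the reachability state the routing decision follows.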

adcorbett_2 Thu, 03/27/2008 - 08:41

Ok - still not working when I do that but I think I see why. I cannot ping from b.b.b.4 to b.b.b.3 even though I have a cable going from one to the other on the other side of the room, green lights on both ends and an up/up on the interface on the pix. What's missing here?


Also - the 'track' command is an unknown on my pix - is that a later version command?

cjake7777 Thu, 03/27/2008 - 08:50

Yeah track is on a later version, not really an issue.

changes:

route outside 0.0.0.0 0.0.0.0 A.A.A.A 10

route internet 0.0.0.0 0.0.0.0 B.B.B.B 1

The Internet_acl looks to be in error. It's going to network A and needs to be B.

Might want to take off the "access-group Internet_acl in interface Internet" just to test.

Also once you change the routes, go to www.network-tools.com and see what your IP is.

adcorbett_2 Thu, 03/27/2008 - 09:20

Ugh - if I wasn't bald I'd be pulling my hair out. Tried the above, still no go. It's got to be something simple that I am missing. Now, can I tell the pix to only use that link for http/https traffic and everything else continue to use the old link? Would that make this easier? I still have to figure out why I can't ping the D-Link from the pix.


Did I already tell you I appreciate the help?

cjake7777 Thu, 03/27/2008 - 09:33

It would not be easier to send all www traffic out one interface.

Try this for pings

access-list Internet_acl extended permit icmp any any echo-reply

access-list Internet_acl extended permit icmp any any time-exceeded

access-list Internet_acl extended permit icmp any any unreachable


have you done a clear xlate? That might be all it is. Also please post an updated config.

adcorbett_2 Thu, 03/27/2008 - 10:06

Ok, I added those - it choked on the 'extended' part, so I just added them to the acl itself. Did the clear xlate as well. Here is the updated config. Thanks!


ALSO - I added the last octet to the addresses to see if that helps at all.



cjake7777 Thu, 03/27/2008 - 10:23

Have you tried to ping past the router from your desk?

ping 4.2.2.2

then trace to it and make sure it's going out your outside ip address. Also go to www.network-tools.com and verify the IP. I need to know that result. It looks like everything is there.

adcorbett_2 Thu, 03/27/2008 - 10:35

I had a continuous ping going to google while I made the change and it dropped as soon as I added the route Internet 0.0.0.0 0.0.0.0 b.b.b.3 1 command. I had to revert to the original config and have to refrain from testing here for a while - the office is getting ticked off at me. I will tackle this again tonight. I am thinking a restart of the D-Link and pix.
