03-25-2008 12:28 PM - edited 03-11-2019 05:22 AM
Hello - I have a PIX 515 in which I have a T1 line that I use for my internet access. I just added a new line and here is what I want to do:
Take the internet traffic off the old line (a.a.a.a) and put it to the new line (b.b.b.b).
Use the old line as a failover for the new.
Now I thought it was as easy as this:
route outside 0.0.0.0 0.0.0.0 b.b.b.b 1
route outside 0.0.0.0 0.0.0.0 a.a.a.a 2
Thinking the high metric for the new line would work unless it was down, and then traffic would go out the old line again.
I am a noob with PIX, so let me know what I am doing wrong.
03-25-2008 12:58 PM
Is the pix outside interface plugged into a router with both T1s? If so check its default gateway, make sure its priority is b.b.b.b also. If it's a switch the same principle applies.
If you are using a different interface for the T1, make sure you use it and not outside ex: route newinterface 0.0.0.0 0.0.0.0 b.b.b.b 1
03-26-2008 03:55 AM
Thanks - Both lines are plugged directly into the pix, and our router just has a default route pointing to the inside interface of the pix (ex. ip route 0.0.0.0 0.0.0.0 192.168.2.2) And sorry - having the word "outside" in both those lines was a typo on my part!
03-26-2008 09:18 AM
Your default route (on router) should be to your ISP
ex. ip route 0.0.0.0 0.0.0.0 b.b.b.b 1
If the interface connecting to your pix is private, just put your networks pointing to that interface on the pix.
ex. ip route 172.16.0.0 255.255.0.0 192.168.2.2
and possibly
ip route 192.168.0.0 255.255.0.0 192.168.2.2
I hope you get the idea.... Make the routes going to your pix more specific.
Then on the pix make sure your default route is pointing to the correct interface, like in the previous post. And make sure you have a NAT statement going out that interface. You can use the same one that you had going out your outside. (Make the new interface look almost the same as the outside interface.)
Jake
03-26-2008 09:49 AM
Can you be a bit more specific about your topology? How exactly is this new line terminated? On a router?
03-27-2008 04:14 AM
Sure - yes, the line is a Verizon FiOS fiber optic line (15 Mbps) that comes into a D-Link router which then plugs into ethernet5 on the pix. From the pix I can ping the provider, but can't ping the provider from anywhere behind the pix, hence I can't get the web traffic to use that link.
03-27-2008 07:11 AM
Ok - I am going to back up and start from scratch here - I think I may have not explained this very well. I have:
1 T1 (A.A.A.A) terminated at a 1721 then plugged into ethernet0 (if_name outside). Works fine.
1 new Verizon 15 Mb FiOS fiber optic line (B.B.B.B) terminated at a D-Link router then plugged into ethernet3 on the pix (if_name Internet).
I want to be able to use the fiber optic line (B.B.B.B) for internet traffic while keeping the T1 (A.A.A.A) as a standby in case the fiber optic line goes down
My problem is no matter what I try I can't get traffic to flow over the fiber optic line. I know it's working because I can connect directly to the fiber optic line and get out to the net. I am attaching the config for my pix. Take a look and let me know what I need to do to get this to work. Thanks!
03-27-2008 07:54 AM
You need a global statement for the Internet interface and track statements, so:
global (internet) B.B.B.B netmask 255.255.255.255
and
route internet 0.0.0.0 0.0.0.0 B.B.B.B 1 track (your D-Link's gateway)
route outside 0.0.0.0 0.0.0.0 A.A.A.A 5
you need to make sure your internet route has the track statement, when it goes down, it will use the outside interface.
03-27-2008 08:06 AM
Jake, thanks, I really appreciate your patience. So just so I have this straight - right now I have:
b.b.b.1 - Verizon side router - their end
b.b.b.3 - Dlink router - my end
b.b.b.4 - Internet interface on my pix.
b.b.b.5-b.b.b.6 - open for me to use.
should my config, based on what you said look like this?
global (internet) B.B.B.1 netmask 255.255.255.255
route internet 0.0.0.0 0.0.0.0 B.B.B.3 1 track
03-27-2008 08:13 AM
global (internet) B.B.B.6 netmask 255.255.255.255
route internet 0.0.0.0 0.0.0.0 B.B.B.3 1 track 1
track 1 rtr 10 reachability
I forgot that last line... it's been a while since I used the track statement.
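For reference, here is the complete tracked-default-route configuration the two posts above are sketching, written out as an added example rather than anything posted in this thread. It assumes PIX/ASA 7.2(1) or later (static route tracking is not present in earlier releases, which matches the "track is unknown" report later in the thread), the interface names and addresses given above (Internet interface at B.B.B.4, D-Link at B.B.B.3, Verizon's router at B.B.B.1), and that B.B.B.1 answers ICMP from the PIX. Everything else (probe counts, timers, the NAT pool number) is an illustrative choice.

```cisco
! Added example, not the poster's config. Assumes PIX/ASA 7.2(1)+ syntax.
!
! 1. Probe something past the D-Link, so a dead upstream is detected
!    and not only a dead cable to the D-Link. B.B.B.1 (Verizon side)
!    is assumed to answer ICMP from the PIX.
sla monitor 1
 type echo protocol ipIcmpEcho B.B.B.1 interface Internet
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
!
! 2. Tie a tracked object to that probe ("rtr 1" refers to sla monitor 1).
track 1 rtr 1 reachability
!
! 3. Primary default route stays installed only while track 1 is up;
!    the T1 route has a worse metric and takes over when it goes down.
route Internet 0.0.0.0 0.0.0.0 B.B.B.3 1 track 1
route outside 0.0.0.0 0.0.0.0 A.A.A.A 10
!
! 4. PAT inside hosts to the PIX's own address on whichever interface
!    currently holds the default route (illustrative pool id 1).
global (Internet) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
```

To check it: `show sla monitor operational-state` shows whether the probe is getting replies, `show track 1` shows the tracked state, and `show route` shows which default route is currently installed. Two caveats a practitioner should keep in mind: the probe's echo replies are to-the-box traffic, so an `icmp deny` on the Internet interface (not the access-group ACL) would silently break the track; and when the default route flips, connections and xlates built on the old interface do not move with it, which is why a `clear xlate` after a failover is part of the procedure rather than an afterthought.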
03-27-2008 08:41 AM
Ok - still not working when I do that, but I think I see why. I cannot ping from b.b.b.4 to b.b.b.3 even though I have a cable going from one to the other on the other side of the room, green lights on both ends and an up/up on the interface on the pix. What's missing here?
Also - the 'track' command is an unknown on my pix - is that a later version command?
03-27-2008 08:50 AM
Yeah, track is in a later version, not really an issue.
changes:
route outside 0.0.0.0 0.0.0.0 A.A.A.A 10
route internet 0.0.0.0 0.0.0.0 B.B.B.B 1
The Internet_acl looks to be in error. It's going to network A and needs to be B.
Might want to take off the "access-group Internet_acl in interface Internet" just to test.
Also once you change the routes, go to www.network-tools.com and see what your IP is.
03-27-2008 09:20 AM
Ugh - if I wasn't bald I'd be pulling my hair out. Tried the above, still no go. It's got to be something simple that I am missing. Now, can I tell the pix to only use that link for http/https traffic and have everything else continue to use the old link? Would that make this easier? I still have to figure out why I can't ping the D-Link from the pix.
Did I already tell you I appreciate the help?
03-27-2008 09:33 AM
It would not be easier to send all www traffic out one interface.
Try this for pings
access-list Internet_acl extended permit icmp any any echo-reply
access-list Internet_acl extended permit icmp any any time-exceeded
access-list Internet_acl extended permit icmp any any unreachable
Have you done a clear xlate? That might be all it is. Also please post an updated config.
03-27-2008 10:06 AM