09-15-2009 06:58 AM - edited 03-04-2019 06:03 AM
Hello All,
I have a site that has 2 locations connected by a point-to-point. Each site reaches the Internet through a gateway local to it but can also get to the Internet out the other site's gateway if need be by just changing the default gateway on the host computer. I would like to set up some redundancy that says if the Internet cannot be reached from Site A using Site A's gateway then use Site B's gateway. At each site there is a PIX 501 serving as the DG and then a router in front of the PIXs for Internet connectivity. I would like this to happen automatically. Any help is appreciated.
All replies rated!
09-15-2009 07:30 AM
Angel
Could you just clarify. You say at each site the DG is the PIX 501. And you also say that if you need the host to use the other site for Internet you simply change the default-gateway.
What do you change the default-gateway to?
Jon
09-15-2009 07:47 AM
Hey Jon,
If the DG at Site A is the inside interface of the PIX at 10.0.0.1, to get hosts at Site A to use the DG at Site B I just change the DG on the host to 192.168.0.1, which is the inside interface of the PIX at Site B. Works fine manually. I would love a solution that reroutes if the router is up but the ISP service is down, the router is down or the PIX is down, but I will take what I can get.
09-15-2009 08:09 AM
Angel
The sites are connected via a point-to-point link. What devices are you using for this link?
Basically you are going to need a router(s) somewhere within your site(s) to make this work. The pix 501s don't have the functionality for this.
Jon
09-15-2009 10:16 AM
Hello Jon,
We have a 2801 on one side and a 2621XM on the other side.
09-15-2009 11:12 AM
Angel
Then you should be able to automate this with reliable object-tracking. You will however need to change the default-gateways from the PIX firewalls to the LAN interfaces of the routers.
Is this possible for you to do?
If it is, I will get a config posted up for you tomorrow.
Jon
09-15-2009 12:41 PM
Thanks Jon,
If we change the DG from the PIX to the routers then the outbound traffic could not be inspected and that can't happen. Can the ASA meet the requirements?
Thanks!
09-15-2009 03:46 PM
Angel
"If we change the DG from the PIX to the routers then the outbound traffic could not be inspected and that can't happen. Can the ASA meet the requirements?"
Sorry, didn't explain this very well. The default-gateway would be changed to the router, but outbound traffic, i.e. to the Internet, still has to go via the PIX firewalls, i.e. you would add a default-route to each router pointing to the corresponding PIX.
Would that be okay?
Do you have ASA devices handy?
Jon
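The following is an added example of the reliable object-tracking setup Jon describes, written for the Site A router; it is not Jon's promised config and is not part of the original thread. Only the PIX inside addresses 10.0.0.1 and 192.168.0.1 come from the thread; the router LAN address 10.0.0.2, the point-to-point subnet 172.16.0.0/30, the 12.4-style `ip sla` syntax (older 2621XM images use `rtr` instead) and the probe target 203.0.113.1 (a placeholder for an address beyond Site A's ISP router) are assumptions.

```cisco
! Site A router (assumed 2801). Hosts now use 10.0.0.2 (this router) as DG;
! outbound Internet traffic still leaves via PIX A at 10.0.0.1 so it is inspected.
!
interface FastEthernet0/0
 description Site A LAN - hosts point their DG here (assumed)
 ip address 10.0.0.2 255.255.255.0
!
interface Serial0/0/0
 description point-to-point to Site B router (assumed)
 ip address 172.16.0.1 255.255.255.252
!
! Probe an address past the ISP router (placeholder 203.0.113.1), not the PIX inside
! interface, so an ISP outage is detected and not just a dead PIX.
ip sla 1
 icmp-echo 203.0.113.1 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Reachability object; dampen flaps before failing over / back.
track 1 ip sla 1 reachability
 delay down 30 up 60
!
! Pin the probe target to PIX A. Without this the probe would follow the
! backup default via Site B after failover, succeed, and flap the route back.
ip route 203.0.113.1 255.255.255.255 10.0.0.1
!
! Primary default via local PIX, present only while track 1 is up.
ip route 0.0.0.0 0.0.0.0 10.0.0.1 track 1
! Backup default via Site B router, AD 250 so it is used only when the tracked route is withdrawn.
ip route 0.0.0.0 0.0.0.0 172.16.0.2 250
! Site B LAN is always reachable over the link.
ip route 192.168.0.0 255.255.255.0 172.16.0.2
```

Site B's router gets the mirror image (its default tracked via 192.168.0.1, backup via 172.16.0.1, and a route for 10.0.0.0/24 over the link), and each PIX must permit the router's ICMP probe and its reply on the outside interface for the track to ever come up.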