Redundant Gateways

angel-moon
Level 3

Hello All,

I have a site that has 2 locations connected by a point to point. Each site reaches the Internet through a gateway local to it but can also get to the Internet out the other site's gateway if need be by just changing the default gateway on the host computer. I would like to set up some redundancy that says if the Internet cannot be reached from Site A using Site A's gateway then use Site B's gateway. At each site there is a PIX 501 serving as the DG and then a router in front of the PIXs for Internet connectivity. I would like this to happen automatically. Any help is appreciated.

All replies rated!


Jon Marshall
Hall of Fame

Angel

Could you just clarify? You say at each site the DG is the pix 501. And you also say that if you need the host to use the other site for internet you simply change the default-gateway.

What do you change the default-gateway to?

Jon

Hey Jon,

If the DG at Site A is the inside interface of the PIX at 10.0.0.1, to get hosts at Site A to use the DG at Site B I just change the DG on the host to 192.168.0.1, which is the inside interface of the PIX at Site B. Works fine manually. I would love a solution that reroutes if the router is up but the ISP service is down, the router is down or the PIX is down, but I will take what I can get.

Angel

The sites are connected via a point-to-point link. What devices are you using for this link?

Basically you are going to need a router(s) somewhere within your site(s) to make this work. The pix 501s don't have the functionality for this.

Jon

Hello Jon,

We have a 2801 on one side and a 2621XM on the other side.

Angel

Then you should be able to automate this with reliable object-tracking. You will however need to change the default-gateways from the pix firewalls to the LAN interfaces of the routers.

Is this possible for you to do?

If it is, I will get a config posted up for you tomorrow.

Jon

Thanks Jon,

If we change the DG from the PIX to the routers then the outbound traffic could not be inspected and that can't happen. Can the ASA meet the requirements?

Thanks!

Angel

"If we change the DG from the PIX to the routers then the outbound traffic could not be inspected and that can't happen. Can the ASA meet the requirements?"

Sorry, didn't explain this very well. The default-gateway would be changed to the router, but outbound traffic, i.e. to the Internet, still has to go via the pix firewalls, i.e. you would add a default-route to each router pointing to the corresponding pix.

Would that be okay?

Do you have ASA devices handy?

Jon
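
The design described in the thread (hosts default to the site router, the router defaults to its local PIX, and a tracked route fails over to the other site) could look like the sketch below for the Site A router; this is an added example, not a configuration posted by anyone in the thread. Assumptions: an IOS release that accepts the `ip sla` / `track ... ip sla` syntax (older 12.x releases use `ip sla monitor` and `track ... rtr`), the probe target 192.0.2.1 and the point-to-point peer 172.16.0.2 are constructed placeholders, and 10.0.0.1 is the Site A PIX inside interface as stated in the thread.

```cisco
! Site A router: added example, not from the thread.
! 192.0.2.1  = placeholder for a stable Internet host to probe (assumption)
! 172.16.0.2 = placeholder for the Site B router on the point-to-point link (assumption)
! 10.0.0.1   = Site A PIX inside interface (from the thread)

! Probe an Internet host every 10 seconds.
ip sla 1
 icmp-echo 192.0.2.1
 frequency 10
ip sla schedule 1 life forever start-time now

! Track probe reachability; the delays damp flapping on a lossy link.
track 1 ip sla 1 reachability
 delay down 20 up 60

! Pin the probe to the local PIX so it always tests Site A's own path,
! even while the default route points at Site B.
ip route 192.0.2.1 255.255.255.255 10.0.0.1

! Primary default: through the local PIX, so outbound traffic is still
! inspected. Installed only while track 1 is up.
ip route 0.0.0.0 0.0.0.0 10.0.0.1 track 1

! Floating default: across the point-to-point link to the Site B router,
! whose own default points at the Site B PIX (192.168.0.1).
! If both sites use this pattern and both Internet paths fail, the two
! routers default to each other until the probes recover.
ip route 0.0.0.0 0.0.0.0 172.16.0.2 250
```

For this to work, the Site A PIX has to pass the router's ICMP echo and the returning echo-reply, otherwise the track never comes up. The Site B PIX also needs a route back to the Site A subnet via its router and a translation rule covering Site A source addresses, so failed-over traffic is inspected and translated there instead of dropped.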
