Load Balancing PIX

Unanswered Question
Oct 7th, 2009

Hi All,

We have the following scenario: 2 firewalls in Active/Standby are facing 2 routers configured with HSRP.

Is it possible, in order to achieve load balancing for certain destination traffic, to have 2 static routes with the same AD but different next hops (each route pointing to a different physical IP address of the router and not to the virtual IP address)?

Thanks in advance.

dhananjoy chowdhury Wed, 10/07/2009 - 23:57

In your case the firewall is in active/standby, so at any point in time only one box is forwarding traffic.

jeansamarani Thu, 10/08/2009 - 00:07

Yes, this is true, but my goal is to achieve load balancing via 2 ISPs, each one connected to the external border router. Can I achieve this by using the above approach? What's the recommendation?

dhananjoy chowdhury Thu, 10/08/2009 - 01:18

You can achieve link-level redundancy, not load balancing, in your current setup.

Run BGP between your routers and the PE routers, and also an IGP protocol between your gateway routers.

For achieving load balancing between your links, you may run GLBP instead of HSRP on your gateway routers, EBGP between your routers and the PE routers, and also an IGP protocol between your gateway routers.

Maybe other gurus here will give you better suggestions :)

jeansamarani Thu, 10/08/2009 - 02:10

Just to make sure that I got your point: I need to use GLBP in combination with eBGP and the IGP on the border routers?

dhananjoy chowdhury Thu, 10/08/2009 - 12:16

Yes, you got it.

A few more additions to this I can think of:

- Tell your ISP to advertise a default route on both your links via EBGP.

- You will need to configure BGP MED on your gateway routers while advertising your IP subnets to the PE.

Good luck.

Also, you can refer to this link:

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a00800945bf.shtml#diag3

Saurabh Kishore Thu, 10/08/2009 - 15:46

Hi,

Though ASA/PIX do not support load balancing or packet shaping, let's say you have 2 ISPs: the traffic can be divided based on the routes you apply on the firewall.

A simple example would be:

route outside 0.0.0.0 128.0.0.0 x.x.x.x

route outside 128.0.0.0 128.0.0.0 y.y.y.y

Here x.x.x.x will be your ISP1 and y.y.y.y will be ISP2.

This way the traffic can be divided between the 2 ISPs; however, this is just a workaround and is not a complete load balancing solution.

Though load balancing can be configured on Cisco routers, it is not a supported feature on the ASA/PIX firewall.

Let me know if you have any other questions
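
Added example, not part of any post in this thread: a small longest-prefix-match model of the two `128.0.0.0`-mask routes above, showing which ISP a destination uses and what happens to half the address space when one next hop is lost. The next-hop addresses are constructed placeholders for x.x.x.x and y.y.y.y, and the backup default routes and the `down` parameter (a route being withdrawn when its next hop is declared dead) are assumptions that go beyond the post.

```python
import ipaddress

# Constructed next hops (documentation ranges) standing in for x.x.x.x / y.y.y.y.
ISP1 = "192.0.2.1"
ISP2 = "198.51.100.1"

# The two static routes from the post: (network, netmask, next hop).
SPLIT_ROUTES = [
    ("0.0.0.0", "128.0.0.0", ISP1),    # destinations 0.0.0.0 - 127.255.255.255
    ("128.0.0.0", "128.0.0.0", ISP2),  # destinations 128.0.0.0 - 255.255.255.255
]

# Assumption: one less-specific default route per ISP added as a fallback.
BACKUP_ROUTES = [
    ("0.0.0.0", "0.0.0.0", ISP1),
    ("0.0.0.0", "0.0.0.0", ISP2),
]

def build_table(routes):
    """Turn (network, netmask, next hop) tuples into (IPv4Network, next hop)."""
    return [(ipaddress.ip_network(f"{net}/{mask}"), hop) for net, mask, hop in routes]

def next_hop(table, dest, down=()):
    """Longest-prefix match. Routes whose next hop is in `down` are skipped,
    modelling a route withdrawn from the table. Returns None if no route is left."""
    addr = ipaddress.ip_address(dest)
    best = None
    for net, hop in table:
        if hop in down or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, hop)
    return best[1] if best else None

SPLIT = build_table(SPLIT_ROUTES)
WITH_BACKUP = build_table(SPLIT_ROUTES + BACKUP_ROUTES)

if __name__ == "__main__":
    # Constructed sample destinations, one in each half of the address space.
    for dest in ("8.8.8.8", "203.0.113.10"):
        print(dest, "both up      ->", next_hop(SPLIT, dest))
        print(dest, "ISP2 lost    ->", next_hop(SPLIT, dest, down={ISP2}))
        print(dest, "ISP2 lost+bk ->", next_hop(WITH_BACKUP, dest, down={ISP2}))
```

The split is by destination address only, so the share of traffic each ISP carries depends on where the destinations fall, not on link load.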
