Cisco PIX 525 and Multiple Outside Interfaces

Unanswered Question
Aug 24th, 2010

Hello, I was wondering if someone can help. I am fairly new to PIXes but have been using firewalls for a long time, so please bear with me.


We are in the process of integrating a new ISP into our infrastructure. During this there will be a period of time where both WAN links are active to allow a crossover for our external services. I would like to know how to have two active outside interfaces, to allow us to migrate our customers from one service to another without taking the old link down.


Thanks

chrismstafford Tue, 08/24/2010 - 03:17

I am happy to keep the default route on the old link until it is turned off, then change the default route. I just want to allow people in via the new link so we can get customers to test the service before we cease the old lines.

paolo bevilacqua Tue, 08/24/2010 - 03:21
User Badges:
  • Super Gold, 25000 points or more
  • Hall of Fame, Founding Member

Yes, once you switch the default route, everything will be switched; not a problem.

chrismstafford Tue, 08/24/2010 - 03:22

Does this mean I can have two interfaces named outside1 and outside2 set to a security level of 0?

paolo bevilacqua Tue, 08/24/2010 - 03:25
User Badges:
  • Super Gold, 25000 points or more
  • Hall of Fame, Founding Member

Yes.


Please remember to rate useful posts clicking on the stars below.

paolo bevilacqua Tue, 08/24/2010 - 12:57
User Badges:
  • Super Gold, 25000 points or more
  • Hall of Fame, Founding Member

From the document linked above:


Note: Load balancing does not occur in this example.


That is the limitation I was referring to before. Primary/secondary links are easy; load balancing, not sure. A router does that without any problem.

Jerry Ye Tue, 08/24/2010 - 13:19
User Badges:
  • Cisco Employee,

I don't see anywhere in the thread a requirement for load sharing. Also, I am 100% with you on load sharing in the PIX/ASA.


Regards,

jerry

Nagaraja Thanthry Tue, 08/24/2010 - 05:12
User Badges:
  • Cisco Employee,

Hello,


If you have two ISP connections and you would like to use both of them until they are active, you can certainly do that. Normally, the firewall allows only one default route and the other one needs to be used as a backup route. However, through a workaround, you could send a specific traffic type through the other link. Also, if you just want to test, you can add specific route statements on the PIX sending traffic destined to specific hosts/networks through the second link. Check the following examples:


If you would like to send traffic destined to specific host/network via second link:
--------------------------------------------------------
global (outside2) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0


route outside 0.0.0.0 0.0.0.0
route outside2 64.1.1.0 255.255.255.0
route outside2 100.1.1.1 255.255.255.255



If you would like to use the second ISP as a backup link:
--------------------------------------------------------


global (outside2) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0


route outside 0.0.0.0 0.0.0.0 1 track 1
route outside2 0.0.0.0 0.0.0.0 254


sla monitor 123
type echo protocol ipIcmpEcho interface outside
num-packets 3
frequency 10


sla monitor schedule 123 life forever start-time now


track 1 rtr 123 reachability


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml


If you would like to send specific traffic type via second link:
-----------------------------------------------------------


route outside 0.0.0.0 0.0.0.0 1
route outside2 0.0.0.0 0.0.0.0 254


static (outside2,inside) tcp 0.0.0.0 80 0.0.0.0 80 netmask 0.0.0.0


global (outside2) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0


Hope this helps.


Regards,


NT
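As an added example (not code from the thread or from Cisco), here is a small Python checker for the backup-link configuration NT describes above. It parses the `route`, `sla monitor` and `track` commands and reports the omissions that leave a PIX/ASA without a working failover path: a route with no next-hop gateway, a backup default route whose metric is not higher than the primary's, an untracked primary route, and a track/SLA chain that is missing a piece. The two sample configurations are constructed: one is the thread's example with a gateway on each route and a probe target filled in (203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges, not real ISP addresses), the other repeats the commands exactly as abbreviated in the post. The parser only understands the command forms that appear in the thread.

```python
# Added example (not from the thread or Cisco): parse the 'route', 'sla monitor'
# and 'track' commands of a PIX/ASA config and report the omissions that leave
# a box without a working backup path. Sample addresses are RFC 5737 placeholders.
import re
from collections import namedtuple
from typing import Dict, List, NamedTuple, Optional, Set

# route <iface> <net> <mask> [<gateway>] [<metric>] [track <id>]
ROUTE_RE = re.compile(
    r"^route\s+(?P<iface>\S+)\s+(?P<net>[\d.]+)\s+(?P<mask>[\d.]+)"
    r"(?:\s+(?P<gw>\d+\.\d+\.\d+\.\d+))?(?:\s+(?P<metric>\d+))?"
    r"(?:\s+track\s+(?P<track>\d+))?\s*$")
SCHEDULE_RE = re.compile(r"^sla monitor schedule (\d+)\b")
SLA_RE = re.compile(r"^sla monitor (\d+)\s*$")
PROBE_RE = re.compile(r"^type echo protocol ipIcmpEcho (\S+) interface (\S+)\s*$")
TRACK_RE = re.compile(r"^track (\d+) rtr (\d+) reachability\s*$")

Route = namedtuple("Route", "iface net mask gateway metric track line")

class RoutingConfig(NamedTuple):
    routes: List[Route]
    sla_ids: Set[int]            # 'sla monitor N' blocks seen
    probe_iface: Dict[int, str]  # SLA id -> interface its echo probe leaves on
    scheduled: Set[int]          # SLA ids that have an 'sla monitor schedule'
    tracks: Dict[int, int]       # track id -> SLA id it follows

def parse_config(text: str) -> RoutingConfig:
    cfg = RoutingConfig([], set(), {}, set(), {})
    current_sla: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip()  # submode lines are indented in a running config
        if m := ROUTE_RE.match(line):
            cfg.routes.append(Route(m["iface"], m["net"], m["mask"], m["gw"],
                                    int(m["metric"] or 1),  # PIX default metric is 1
                                    int(m["track"]) if m["track"] else None, line))
        elif m := SCHEDULE_RE.match(line):
            cfg.scheduled.add(int(m.group(1)))
        elif m := SLA_RE.match(line):
            current_sla = int(m.group(1))
            cfg.sla_ids.add(current_sla)
        elif (m := PROBE_RE.match(line)) and current_sla is not None:
            cfg.probe_iface[current_sla] = m.group(2)
        elif m := TRACK_RE.match(line):
            cfg.tracks[int(m.group(1))] = int(m.group(2))
    return cfg

def check_backup_routing(text: str) -> List[str]:
    """Return findings; an empty list means the failover chain is complete."""
    cfg = parse_config(text)
    findings = [f"no next-hop gateway on route via {r.iface}: '{r.line}'"
                for r in cfg.routes if r.gateway is None]
    defaults = sorted((r for r in cfg.routes if r.net == r.mask == "0.0.0.0"),
                      key=lambda r: r.metric)
    if len(defaults) < 2:
        return findings + ["only one default route: nothing to fail over to"]
    primary, backup = defaults[0], defaults[1]
    if primary.metric == backup.metric:
        findings.append("default routes share a metric; the backup needs a higher one "
                        "(the PIX/ASA does not load-balance across them)")
    if primary.track is None:
        return findings + [f"primary default route via {primary.iface} is not tracked, "
                           "so it is never withdrawn when the ISP fails"]
    sla = cfg.tracks.get(primary.track)
    if sla is None:
        findings.append(f"track {primary.track} is referenced but never defined")
    elif sla not in cfg.sla_ids:
        findings.append(f"track {primary.track} follows sla monitor {sla}, which does not exist")
    elif sla not in cfg.probe_iface:
        findings.append(f"sla monitor {sla} lacks a 'type echo protocol ipIcmpEcho "
                        "<target> interface <if>' probe")
    elif cfg.probe_iface[sla] != primary.iface:
        findings.append(f"sla monitor {sla} probes via {cfg.probe_iface[sla]}, "
                        f"not the tracked interface {primary.iface}")
    elif sla not in cfg.scheduled:
        findings.append(f"sla monitor {sla} is never scheduled, so the probe never runs")
    return findings

# Constructed sample: the thread's backup-link commands with a gateway on each
# route and a probe target, as the command syntax requires.
GOOD_CONFIG = """
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254
sla monitor 123
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
"""
# Constructed sample: the same commands as abbreviated in the post (no gateways, no probe target).
AS_POSTED_CONFIG = """
route outside 0.0.0.0 0.0.0.0 1 track 1
route outside2 0.0.0.0 0.0.0.0 254
sla monitor 123
type echo protocol ipIcmpEcho interface outside num-packets 3 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
"""

if __name__ == "__main__":
    for name, sample in (("filled in", GOOD_CONFIG), ("as posted", AS_POSTED_CONFIG)):
        print(name, check_backup_routing(sample) or ["ok"])
```

Run against the filled-in sample the checker returns no findings; run against the commands as abbreviated in the post it flags the two routes without a gateway and the echo probe without a target address, which is exactly what has to be supplied before the configuration is pasted into a real box. The probe-interface check matters because an SLA probe that leaves through the backup interface keeps reporting the primary ISP reachable after it has failed, so the primary route is never withdrawn.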

paolo bevilacqua Tue, 08/24/2010 - 03:14
User Badges:
  • Super Gold, 25000 points or more
  • Hall of Fame, Founding Member

I have found that the ASA, sw 8.2.3, is unable to use two default routes (with NAT), as opposed to a router, which is able to.


Perhaps by manipulating the NAT statements carefully, but it is certainly not a straightforward process.
