Cisco PIX 525 and Multiple Outside Interfaces

Unanswered Question
Aug 24th, 2010

Hello, I was wondering if someone can help. I am fairly new to PIXes but have been using firewalls for a long time, so please bear with me.

We are in the process of integrating a new ISP into our infrastructure. During this there will be a period of time where both WAN links are active to allow a cross-over for our external services. I would like to know how to have two active outside interfaces to allow us to migrate our customers from one service to another without taking the old link down.

Thanks

chrismstafford Tue, 08/24/2010 - 03:17

I am happy to keep the default route on the old link until it is turned off, then change the default route. I just want to allow people in via the new link so we can get customers to test the service before we cease the old lines.

chrismstafford Tue, 08/24/2010 - 03:22

Does this mean I can have two interfaces named outside1 and outside2 set to a security level of 0?

Paolo Bevilacqua Tue, 08/24/2010 - 12:57

From the document linked above:

Note: Load balancing does not occur in this example.

That is the limitation I was referring to before. Primary/secondary links is easy, load balancing, not sure. A router does that without any problem.

Jerry Ye Tue, 08/24/2010 - 13:19

I don't see anywhere in the thread a requirement for load sharing. Also, I am 100% with you on load sharing in the PIX/ASA.

Regards,

jerry

Nagaraja Thanthry Tue, 08/24/2010 - 05:12

Hello,

If you have two ISP connections and you would like to use both of them until they are active, you can certainly do that. Normally, the firewall allows only one default route and the other one needs to be used as a backup route. However, through a workaround, you could send a specific traffic type through the other link. Also, if you just want to test, you can add specific route statements on the PIX sending traffic destined to specific hosts/networks through the second link. Check the following examples:

If you would like to send traffic destined to a specific host/network via the second link:
--------------------------------------------------------
global (outside2) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0
route outside2 64.1.1.0 255.255.255.0
route outside2 100.1.1.1 255.255.255.255


If you would like to use the second ISP as a backup link:
--------------------------------------------------------

global (outside2) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 1 track 1
route outside2 0.0.0.0 0.0.0.0 254

sla monitor 123
 type echo protocol ipIcmpEcho interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now

track 1 rtr 123 reachability

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

If you would like to send a specific traffic type via the second link:
-----------------------------------------------------------

route outside 0.0.0.0 0.0.0.0 1
route outside2 0.0.0.0 0.0.0.0 254

static (outside2,inside) tcp 0.0.0.0 80 0.0.0.0 80 netmask 0.0.0.0

global (outside2) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

Hope this helps.

Regards,

NT
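
A consistency check for the backup-link configuration above, added here as an example and not part of the original thread. It parses the route, sla monitor and track lines from a constructed copy of that snippet (the gateway and probe addresses are documentation-range placeholders, since the post omits them) and reports the wiring mistakes that leave the second link silently unused: two default routes with the same metric, an untracked primary default route, an SLA monitor that is never scheduled.

```python
import re

# Constructed sample after the post's backup-link snippet; IPs are documentation-range placeholders.
SAMPLE_CONFIG = """\
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254
sla monitor 123
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
"""

ROUTE_RE = re.compile(  # route <ifc> <dest> <mask> <gateway> [metric] [track <id>]
    r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?(?: track (\d+))?\s*$")
SLA_RE = re.compile(r"^sla monitor (\d+)\s*$")
SCHED_RE = re.compile(r"^sla monitor schedule (\d+)\b")
TRACK_RE = re.compile(r"^track (\d+) rtr (\d+) reachability\s*$")

def parse_config(text):  # routes, SLA monitor ids, scheduled SLA ids, track id -> SLA id
    routes, slas, scheduled, tracks = [], set(), set(), {}
    for line in text.splitlines():
        if m := ROUTE_RE.match(line):
            ifc, dest, mask, gw, metric, track = m.groups()
            routes.append({"ifc": ifc, "dest": dest, "mask": mask, "gw": gw,
                           "metric": int(metric or 1), "track": track})
        elif m := SCHED_RE.match(line):
            scheduled.add(m.group(1))
        elif m := SLA_RE.match(line):
            slas.add(m.group(1))
        elif m := TRACK_RE.match(line):
            tracks[m.group(1)] = m.group(2)
    return routes, slas, scheduled, tracks

def check_failover(text):  # [] means the primary/backup wiring is consistent
    routes, slas, scheduled, tracks = parse_config(text)
    findings = []
    defaults = [r for r in routes if r["dest"] == r["mask"] == "0.0.0.0"]
    metrics = [r["metric"] for r in defaults]
    if len(defaults) > 1 and len(set(metrics)) < len(metrics):
        findings.append("equal-metric default routes: the PIX installs only one of them")
    if len(defaults) > 1 and not any(r["track"] for r in defaults if r["metric"] == min(metrics)):
        findings.append("primary default route is not tracked, so it is never withdrawn")
    for tid, sla in tracks.items():
        if sla not in slas:
            findings.append(f"track {tid} references undefined sla monitor {sla}")
        elif sla not in scheduled:
            findings.append(f"sla monitor {sla} is never scheduled, so track {tid} never comes up")
    return findings
```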

Paolo Bevilacqua Tue, 08/24/2010 - 03:14

I have found that the ASA, sw 8.2.3, is unable to use two default routes (with NAT), as opposed to a router, which is able to.

Perhaps by manipulating the nat statements carefully, but it certainly is not a straightforward process.
