
I need help with second ISp and PIX firewall


Hello,

I can't figure this out on my own. PLEASE HELP, thank you.

This is what I have now: ISP(1)->2611->PIX->LAN, RIP protocol.

Here is a sample config of the 2611:

interface FastEthernet0/0
 ip address 1.1.1.65 255.255.255.224   <---- ISP(1)
 ip broadcast-address 1.1.1.95
!
interface Serial0/0
 ip address 1.1.1.118 255.255.255.252
!
interface Serial0/2
 ip address 2.2.2.110 255.255.255.252
!
router rip
 redistribute connected
 passive-interface FastEthernet0/0
 distance 255
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.117
ip route 0.0.0.0 0.0.0.0 2.2.2.109

The PIX 515 config is simple: it takes the broadcast IPs and redistributes them, or maps them to static IPs inside the LAN.

Here is the question: how can I add a second ISP (ISP(1)+ISP(2)->2611->PIX->LAN) so I can have load sharing and use the block of IPs from ISP(2) on my PIX?

I know I can have ip address 2.2.2.65 255.255.255.224 secondary on interface FastEthernet0/0, but can I have ip broadcast-address 2.2.2.95?

Can the PIX have a secondary IP? The PIX only has one outside interface.

If possible, NO BGP.

Thank You

vcjones Fri, 03/21/2003 - 16:56

You have a number of choices available to you; see the multihoming white paper on my web site for an overview. Whether or not you need to use BGP will depend upon what applications you are supporting and what your performance requirements are. If you are not using BGP, you have two challenges which you need to resolve: how to let ISP 1 know how to get traffic to you that is sent from your ISP 2 address (ditto for ISP 2), and how to discover that the link to ISP 1 is down so you (and ISP 1; don't forget traffic must go both ways to work) know to use the route via ISP 2 (and, of course, ditto for the link to ISP 2).


You also MUST add some protection to your router if you want to keep it under your control. In particular, turning off telnet, SNMP, and other vulnerable services, blocking illicit traffic from the Internet, etc. You would probably find Chapter 8 of my book interesting reading as well, although it may be too advanced. But it does include working examples of router security, BGP multihoming, and multihoming without BGP.


Good luck and have fun!


Vincent C Jones

www.networkingunlimited.com
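As an added illustration of the non-BGP option and the router hardening described in the reply above (this is not part of the original thread and not taken from Vincent Jones's white paper or book): a 2611 configuration built on the poster's sample addresses. It assumes ISP2 delegated the block 2.2.2.64/27, that the PIX outside interface sits on the FastEthernet0/0 segment, and that SSH-capable IOS is installed; the ACL and route-map names are invented for the example. The poster's RIP section is left out because it does not affect the second ISP.

```cisco
! Added example, not from the thread or from Vincent Jones's material.
! Addresses are the poster's sample ones; the ISP2 block 2.2.2.64/27 and the
! ACL and route-map names are assumptions made for this illustration.
!
! --- basic hardening: small services, finger, HTTP, CDP and SNMP off ---
service password-encryption
no service tcp-small-servers
no service udp-small-servers
no service finger
no ip http server
no ip source-route
no ip bootp server
no cdp run
no snmp-server
!
! --- interfaces: the ISP2 block rides as a secondary address on the PIX-facing LAN ---
interface FastEthernet0/0
 description Segment shared with the PIX outside interface
 ip address 1.1.1.65 255.255.255.224
 ip address 2.2.2.65 255.255.255.224 secondary
 no ip directed-broadcast
 ip policy route-map EGRESS-BY-SOURCE
!
interface Serial0/0
 description Link to ISP1
 ip address 1.1.1.118 255.255.255.252
 ip access-group FROM-INTERNET in
 no ip directed-broadcast
!
interface Serial0/2
 description Link to ISP2
 ip address 2.2.2.110 255.255.255.252
 ip access-group FROM-INTERNET in
 no ip directed-broadcast
!
! --- egress: send each provider's block out that provider's link ---
! Without BGP a provider will normally drop packets sourced from the other
! provider's addresses, so the exit is chosen by source address, not destination.
! When a serial interface is down its next hop is unreachable and the packet
! falls back to the default routes below; a failure further upstream is not detected.
ip access-list standard ISP1-BLOCK
 permit 1.1.1.64 0.0.0.31
ip access-list standard ISP2-BLOCK
 permit 2.2.2.64 0.0.0.31
route-map EGRESS-BY-SOURCE permit 10
 match ip address ISP1-BLOCK
 set ip next-hop 1.1.1.117
route-map EGRESS-BY-SOURCE permit 20
 match ip address ISP2-BLOCK
 set ip next-hop 2.2.2.109
!
! Two equal-cost defaults remain as the fallback path (per-destination sharing).
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.117
ip route 0.0.0.0 0.0.0.0 2.2.2.109
!
! --- ingress: drop spoofed sources, admit only traffic for the two blocks ---
ip access-list extended FROM-INTERNET
 deny   ip 1.1.1.64 0.0.0.31 any
 deny   ip 2.2.2.64 0.0.0.31 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 permit ip any 1.1.1.64 0.0.0.31
 permit ip any 2.2.2.64 0.0.0.31
 deny   ip any any log
!
! --- management: telnet off, SSH only from the inside block ---
ip access-list standard MGMT
 permit 1.1.1.64 0.0.0.31
line vty 0 4
 access-class MGMT in
 exec-timeout 5 0
 transport input ssh
```

Two caveats for anyone adapting this. First, the FROM-INTERNET list drops everything not addressed to one of the two /27s, which includes replies to traffic the router itself originates from its serial addresses (pings, NTP, DNS); add explicit permits for those or test from a host behind the PIX. Second, `transport input ssh` needs a crypto-capable IOS image with a hostname, domain name and an RSA key generated; on an image without SSH, use `transport input none` and manage the router from the console rather than leaving telnet open.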

a.manosca Sun, 03/23/2003 - 20:34

Just some notes:

1. PIX does not support secondary addressing.

   http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094767.shtml

2. You can use secondary IPs on the 2611, and I believe there's no issue with the broadcast address of the secondary IP.

3. You can just add the nat and global, or static, entries on the PIX for the addresses from ISP2.

   http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800b6e1a.shtml#multi_global

So the remaining issue is load-sharing, which was answered in the previous post.

Also, for your servers that support secondary addressing, you have the option of adding the secondary address on the server and then creating a static translation on the PIX.

HTH.
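An added example of point 3 and of the server-with-secondary-address idea above (not from the thread or from the linked Cisco documents): PIX 6.x-style translation entries using the poster's sample addresses. It assumes the PIX outside interface is 1.1.1.66 on the segment behind the 2611, an inside network of 192.168.1.0/24, a web server at 192.168.1.10 that also carries the secondary address 192.168.1.11, and that ISP2 delegated 2.2.2.64/27; the access-list name is invented.

```cisco
! Added example, not from the thread. The inside network, server addresses
! and the access-list name are assumptions made for this illustration.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 1.1.1.66 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
!
! Outbound NAT: one nat id, one global pool per provider block, both on the
! same outside interface. The PIX proxy-ARPs for the 2.2.2.x globals on the
! outside segment, so the router's secondary address 2.2.2.65 can reach them.
! Pools are drawn in configuration order; the single-address PAT entry at the
! end catches the overflow once both ranges are exhausted.
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
global (outside) 1 1.1.1.67-1.1.1.93 netmask 255.255.255.224
global (outside) 1 2.2.2.66-2.2.2.93 netmask 255.255.255.224
global (outside) 1 1.1.1.94 netmask 255.255.255.224
!
! Inbound: one static per provider block. The second static points at the
! server's secondary address, as suggested above, so each public address has
! its own inside address and the server answers on whichever path was used.
static (inside,outside) 1.1.1.70 192.168.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 2.2.2.70 192.168.1.11 netmask 255.255.255.255 0 0
!
! A static alone exposes nothing; only the published service is opened,
! and only to the two global addresses, never "any any".
access-list outside_in permit tcp any host 1.1.1.70 eq www
access-list outside_in permit tcp any host 2.2.2.70 eq www
access-group outside_in in interface outside
!
route outside 0.0.0.0 0.0.0.0 1.1.1.65 1
```

Note what this does and does not give you. Load sharing here is decided by which global pool a translation lands in, and an outbound flow translated to a 2.2.2.x address will only work if the 2611 sends it out the ISP2 link; with two plain default routes the router picks the exit per destination, so a 2.2.2.x-sourced packet may leave via ISP1 and be dropped by ISP1's anti-spoofing filters, which is the first of the two challenges in the earlier reply. Either the router routes by source address or the providers agree to carry each other's block.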
