×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Multiple ISP's and Cisco Pix ver 7.0

Unanswered Question
Oct 11th, 2005
User Badges:

I have a customer that has two isp connections and is looking for bi-directional redudancy. (Inbound and outbound). Currenly have a Cisco Pix 7 with 6 interfaces total. I have used devices in the past from Fatpipe and Linkproof that provide this functionality. However, it is not an option here because of price concerns.

The customer does not want to run bgp between providers. They currently have only a couple of internet accessble devices that they have. they have accepted the fact that these sites in case of failure will be down until DNS records are adjusted (web-site for instance). Another requirement is to terminate a handfull of vpn's as well.


What would be the best way to handle this scenario:

1) Introduce a cisco router and terminate both isp's on the router (both are ethernet hand offs).

2) configure the pix using subinterfaces and multiple contexts (probably can not do this because of lack of vpn support for multiple contexts.

3) there will be a dmz interface that has the inet accessible devices. Can these devices have multiple nat's in different contexts. ( ie. isp1 - nat 10.10.10.1 - 66.1252.231.1 and isp2 - nat 10.10.10.1 - 207.50.196.5)

Any help will be appreciated.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 2 (1 ratings)
Loading.
rpathani Wed, 10/12/2005 - 03:04
User Badges:
  • Cisco Employee,

Thanks for a detailed explanation. Below are few points i would like to mention:


1) If you hook one isp on say pix outside interface and the other isp on say dmz interface of pix but due to the fact that pix can have only one default route with same metric hence, the traffic would always be routed out through one of the route with least metric figure. This only holds good as a backup link. In such case, you would have default route as follows:

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

and

route dmz 0.0.0.0 0.0.0.0 y.y.y.y 2

so incase if the first isp (x.x.x.x) goes down, the traffic would start flowing through the second isp (y.y.y.y).

NOTE: Pix should see a line protocol down on its outside interface to start routing traffic form dmz.

This scenario would not accomplish your goal.


2) You are correct, when we configure pix for transparent firewalling, it starts acting like a dumb hub with an additional functionality of supporting access lists to control flow of traffic and loses its precious features like vpn as mentioned by you. This feature was introduced in pix so that you do not have to redesign you ip addressing scheme while introducing pix in your production network. This again would not be a suitable solution in your case.


Such kind of topology would fix your issue:


isp1-----

|

Router---Pix---Local Network.

|

isp2-----



Here, you need to make sure that you pix gateway is Router running ospf process and doing the redundancy.





Rahul Pathania

[email protected]

ray.ortiz Wed, 10/12/2005 - 05:20
User Badges:

Rahul thanks for your reply.


If I am understanding correctly. We would have to introduce a router that connects isp1, isp2 and the pix. We would have to be running ospf between these devices. From a pix perspective connecting to the router, what ip address information will that need to have. It looks like it will need to be an RFC1918 address? If isp1 goes down and a user need to connect to the webserver on the dmz. The firewall will have to have two nats one from isp1 and isp2? Is this possible?

Actions

This Discussion