Multiple ISP's and Cisco Pix ver 7.0

ray.ortiz
Level 1

I have a customer that has two ISP connections and is looking for bi-directional redundancy (inbound and outbound). They currently have a Cisco PIX 7 with 6 interfaces total. I have used devices in the past from Fatpipe and Linkproof that provide this functionality. However, that is not an option here because of price concerns.

The customer does not want to run BGP between providers. They currently have only a couple of internet-accessible devices. They have accepted the fact that in case of failure these sites will be down until DNS records are adjusted (the web site, for instance). Another requirement is to terminate a handful of VPNs as well.

What would be the best way to handle this scenario:

1) Introduce a Cisco router and terminate both ISPs on the router (both are Ethernet hand-offs).

2) Configure the PIX using subinterfaces and multiple contexts (probably cannot do this because of the lack of VPN support for multiple contexts).

3) There will be a DMZ interface that has the internet-accessible devices. Can these devices have multiple NATs in different contexts? (i.e. ISP1 - NAT 10.10.10.1 - 66.1252.231.1 and ISP2 - NAT 10.10.10.1 - 207.50.196.5)

Any help will be appreciated.

2 Replies

rpathani
Level 1

Thanks for the detailed explanation. Below are a few points I would like to mention:

1) If you hook one ISP on, say, the PIX outside interface and the other ISP on, say, the DMZ interface of the PIX, then because the PIX can have only one default route with the same metric, the traffic would always be routed out through the route with the lowest metric. This only holds good as a backup link. In such a case, you would have default routes as follows:

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

and

route dmz 0.0.0.0 0.0.0.0 y.y.y.y 2

So in case the first ISP (x.x.x.x) goes down, the traffic would start flowing through the second ISP (y.y.y.y).

NOTE: The PIX must see line protocol down on its outside interface before it starts routing traffic out the DMZ.

This scenario would not accomplish your goal.

2) You are correct: when we configure the PIX for transparent firewalling, it starts acting like a dumb hub with the additional functionality of supporting access lists to control the flow of traffic, and it loses precious features like VPN, as mentioned by you. This feature was introduced in the PIX so that you do not have to redesign your IP addressing scheme while introducing the PIX into your production network. This again would not be a suitable solution in your case.

A topology of this kind would fix your issue:

isp1-----
         |
       Router---Pix---Local Network.
         |
isp2-----

Here, you need to make sure that your PIX gateway is a router running an OSPF process and doing the redundancy.

Rahul Pathania

rpathani@cisco.com
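One way to build the router-in-front topology from this reply, as an added example that is not from the original thread and not Cisco's own reference configuration. It substitutes IP SLA reachability tracking for the OSPF process mentioned above, because the limitation noted in point 1 (failover only on line protocol down) applies just as much to an Ethernet hand-off on a router: the ISP's far end can die while the local link stays up. The router holds both ISP links and chooses the egress; the PIX keeps a single default route toward the router over a private (RFC1918) transit subnet. All interface names, addresses, the probe target and the access-list/route-map names are placeholders assumed for the example; the `ip sla` / `track` syntax is the IOS 12.4T-and-later form (older images spell it `ip sla monitor` and `track ... rtr`).

```cisco
! ===== Router in front of the PIX (IOS; added example, all addresses are placeholders) =====
!
interface FastEthernet0/0
 description ISP1 hand-off
 ip address 66.1.252.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 description ISP2 hand-off
 ip address 207.50.196.2 255.255.255.252
 ip nat outside
!
interface FastEthernet1/0
 description Transit to PIX outside (private addressing is fine here)
 ip address 192.168.255.1 255.255.255.252
 ip nat inside
!
! Reachability probe toward ISP1's gateway (assumed 66.1.252.1, directly
! connected, so the probe cannot leak out the backup link). Because the
! Ethernet hand-off keeps line protocol up when the provider side fails,
! the default route is tied to the probe, not to the interface state.
ip sla 1
 icmp-echo 66.1.252.1 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Primary default follows the probe; the floating default (administrative
! distance 10) via ISP2 is used only while the primary is withdrawn.
ip route 0.0.0.0 0.0.0.0 66.1.252.1 track 1
ip route 0.0.0.0 0.0.0.0 207.50.196.1 10
!
! Outbound PAT is selected by egress interface, so after a failover the
! traffic automatically sources from ISP2's address instead of ISP1's.
access-list 10 permit 192.168.255.0 0.0.0.3
route-map VIA-ISP1 permit 10
 match ip address 10
 match interface FastEthernet0/0
route-map VIA-ISP2 permit 10
 match ip address 10
 match interface FastEthernet0/1
ip nat inside source route-map VIA-ISP1 interface FastEthernet0/0 overload
ip nat inside source route-map VIA-ISP2 interface FastEthernet0/1 overload

! ===== PIX 7.x side (added example) =====
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.255.2 255.255.255.252
!
! The PIX keeps exactly one default route; ISP selection lives on the router.
route outside 0.0.0.0 0.0.0.0 192.168.255.1 1
!
! Inside hosts hide behind the PIX's transit address; the router then
! translates that address again to whichever ISP is currently active.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
```

Two caveats worth checking before relying on this. First, the router's existing translations built over ISP1 do not move to ISP2 when the route flips, so established outbound sessions reset and stale entries can linger until their NAT timeout expires; verify with `show ip nat translations` after a failover test. Second, the private transit subnet solves outbound redundancy only: anything that must be reached from the internet on the PIX itself, such as the VPN peers and the DMZ web server, still needs a static mapping on the router to a public address belonging to one specific ISP, so inbound reachability continues to follow that ISP, which matches the DNS-change approach the customer has already accepted.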

Rahul, thanks for your reply.

If I am understanding correctly, we would have to introduce a router that connects ISP1, ISP2 and the PIX, and we would have to be running OSPF between these devices. From the PIX's perspective, connecting to the router, what IP address information will it need to have? It looks like it will need to be an RFC1918 address. If ISP1 goes down and a user needs to connect to the web server on the DMZ, will the firewall have to have two NATs, one for ISP1 and one for ISP2? Is this possible?
