Multiple networks routed to single pix interface?

jeffdanderson
Level 1

Scenario:

1 Cisco 2801 that has 2 T1s going into it. The T1s are from separate providers, so two different networks.

The T1s each have an additional /30 block of addresses routed to them.

t1:1 network 1.1.1.0/30 has network 1.1.2.0/30 being routed to it.

t1:2 network 2.2.2.0/30 has network 2.2.3.0/30 being routed to it.

There is a pix 501 connected to fa0/1 on the 2801.

How the additional /30 networks are being used:

Host 1 is the router fa0/1 interface and host 2 is the pix outside interface.

Right now the pix can be reached via 1.1.2.2. The client also wants to be able to reach the pix using 2.2.3.2.

Currently you can ping fa0/1 on the router using either the 1.1.2.1 address or the 2.2.3.1 address. The client wants to be able to reach the pix using either of the networks associated to the fa0/1 interface. The problem is the pix can only have one network on the outside interface. So I am trying to find a solution to reach the pix using either 1.1.2.2 or 2.2.3.2 in case one of the T1s goes down.

Right now 1.1.2.2 works, I am trying to make 2.2.3.2 work as well.

2801:

    s0/0
     description Connection to ISP 1
     ip address 1.1.1.2 255.255.255.252

    s0/1
     description Connection to ISP 2
     ip address 2.2.2.2 255.255.255.252

    fa0/1
     ip address 1.1.2.1 255.255.255.252
     ip address 2.2.3.1 255.255.255.252 secondary

    ip route 0.0.0.0 0.0.0.0 1.1.1.1
    ip route 0.0.0.0 0.0.0.0 2.2.2.1

Anyone have any ideas how I can get this to work?

Thanks

1 Reply

jackko
Level 7

as you mentioned, the pix will not accept a secondary ip on any interface. thus i guess the requirement is not feasible.

however, if the aim is to provide a backup of remote pix management, you can always establish a session to the router first, then from the router to the pix.

further, if the aim is related to vpn, then i guess the option is to move the vpn termination point to the router instead.
