2 isp 2 PIX on same internal network?

I have an existing PIX 515 failover pair. I am installing a second circuit (more bandwidth needed) and will be using a second PIX 515 failover pair. Both outside interface IPs will be in different networks eventually. Both inside interfaces will be in the same network (x.x.x.16 255.255.255.240). I need to keep the inside firewalls on the same network if possible, but testing did not allow traffic to pass on PIX-2. (Testing was done with the outside networks in the same network on 1 ISP link. This worked through a small Linksys router, but not on the PIX.) Any advice would be appreciated. I am assuming there is a conflict on the PIX due to them both advertising or being in the same networks (x.x.x.16 /27 inside and x.x.x.0 /27 outside) and connected to them.

Thanks in advance!

Brad Shows

5 REPLIES

Re: 2 isp 2 PIX on same internal network?

> but testing did not allow traffic to pass on PIX-2.

What does this mean?

How are you routing packets from your LAN to the firewall? Do you have a static route from your LAN to PIX-1?

If this is the case, then you have to do the following to test traffic through PIX-2:

Put a route map on your LAN gateway which points a test subnet, from which you want to send traffic, to PIX-2.

Re: 2 isp 2 PIX on same internal network?

PIX-1 inside 2x.2x.1x.17 /28 outside 2x.2x.1x.2 /28

PIX-2 inside 2x.2x.1x.28 /28 outside 2x.2x.1x.3 /28

PIX-1 handles all nets now. PIX-2 will handle some of those once I get traffic flowing. I took one network off PIX-1 and configured it on PIX-2 with

static (inside,outside) 2x.2x.123.0 2x.2x.123.0 netmask 255.255.255.128

route inside 2x.2x.123.0 255.255.255.128 2x.2x.1x.25

Trying to get traffic from the 2x.2x.123.0 network failed. If I set up a Linksys router with the same IPs I can get traffic to pass no problem. However, I must use the PIX.

If I place the inside interface of PIX-2 in a different network, 10.0.0.1 /24, I can get traffic to flow.

Thanks!

Re: 2 isp 2 PIX on same internal network?

Are you saying that traffic from outside for the public IP 2x.2x.123.0 has to flow through PIX-2?

If this is the case, do you have a router in front of the PIX to which your ISP is connected?

On this router define a static route for the subnet 2x.2x.123.0 pointing it to the outside interface of the PIX-2.

You will be able to get inbound traffic for the above subnet via the PIX-2.

Re: 2 isp 2 PIX on same internal network?

Yes, traffic from outside for the public IP 2x.2x.123.0 has to flow through PIX-2. I am assuming our service provider is now routing everything to PIX-1 and, once the 2nd circuit is installed, will route networks accordingly.

There is no router on the outside of either PIX, only the service provider ONU. I think the reason it will not work is that they route everything to PIX-1. I will wait for the 2nd circuit to be installed to test again. Thanks!

Re: 2 isp 2 PIX on same internal network?

Glad to hear that.

Please rate the post if this helped.
