Hello - I have a PIX 515 in which I have a T1 line that I use for my internet access. I just added a new line and here is what I want to do:
Take the internet traffic off the old line (a.a.a.a) and put it to the new line (b.b.b.b).
Use the old line as a failover for the new.
Now I thought it was as easy as this:
route outside 0.0.0.0 0.0.0.0 b.b.b.b 1
route outside 0.0.0.0 0.0.0.0 a.a.a.a 2
Thinking the high metric for new line would work unless it was down, and then traffic would go out the old line again.
I am a noob with PIX, so let me know what I am doing wrong.
Is the pix outside interface plugged into a router with both T1s? If so, check its default gateway and make sure its priority is b.b.b.b also. If it's a switch, the same principle applies.
If you are using a different interface for the T1, make sure you use it and not outside, ex: route newinterface 0.0.0.0 0.0.0.0 b.b.b.b 1
Thanks - Both lines are plugged directly into the pix, and our router just has a default route pointing to the inside interface of the pix (ex. ip route 0.0.0.0 0.0.0.0 192.168.2.2). And sorry - having the word "outside" in both those lines was a typo on my part!
Your default route (on the router) should be to your ISP,
ex. ip route 0.0.0.0 0.0.0.0 b.b.b.b 1
If the interface connecting to your pix is private, just put your networks pointing to that interface on the pix.
ex. ip route 172.16.0.0 255.255.0.0 192.168.2.2
ip route 192.168.0.0 255.255.0.0 192.168.2.2
I hope you get the idea.... Make the routes going to your pix more specific.
Then on the pix make sure your default route is pointing to the correct interface, like in the previous post. And make sure you have a NAT statement going out that interface. You can use the same one that you had going out your outside. (Make the new interface look almost the same as the outside interface.)
Sure - yes, the line is a Verizon fios fiber optic line (15Mbs) that comes into a dlink router, which then plugs into ethernet5 on the pix. From the pix I can ping the provider, but I can't ping the provider from anywhere behind the pix; hence, I can't get the web traffic to use that link.
Ok - I am going to back up and start from scratch here - I think I may have not explained this very well. I have:
1 T1 (A.A.A.A) terminated at a 1721 then plugged into ethernet0 (if_name outside). Works fine.
1 new Verizon 15Mb fios fiber optic line (B.B.B.B) terminated at a DLink router then plugged into ethernet3 on the pix (if_name Internet).
I want to be able to use the fiber optic line (B.B.B.B) for internet traffic while keeping the T1 (A.A.A.A) as a standby in case the fiber optic line goes down.
My problem is no matter what I try I can't get traffic to flow over the fiber optic line. I know it's working because I can connect directly to the fiber optic line and get out to the net. I am attaching the config for my pix. Take a look and let me know what I need to do to get this to work. Thanks!
You need a global statement for the Internet interface and track statements, so:
global (internet) B.B.B.B netmask 255.255.255.255
route internet 0.0.0.0 0.0.0.0 B.B.B.B 1 track (your Dlink's gateway)
route outside 0.0.0.0 0.0.0.0 A.A.A.A 5
You need to make sure your internet route has the track statement; when it goes down, it will use the outside interface.
Jake, thanks, I really appreciate your patience. So, just so I have this straight, right now I have:
b.b.b.1 - Verizon side router - their end
b.b.b.3 - Dlink router - my end
b.b.b.4 - Internet interface on my pix.
b.b.b.5-b.b.b.6 - open for me to use.
Should my config, based on what you said, look like this?
global (internet) B.B.B.1 netmask 255.255.255.255
route internet 0.0.0.0 0.0.0.0 B.B.B.3 1 track
global (internet) B.B.B.6 netmask 255.255.255.255
route internet 0.0.0.0 0.0.0.0 B.B.B.3 1 track 1
track 1 rtr 10 reachability
I forgot that last line... it's been a while since I used the track statement.
Ok - still not working when I do that, but I think I see why. I cannot ping from b.b.b.4 to b.b.b.3 even though I have a cable going from one to the other on the other side of the room, green lights on both ends and an up/up on the interface on the pix. What's missing here?
Also - the 'track' command is an unknown on my pix - is that a later version command?
Yeah, track is on a later version, not really an issue.
route outside 0.0.0.0 0.0.0.0 A.A.A.A 10
route internet 0.0.0.0 0.0.0.0 B.B.B.B 1
The Internet_acl looks to be in error. It's going to network A and needs to be B.
Might want to take off the "access-group Internet_acl in interface Internet" just to test.
Also once you change the routes, go to www.network-tools.com and see what your IP is.
Ugh - if I wasn't bald I'd be pulling my hair out. Tried the above, still no go. It's got to be something simple that I am missing. Now, can I tell the pix to only use that link for http/https traffic and have everything else continue to use the old link? Would that make this easier? I still have to figure out why I can't ping the dlink from the pix.
Did I already tell you I appreciate the help?
It would not be easier to send all www traffic out one interface.
Try this for pings:
access-list Internet_acl extended permit icmp any any echo-reply
access-list Internet_acl extended permit icmp any any time-exceeded
access-list Internet_acl extended permit icmp any any unreachable
Have you done a clear xlate? That might be all it is. Also please post an updated config.
Have you tried to ping past the router from your desk?
Then trace to it and make sure it's going out your outside IP address. Also go to www.network-tools.com and verify the IP. I need to know that result. It looks like everything is there.
I had a continuous ping going to google while I made the change, and it dropped as soon as I added the route Internet 0.0.0.0 0.0.0.0 b.b.b.3 1 command. I had to revert to the original config and have to refrain from testing here for a while - the office is getting ticked off at me. I will tackle this again tonight. I am thinking a restart of the dlink and pix.
One solution is to upgrade to version 7.
Then follow the instructions in the link below for backup ISP.
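For reference, here is what the tracked-route backup-ISP setup discussed in this thread looks like on PIX/ASA 7.2 or later. This is an added example, not a config posted by anyone in the thread; the interface names (outside, Internet), the placeholder addresses (A.A.A.A, B.B.B.3, B.B.B.4), the subnet masks and the NAT pool id 1 are assumptions taken from the thread's description.

```cisco
! Added example (not from the thread): PIX/ASA 7.2+ backup-ISP configuration.
! Addresses are the thread's placeholders; masks and nat id 1 are assumed.
interface Ethernet0
 nameif outside
 security-level 0
 ip address A.A.A.A 255.255.255.252     ! T1 side (placeholder address)
!
interface Ethernet3
 nameif Internet
 security-level 0
 ip address B.B.B.4 255.255.255.248     ! PIX side of the fios/DLink segment
!
! Probe the DLink gateway every 10 s; track 1 goes down when 3 probes fail.
sla monitor 10
 type echo protocol ipIcmpEcho B.B.B.3 interface Internet
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
!
track 1 rtr 10 reachability
!
! The fiber default route stays in the table only while track 1 is up.
! The T1 route has a worse metric and takes over once the fiber route is
! withdrawn; a plain metric without tracking never fails over, because the
! interface itself stays up/up when the far end dies.
route Internet 0.0.0.0 0.0.0.0 B.B.B.3 1 track 1
route outside 0.0.0.0 0.0.0.0 A.A.A.A 10
!
! Inside hosts need a PAT address on BOTH egress interfaces; without the
! second global, traffic that fails over has no translation and is dropped.
global (outside) 1 interface
global (Internet) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! Let probe replies and ICMP error messages back in on the Internet side.
access-list Internet_acl extended permit icmp any any echo-reply
access-list Internet_acl extended permit icmp any any time-exceeded
access-list Internet_acl extended permit icmp any any unreachable
access-group Internet_acl in interface Internet
```

Probing the DLink only tells you the cable to the DLink is good; pointing the sla monitor at a host beyond it (the Verizon gateway listed as b.b.b.1 above, or a reliable public address) also catches the case where the DLink is up but the fiber behind it is down. After changing routes, run clear xlate so existing translations on the old interface are rebuilt.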