Cisco Support Community
Community Member

Pix and Loadbalancing

Hello all

My ISP provides me with 2 links for redundancy and load balancing purposes.

The subnet is broken in two parts, let's say and

From the Internet side each subnet is announced using BGP to ISP routers GW1 and GW2.

Each router is one of the subnets' "preferred path" for load balancing, both being announced at each.

Between the ISP and my PIX I have a pair of routers with HSRP on the LAN side.

It suits my purpose as long as I can directly split my subnet.

But I have a situation where in front of my subnets I have a PIX.

The public IP and will be NATed to, say, and (internal)

As far as I know, the PIX has only one gateway address.

And being a Layer 3 device it will spoil my HSRP balancing trick anyway.

I guess that with that setup I will only have incoming load balancing.

But the traffic I really need to balance is the egress traffic to the Internet web users!

For instance I want to make sure that the hosts will use the GW1 link and the other one.

Whilst keeping the redundancy...

It is critical for me that a host in will not compete for the bandwidth with one in

The only thing I can think of is using OSPF. But I feel uneasy about putting it on a FW.

How safe is it?

Is there any good tutorial about using OSPF for load balancing, especially on a PIX device?

Are there any other options?

Any help greatly appreciated as I didn't find anything useful so far...



Re: Pix and Loadbalancing

If you have a remote-access configuration in which you are using two or more security appliances or VPN Concentrators connected on the same network to handle remote sessions, you can configure these devices to share their session load. This feature is called load balancing.

Community Member

Re: Pix and Loadbalancing

That's not what I mean.

In my current setup the ISP provides me with a single subnet. Which means a unique gateway.

But the ISP is taking care to load balance the upstream as well as the downstream to my webservers.

The new ISP is splitting the subnet into 2 subnets. One arriving at each router. The downstream is obviously split.

Now I have my webservers behind a PIX.

The PIX has only one gateway. Which implies that the upstream will go only to one router.

That wastes half of the bandwidth, precisely in the direction where it is needed most.

Thus my question: how to balance the upstream from the PIX to the ISP's routers?

I am looking for a configuration example.

Thanks for your help !


Re: Pix and Loadbalancing

I don't think it can be done with a PIX firewall.

However, if you run Checkpoint firewall on Nokia IP appliances, Nokia IPSO can take care of the egress load-sharing by splitting the traffic. Nokia IPSO allows you to enter multiple default gateways and use either a source, destination, or source/destination hashing algorithm to calculate the load. This can be done very easily within IPSO by a couple of clicks via Voyager.

You can verify the egress traffic is load balanced by running tcpdump with the "-e" option. You will see different gateway MAC addresses for outbound traffic.

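The verification step in the answer above (run tcpdump with "-e" and look for different next-hop MAC addresses on outbound frames) is easy to eyeball on a quiet link but tedious on a busy one. The script below is an added example, not part of the original thread or of any Cisco or Nokia tool: it parses tcpdump -e style link-layer output, keeps only frames sent by the firewall's outside interface, and tallies which gateway MAC each source host's traffic went to, so you can confirm both gateways carry egress traffic and that each host sticks to one next hop (as a source-hash policy should give). The sample capture lines, the firewall MAC and the two gateway MACs are constructed values for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of tcpdump -e output (not a real capture). Format per line:
# timestamp src_mac > dst_mac, ethertype IPv4 (0x0800), length N: src_ip.port > dst_ip.port: ...
SAMPLE_TCPDUMP = """\
10:00:01.000001 00:00:5e:00:53:aa > 00:00:5e:00:53:01, ethertype IPv4 (0x0800), length 74: 192.0.2.10.44123 > 198.51.100.7.80: Flags [S], seq 1, win 64240, length 0
10:00:01.000201 00:00:5e:00:53:aa > 00:00:5e:00:53:02, ethertype IPv4 (0x0800), length 74: 192.0.2.11.44124 > 198.51.100.8.80: Flags [S], seq 1, win 64240, length 0
10:00:01.000301 00:00:5e:00:53:aa > 00:00:5e:00:53:01, ethertype IPv4 (0x0800), length 1514: 192.0.2.10.44123 > 198.51.100.7.80: Flags [.], seq 1:1461, ack 1, win 64240, length 1460
10:00:01.000401 00:00:5e:00:53:01 > 00:00:5e:00:53:aa, ethertype IPv4 (0x0800), length 74: 198.51.100.7.80 > 192.0.2.10.44123: Flags [S.], seq 9, ack 2, win 65535, length 0
10:00:01.000501 00:00:5e:00:53:aa > 00:00:5e:00:53:02, ethertype IPv4 (0x0800), length 1514: 192.0.2.11.44124 > 198.51.100.8.80: Flags [.], seq 1:1461, ack 1, win 64240, length 1460
"""

# Assumed values for the example: the firewall's outside-interface MAC and the
# MAC of each ISP-facing router (GW1 / GW2 as named in the thread).
FIREWALL_MAC = "00:00:5e:00:53:aa"
GATEWAYS = {"00:00:5e:00:53:01": "GW1", "00:00:5e:00:53:02": "GW2"}

LINE_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4 .*?: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dip>\d+\.\d+\.\d+\.\d+)\.\d+:"
)


def parse_egress(text, firewall_mac=FIREWALL_MAC):
    """Yield (src_ip, next_hop_mac) for frames the firewall itself transmitted."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["smac"] != firewall_mac:
            continue  # skip unparsable lines and inbound frames (sent by a router)
        yield m["sip"], m["dmac"]


def egress_distribution(text, gateways=GATEWAYS):
    """Return ({gateway_name: frame_count}, {src_ip: [gateway_names]})."""
    per_gw = Counter()
    per_host = defaultdict(set)
    for sip, dmac in parse_egress(text):
        name = gateways.get(dmac, "unknown:" + dmac)  # flag an unexpected next hop
        per_gw[name] += 1
        per_host[sip].add(name)
    return dict(per_gw), {h: sorted(g) for h, g in per_host.items()}


def is_balanced(per_gw, gateways=GATEWAYS):
    """True when every configured gateway carried at least one egress frame."""
    return all(per_gw.get(name, 0) > 0 for name in gateways.values())


if __name__ == "__main__":
    # Stand-alone run on the constructed sample; for a real check pipe in
    # `tcpdump -e -n -i <outside-interface>` output instead.
    gw_counts, host_map = egress_distribution(SAMPLE_TCPDUMP)
    print("frames per gateway:", gw_counts)
    print("gateways used per source host:", host_map)
    print("both gateways in use:", is_balanced(gw_counts))
```

A host that appears with two gateways in the per-host map means the policy is hashing on something other than the source address (or a gateway flapped mid-capture); a result where only one gateway name shows up is the single-default-gateway behaviour the question describes.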

Community Member

Re: Pix and Loadbalancing

Hi !

I know: I have some Nokia/CP appliances myself.

Sometimes I dream of having the best of both worlds: Checkpoint + PIX...

But I really feel that something can be done with OSPF on PIXes. That's why I ask for help in the Cisco forum...

