I have a PIX with the outside interface connected to the ISP. Behind the firewall (Web interface) I am hosting the company website and webmail; the two public IPs are created on the PIX and NATed through the interface (Web) to the 192.168.1.x network. I would like to connect to a second ISP through a second interface named (IRP) with a completely different public IP network than I have at the outside interface, and keep my company reachable through both interfaces until I completely move to the new ISP. I have configured the new (IRP) interface and done the NATing for the Web services. The problem now is that requests coming from the new ISP reach the server behind the PIX, but the reply seems to go back through the outside interface and does not get back to the requester. This may be because the outside interface is the default route for the Internet, given that requests coming from the ISP2 network get back successfully as I have a route to that network on the IRP interface. So how can I force requests coming from the Internet through the IRP interface back out the same interface instead of going through outside? I thought about policy NATting but I don't know how to correctly apply it.
"The Cisco Secure PIX Firewall is designed to handle only one default route. When you connect two ISPs to a single PIX, it means that the Firewall needs to make routing decisions at a much more intelligent level."
Even with policy NAT the PIX won't detect which ISP is down. You need the tracking option, as I specified, and this requires version 7.0.
Upgrading to version 7.0 is not complicated at all. First you need to check your hardware requirements and then plan the upgrade. Below you can find a link to the upgrade process and what has changed from version 6.x to version 7.x.
The firewall supports only one default route through outside for the Internet, so a route-map or policy routing has to be enabled on an external device, i.e. a router or L3 switch.
You can look at configuring one of the following options.
1. Enabling a route-map on the core switch, which will provide routes to the respective ISP.
2. If you have both ISP links terminating on the same router, enabling the route-map on the router itself.
3. NATing the IP addresses between the ISPs in the router (possible, but troubleshooting becomes complicated).
4. If you have two individual routers for the ISPs, you could run HSRP across the routers and point the firewall's default route to the HSRP virtual address. Then add a policy route in both routers (based on source IP address) to route traffic between the ISPs.
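As an added illustration of options 2 and 4 (example configuration, not from anyone in this thread), a minimal IOS policy-based routing setup on a router that terminates both ISP links: reply traffic whose source is an address from ISP2's public block is handed to ISP2's next hop, while everything else follows the default route to ISP1. Interface names, next-hop addresses and the public blocks are assumed placeholders; the PIX keeps a single default route pointing at this router.

```cisco
! Constructed example: router in front of the PIX, both ISP links terminate here.
! 203.0.113.0/30 = ISP1 (old "outside") link, 198.51.100.0/30 = ISP2 (new "IRP") link,
! 198.51.100.128/25 = public block assigned by ISP2 and NATed on the PIX (assumed).
interface GigabitEthernet0/0
 description ISP1 uplink
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 description ISP2 uplink
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/2
 description towards PIX outside interface
 ip address 10.0.0.1 255.255.255.0
 ! Policy routing is applied on the interface that RECEIVES the replies from the PIX
 ip policy route-map RETURN-TO-ISP
!
! Match replies that the PIX has already translated to an ISP2 public address
ip access-list extended FROM-ISP2-PUBLIC
 permit ip 198.51.100.128 0.0.0.127 any
!
! Packets sourced from the ISP2 block go back out via ISP2's next hop;
! packets that match no sequence fall through to normal (default) routing
route-map RETURN-TO-ISP permit 10
 match ip address FROM-ISP2-PUBLIC
 set ip next-hop 198.51.100.1
!
! Single default route towards ISP1; the PIX itself only needs 0.0.0.0/0 -> 10.0.0.1
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

With this in place the return path is decided by the translated source address, so the PIX no longer needs a second default route; verify with `show route-map RETURN-TO-ISP`, whose policy-match counters should increase as ISP2-side requests are answered.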