Cisco Support Community

I need help with second ISP and PIX firewall


I can't figure out this on my own, PLEASE HELP, Thank You

This is what I have now: ISP(1)->2611->PIX->LAN, RIP protocol.

Here is a sample config of the 2611:

interface FastEthernet0/0
 ip address <----ISP(1)
 ip broadcast-address
interface Serial0/0
 ip address
interface Serial0/2
 ip address
router rip
 redistribute connected
 passive-interface FastEthernet0/0
 distance 255
ip classless
ip route
ip route

The PIX515 config is simple: it takes the broadcasted IPs and redistributes them or maps them to static IPs inside the LAN.

Here is the question: how can I add a second ISP, ISP(1)+ISP(2)->2611->PIX->LAN, so I can have load sharing and use a block of IPs from ISP(2) on my PIX?

I know I can have in interface fastethernet0/0 ip address secondary, but can I have ip broadcast-address?

Can the PIX have a secondary IP? The PIX only has one outside interface.

If Possible, NO BGP

Thank You


Re: I need help with second ISP and PIX firewall

You have a number of choices available to you, see the multihoming white paper on my web site for an overview. Whether or not you need to use BGP will depend upon what applications you are supporting and what your performance requirements are. If you are not using BGP, you have two challenges which you need to resolve: how to let ISP 1 know how to get traffic to you sent from your ISP 2 address (ditto for ISP2) and how to discover that the link to ISP1 is down so you (and ISP 1, don't forget traffic must go both ways to work) know to use the route via ISP 2 (and, of course, ditto for the link to ISP 2).

You also MUST add some protection to your router if you want to keep it under your control. In particular, turning off telnet, SNMP, and other vulnerable services, blocking illicit traffic from the Internet, etc. You would probably find Chapter 8 of my book interesting reading as well, although it may be too advanced. But it does include working examples of router security, BGP multihoming, and multihoming without BGP.

Good luck and have fun!

Vincent C Jones


Re: I need help with second ISP and PIX firewall

Just some notes:

1. PIX does not support secondary addressing.

2. You can use secondary IPs on the 2611 and I believe there's no issue with the broadcast address of the secondary IP.

3. You can just add the NAT and global, or static entries on the PIX for the addresses from ISP2.

So the remaining issue is load-sharing which was answered on the previous post.

Also, for your servers that support secondary addressing, you have the option of adding the secondary address on the server and then create a static translation on the PIX.
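
A sketch of notes 2 and 3 from the reply above, added here as an example; it is not taken from either poster's configuration. All addresses are constructed placeholders (192.0.2.0/24 for the ISP(1) block, 198.51.100.0/24 for the ISP(2) block, 10.1.1.0/24 for the LAN). It assumes FastEthernet0/0 on the 2611 is the segment shared with the PIX outside interface, PIX 6.x command syntax, and proxy ARP on the PIX left at its default so the PIX answers ARP for the translated ISP(2) addresses.

```cisco
! ---- 2611 (IOS) ----
! Assumption: FastEthernet0/0 faces the PIX outside interface.
! The secondary address gives the router a connected route for the
! ISP(2) block on the same segment.
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip address 198.51.100.1 255.255.255.0 secondary
!
: ---- PIX 515 (PIX 6.x syntax assumed) ----
: The outside interface keeps its single ISP(1) address. The ISP(2)
: addresses exist on the PIX only as translations, never as an
: interface address.
ip address outside 192.0.2.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
:
: Outbound: LAN hosts (constructed 10.1.1.0/24) are translated to a
: pool taken from the ISP(2) block.
nat (inside) 2 10.1.1.0 255.255.255.0
global (outside) 2 198.51.100.20-198.51.100.30 netmask 255.255.255.0
:
: Inbound: one server published on an ISP(2) address. The static
: takes precedence over the nat/global pair for this host.
static (inside,outside) 198.51.100.10 10.1.1.10 netmask 255.255.255.255
:
: Permit only the published service. Everything else arriving on the
: outside interface is dropped by the implicit deny that ends the list.
access-list outside_in permit tcp any host 198.51.100.10 eq www
access-group outside_in in interface outside
```

This covers only the addressing. Which ISP link carries the traffic, and what happens when one link fails, is the routing problem discussed in the first reply.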

