Routing through PIX firewall

Hi everybody,

I have a situation:

1. We have 2 Internet connections, to 2 different ISPs, located in different locations, interconnected by fiber.

2. Both Internet connections are protected by PIX firewalls. Inside interfaces are located in different subnets.

3. All routing is performed by one core router (Cisco 6500). EIGRP is used for internal routing.

I want to have "redundancy" implemented without using BGP at ISP's routers. What I want to do:

1. Enable routing protocol (EIGRP or OSPF) at Internet routers to monitor Internet connection.

2. If Internet connection goes down, send routing update to core router (behind firewall) to switch users inside to another ISP.

How is it best to do this? I see 2 ways:

1. Let ISP routers send RIP updates to PIX, and let PIX send RIP routing updates to core router. Then redistribute RIP to EIGRP and switch "default network".

2. Allow EIGRP (or OSPF) traffic between ISP router and Core router.

Does anybody have similar experience, or what's recommended in this case? In all scenarios with redundancy, routers are connected directly, but we have PIX firewalls between them.


Michael Shavrov


Re: Routing through PIX firewall

The easiest way to do the job, given that all you want is the ability to switch between which ISP inside users will use for their Internet access, is to run BGP from the 6500 to each of your ISPs. The only "trick" is to get the two ISPs to agree to the same "private" ASN for you to use. No need to get a real ASN (they cost money) and you only need to accept a default route from each, so no memory limitations.

There is no problem running BGP through a PIX, and if you handle it correctly, even your security people will probably agree there is negligible reduction in security. See the "Redundant Firewall" whitepaper on my web site for what ports to open and how to use BGP through a NAT box.

You would actually be better off with a router at each site doing the BGP (and that way, you could even work with ISP-specific private ASNs). The trick is to make sure that as long as both ISP links are up, all users will always use a specific ISP and never change unless there is a failure. Every time a user switches ISPs, all connections will be broken and need to be reestablished. Not a problem when surfing (just hit the refresh button), but could be painful if it happens in the middle of a big file download or during a movie or if using a VPN or other persistent connection.

Good luck and have fun!

Vincent C Jones
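What the answer above describes, written out as an added example (this is not from the thread or from the whitepaper it points to): the 6500 peers with both ISP routers through the PIXes, takes nothing but a default route from each, announces nothing, and pins users to ISP1 while that link is up. The private ASN 65000, the ISP ASNs 64501/64502 and the 203.0.113.1 / 198.51.100.1 peer addresses are placeholders I made up.

```cisco
! Added example config for the 6500, not the original poster's or the answerer's.
! Assumes both ISPs agreed to peer with private ASN 65000 and that each PIX has a
! static translation for the 6500's peering address (placeholders throughout).
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 ! ISP1 (AS 64501) behind PIX-A: the peer is on the far side of the firewall,
 ! not on a connected subnet, so the connected-neighbor check must be relaxed.
 neighbor 203.0.113.1 remote-as 64501
 neighbor 203.0.113.1 description ISP1 - preferred while up
 neighbor 203.0.113.1 ebgp-multihop 2
 neighbor 203.0.113.1 prefix-list DEFAULT-ONLY in
 neighbor 203.0.113.1 prefix-list ANNOUNCE-NOTHING out
 neighbor 203.0.113.1 maximum-prefix 1
 neighbor 203.0.113.1 route-map PREFER-ISP1 in
 ! ISP2 (AS 64502) behind PIX-B: same filters, default local-preference (100),
 ! so its default route only wins when the ISP1 session drops.
 neighbor 198.51.100.1 remote-as 64502
 neighbor 198.51.100.1 description ISP2 - backup
 neighbor 198.51.100.1 ebgp-multihop 2
 neighbor 198.51.100.1 prefix-list DEFAULT-ONLY in
 neighbor 198.51.100.1 prefix-list ANNOUNCE-NOTHING out
 neighbor 198.51.100.1 maximum-prefix 1
 ! No "neighbor ... password" here: the RFC 2385 TCP MD5 signature covers the IP
 ! pseudo-header, so it does not survive the PIX translating the peer address.
!
! Accept only 0.0.0.0/0; drop anything else an ISP might leak to us.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
! Announce no prefixes; the PIX's outside addresses are in ISP space already.
ip prefix-list ANNOUNCE-NOTHING seq 5 deny 0.0.0.0/0 le 32
!
route-map PREFER-ISP1 permit 10
 set local-preference 200
!
! Hand the winning default to the internal EIGRP domain.
router eigrp 100
 redistribute bgp 65000 metric 10000 100 255 1 1500
```

Each PIX still needs its inbound permit for the BGP session (TCP port 179) from its ISP router to the translated 6500 address; the thread leaves those firewall specifics to the whitepaper.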
