We have Internet feeds from two isp's. Routers running BGP and two Pix 525s configured with statefull failover. I would like to use both the links for load balancing and not use hsrp. All the notes I have read point to placing a router in front of the firewall and behind the two Innternet routers. This obviously creates a single point of failure which we would like to avoid. To summarise, how do I get the firewall to use both links?
thanks for your reply. Could you please elaborate a bit more. Eack of my routers have single ethernet ports that connect to the lan segment with the firewall. Do I need another ethernet port? If I run HSRP will it not use the primary router for all outbound traffic? How does your soluation load balance?
I worked on this exact issue about 6 months ago. My memory is quickly fading, but I do know that you will not be able to get the PIXs to load balance unless you use a device like the CSS11000 in front of and behind the PIXs. Essentially, you have will be able to design redundancy, but not load-balancing.
We put one router with multiple ethernet interfaces between the PIXs and our 2 ISP routers. We performed policy routing based on the source address of our lan segment hosts. We had a class C, so we policy routed even IP address out of ISP router A and odd IP addresses out of ISP router B.
I was just as unimpressed that there were no specific examples of this type of configuration anywhere on CCO.
You can use a load balancing switch/router to load balance the PIX firewalls and your border routers. I am running an identical environment using BIG IP 5000's from F5. You may not need application load balancing of that nature or price ($$$) Cisco Arrowpoint switches, Foundry, and Alteon all make these switches/routers.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :