Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1386
Views
0
Helpful
4
Replies

Dual ISP and PIX

lkhan
Level 1
Level 1

‎11-27-2001 06:34 AM - edited ‎02-20-2020 09:55 PM

We have Internet feeds from two isp's. Routers running BGP and two Pix 525s configured with statefull failover. I would like to use both the links for load balancing and not use hsrp. All the notes I have read point to placing a router in front of the firewall and behind the two Innternet routers. This obviously creates a single point of failure which we would like to avoid. To summarise, how do I get the firewall to use both links?

Thanks

0 Helpful
4 Replies 4

Bill CARTER
Level 5
Level 5

‎11-29-2001 11:03 AM

Configure HSRP on the two Internet routers. Connect a crossover between the 2 routers and Run IBGP between them. This has worked great for several of my customers.

0 Helpful

lkhan
Level 1
Level 1
In response to Bill CARTER

‎12-03-2001 01:44 AM

thanks for your reply. Could you please elaborate a bit more. Eack of my routers have single ethernet ports that connect to the lan segment with the firewall. Do I need another ethernet port? If I run HSRP will it not use the primary router for all outbound traffic? How does your soluation load balance?

0 Helpful

asafayan
Level 4
Level 4
In response to lkhan

‎12-03-2001 06:38 AM

I worked on this exact issue about 6 months ago. My memory is quickly fading, but I do know that you will not be able to get the PIXs to load balance unless you use a device like the CSS11000 in front of and behind the PIXs. Essentially, you have will be able to design redundancy, but not load-balancing.

We put one router with multiple ethernet interfaces between the PIXs and our 2 ISP routers. We performed policy routing based on the source address of our lan segment hosts. We had a class C, so we policy routed even IP address out of ISP router A and odd IP addresses out of ISP router B.

I was just as unimpressed that there were no specific examples of this type of configuration anywhere on CCO.

0 Helpful

thompson
Level 1
Level 1

‎12-03-2001 11:48 AM

You can use a load balancing switch/router to load balance the PIX firewalls and your border routers. I am running an identical environment using BIG IP 5000's from F5. You may not need application load balancing of that nature or price ($$$) Cisco Arrowpoint switches, Foundry, and Alteon all make these switches/routers.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card