Dual PIX 515E's with two ISP's and no BGP with GRE/IPSEC Tunnels
Need a bit of help with a project I am working on. I am unsure about using the PIX with more than one default route. From what I have read in posts, it is not supported. Here are two ways I have envisioned this working prior to the setup of BGP for the ISPA /24 subnet to route with both ISPs.

Our network is 100% GRE/IPSEC VPN tunnels with EIGRP terminating on RTR3. RTR3 has an external address that is NATed by the PIX and uses ESP to work with NAT. One tunnel will terminate on RTR2 for redundant access to the LAN using ISPB. EIGRP exchanges routes, so new traffic will go across the RTR2 VPN tunnel, which has a lower bandwidth setting, if ISPA's link fails. Each Internet router has ACLs filtering all traffic except what is specified and also runs CBAC.

Instead of doing it this way, my thought is to put another interface in the PIX and set a default route with a higher metric to go out the ISPB router. This way hosts can still surf the net and, if needed, I can have dual NAT entries in the PIX for the other ISPB /24 until BGP saves the day and this is not needed.

My question is: can the PIX have 2 default routes like this? If so, how will it detect the failure of the ISPA link if the Ethernet side of RTR1 is still up? Also, the backup VPN tunnel will also need to be NATed via the PIX, so will traffic exiting the PIX go out the ISPB interface since it has a static NAT on that subnet? RTR3 and RTR2 will have a GRE/IPSEC tunnel endpoint of the same IP address, so since the routing is based on destination, will the PIX say, "I have a route to that subnet via the ISPA link, you're going out that way," with a source address of the NATed IP from the ISPB /24 subnet? Guess what, ISPA has an inbound ACL filtering out traffic that traverses their network, so that will break if so.

The config is below. I have not configured BGP before and will have to do it alone, so that is why the firewalls will go in first, then get BGP working later. Lots of questions I know, and any help would be appreciated.
A much simpler design would be to deploy a single PIX (or the two units in a failover pair) and then multihome your network by connecting the perimeter router to the two ISPs and NATing while forwarding traffic into one of the ISPs. The router can easily be configured for such a setup.
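The following IOS configuration is an added illustration of the design the reply suggests (a single perimeter router multihomed to both ISPs, with one default path active at a time and NAT chosen by the egress interface); it is not from the thread or from either poster. Interface names, addresses (documentation ranges) and the IP SLA/track syntax (IOS 12.4T-era) are assumptions; the tracked route addresses the question of how an upstream failure is noticed when the Ethernet link to the ISP router stays up.

```cisco
! Added example, not from the original thread. Names and addresses are assumed.
interface FastEthernet0/0
 description Inside (towards the PIX outside interface)
 ip address 192.0.2.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description ISPA
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface FastEthernet1/0
 description ISPB
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! Probe ISPA's next hop so the primary default route is withdrawn even when the
! Ethernet segment to the ISPA router is still up (link-state alone would not see it).
ip sla 1
 icmp-echo 198.51.100.1 source-interface FastEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Primary default via ISPA, conditional on the probe; floating static via ISPB
! (administrative distance 250) takes over only when the tracked route is gone.
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 1
ip route 0.0.0.0 0.0.0.0 203.0.113.1 250
!
! Translate with the address of the ISP interface the packet actually leaves on,
! so the source address always belongs to the ISP carrying it; an ISP ingress
! filter that drops foreign source addresses would otherwise break the failover.
access-list 10 permit 192.0.2.0 0.0.0.255
route-map NAT-ISPA permit 10
 match ip address 10
 match interface FastEthernet0/1
route-map NAT-ISPB permit 10
 match ip address 10
 match interface FastEthernet1/0
ip nat inside source route-map NAT-ISPA interface FastEthernet0/1 overload
ip nat inside source route-map NAT-ISPB interface FastEthernet1/0 overload
```

Existing translations built for ISPA survive a failover until they age out, so flows started before the switch may need `clear ip nat translation *` to re-establish via ISPB.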