Cisco Support Community

Firewall with dual ISP

Hello All,

My question is the following: I have a PIX 515E with 7.2 software and two ISP connections, but right now I use only one of them. I plan to use both ISPs' lines and route one half of the traffic to ISP A and the other half to ISP B (based on source private address). How can I integrate both lines into the firewall? I currently have a static default route to ISP A.

I hope my question is clear.

Thanks for your help.


Community Member

Re: Firewall with dual ISP


You cannot load-balance on the PIX. The Cisco Secure PIX Firewall is designed to handle only one default route. When you connect two ISPs to a single PIX, it means that the Firewall needs to make routing decisions at a much more intelligent level. Instead, use a gateway router outside the PIX so that the PIX continues to send all of its traffic to one router. That router can then route/load-balance between the two ISPs. An alternative is to have two routers outside the PIX using Hot Standby Router Protocol (HSRP) and set the default gateway of the PIX to be the virtual HSRP address. Alternatively, (if possible) you can use Open Shortest Path First (OSPF) which supports load balancing among a maximum of three peers on a single interface.

I hope this helps.

Re: Firewall with dual ISP

In v7.2:

Standby ISP Support

This feature allows you to configure a standby ISP link to use if the link to your primary ISP fails. It uses static routing and object tracking to determine the availability of the primary route and to activate the secondary route when the primary route fails.

For more information, see the "Configuring IP Routing and DHCP Services" chapter in the Cisco Security Appliance Command Line Configuration Guide.
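
The standby ISP feature described in the reply above, sketched as a 7.2 configuration. This is an added example, not part of the original thread: the interface names (`outside`, `backup`), the SLA and track IDs, and every address (taken from documentation ranges) are assumptions chosen for illustration.

```cisco
! Constructed addressing for this example:
!   outside (ISP A): 192.0.2.2/24,    gateway 192.0.2.1
!   backup  (ISP B): 198.51.100.2/24, gateway 198.51.100.1
!   probe target reached through ISP A: 203.0.113.10

! SLA operation: ICMP echo to the probe target, sent out the primary interface.
! Probing a host beyond the ISP A gateway detects upstream failures,
! not only loss of the local link.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.10 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now

! Tracked object 1 is up while SLA operation 10 reports the target reachable.
track 1 rtr 10 reachability

! Primary default route: installed only while tracked object 1 is up.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1 track 1

! Standby default route: higher administrative distance, so it enters the
! routing table only when the tracked primary route is withdrawn.
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254

! Verify with: show track   and   show route
```

Only one default route is active at a time, so this provides failover and does not split traffic between the two ISPs. Address translation and access rules must also exist for the `backup` interface, or traffic will be dropped after the route switches.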
