I have a customer that has two ISP connections and is looking for bi-directional redundancy (inbound and outbound). They currently have a Cisco PIX 7 with 6 interfaces total. I have used devices in the past from Fatpipe and Linkproof that provide this functionality. However, it is not an option here because of price concerns.
The customer does not want to run BGP between providers. They currently have only a couple of Internet-accessible devices. They have accepted the fact that these sites, in case of failure, will be down until DNS records are adjusted (web site, for instance). Another requirement is to terminate a handful of VPNs as well.
What would be the best way to handle this scenario:
1) Introduce a Cisco router and terminate both ISPs on the router (both are Ethernet hand-offs).
2) Configure the PIX using subinterfaces and multiple contexts (probably cannot do this because of lack of VPN support for multiple contexts).
3) There will be a DMZ interface that has the Internet-accessible devices. Can these devices have multiple NATs in different contexts? (i.e. ISP1 - nat 10.10.10.1 - 66.1252.231.1 and ISP2 - nat 10.10.10.1 - 220.127.116.11)
Thanks for the detailed explanation. Below are a few points I would like to mention:
1) If you hook one ISP on, say, the PIX outside interface and the other ISP on, say, the DMZ interface of the PIX, then, because the PIX can have only one default route with the same metric, the traffic would always be routed out through the route with the lowest metric. This only holds good as a backup link. In such a case, you would have default routes as follows:
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route dmz 0.0.0.0 0.0.0.0 y.y.y.y 2
So in case the first ISP (x.x.x.x) goes down, the traffic would start flowing through the second ISP (y.y.y.y).
NOTE: The PIX should see line protocol down on its outside interface to start routing traffic from the DMZ.
This scenario would not accomplish your goal.
2) You are correct: when we configure the PIX for transparent firewalling, it starts acting like a dumb hub with the additional functionality of supporting access lists to control the flow of traffic, and loses its precious features like VPN, as mentioned by you. This feature was introduced in the PIX so that you do not have to redesign your IP addressing scheme while introducing the PIX into your production network. This again would not be a suitable solution in your case.
Such a topology would fix your issue:
Here, you need to make sure that your PIX gateway is a router running an OSPF process and doing the redundancy.
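As an added illustration of the floating-static-route caveat above (this is not from the reply and not the customer's configuration): on an Ethernet hand-off the outside line protocol usually stays up when the ISP fails upstream, so the metric-2 route never takes over. The fragment below assumes the PIX runs 7.2 or later, where static route tracking exists; x.x.x.x and y.y.y.y are the ISP1/ISP2 next hops from the reply and 192.0.2.1 is a placeholder for a host beyond ISP1 that answers ICMP echo.

```cisco
! Added example, not from the thread. Assumes PIX/ASA 7.2+ (sla monitor / track).
! x.x.x.x = ISP1 next hop on outside, y.y.y.y = ISP2 next hop on dmz,
! 192.0.2.1 = placeholder probe target reachable only via ISP1.

! Probe the target through the outside interface every 10 s, 3 echoes per probe
sla monitor 10
 type echo protocol ipIcmpEcho 192.0.2.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now

! Track object 1 follows the reachability result of SLA 10
track 1 rtr 10 reachability

! The metric-1 default route is withdrawn when track 1 reports down,
! so the metric-2 route via the dmz-side ISP takes over even though the
! outside interface still shows line protocol up
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1 track 1
route dmz 0.0.0.0 0.0.0.0 y.y.y.y 2
```

This only improves outbound failover detection; inbound reachability of the DMZ hosts still depends on the DNS change the customer has already accepted.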
If I am understanding correctly, we would have to introduce a router that connects ISP1, ISP2 and the PIX. We would have to be running OSPF between these devices. From the PIX perspective connecting to the router, what IP address information will that need to have? It looks like it will need to be an RFC 1918 address? If ISP1 goes down and a user needs to connect to the web server on the DMZ, the firewall will have to have two NATs, one from ISP1 and one from ISP2? Is this possible?
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit TCP from the inside interface to any6.
In Syslog I also se...