One PIX, two ISP's, two statics for host

dkorell
Level 1

I have hooked up a second ISP to my PIX. One ISP will handle all outbound web access and VPN (default route). The other will handle specific traffic to several companies (individual routes).

I have some internal hosts that have statics assigned to the ISP that will handle specific traffic. But, at times they may need to get to the web which is routed out the other ISP.

I talked to Cisco about having two statics for an internal host and they said I would have problems. I've tested this though and it appears to be routing out each ISP correctly.

Anyone doing something similar, and are there issues I'm not aware of yet?

10 Replies

scoclayton
Level 7

Hi,

I am a little confused. Routes are based on destinations rather than sources. So, I am trying to figure out what you mean when you say you have "some internal hosts that have statics assigned to the ISP that will handle specific traffic." Are you referring to the default gateway for the internal hosts? I would assume this would be the inside interface of the PIX. Once the packets reach the PIX, the PIX determines which next hop to use (based on the destination) to route the packets to the destination. Can you elaborate a bit more on this if possible? Sorry for not understanding.

Scott

No problem. Let's say I have an internal server of 10.1.1.5. On the PIX, before having two ISPs, it had a static NAT IP of 20.1.1.5. The default outside route went to 20.1.1.1.

Now I add the second ISP and the default route is now changed to 30.1.1.1. In order to get the internal host to let's say 40.1.1.1 through ISP1, I put a static route saying all traffic going to 40.1.1.1, go out ISP1. Everything else by default, is going to go out ISP2.

But, that host needs a routable IP address for both ISPs to do this. So, in addition to giving it a static NAT IP of 20.1.1.5 so it can go out ISP1 and return, I give it a second static NAT IP of 30.1.1.5 so it can route correctly out ISP2 and return.

I have done this and it routes out the default correctly and out a static route correctly. This has only been done for one test host, and before switching everything over to ISP2 I want to make sure there are no surprises.

Hope that helps more.

OK, still a little confused so let me see if I can figure this out. Are you saying that you created 2 static translations on the PIX for the 10.1.1.5 host? For instance,

static (inside, outside) 20.1.1.5 10.1.1.5 netmask 255.255.255.255

static (inside, outside) 30.1.1.5 10.1.1.5 netmask 255.255.255.255

If so, this is NOT a valid config. Think about it this way: when 10.1.1.5 sends a packet, which address is the PIX going to translate the packet to, 20.1.1.5 or 30.1.1.5? Trust me, I've seen it 1,000,000 times and it is not going to work. Or, am I missing the point? Or some other detail?

Scott

That is correct. I currently have a PC set up with two static NAT IPs, one in ISP1's range and the other in ISP2's range. Default routing is currently going out ISP1. I then set up a static route for 206.204.10.5 (securityfocus.com) and tell it to go out ISP2's connection.

I can do a traceroute to yahoo.com and it goes out ISP1 and the PC shows up in Xlate with the ISP1 range IP. I then do a traceroute to securityfocus.com and it goes out ISP2 and the PC then shows up in Xlate with the ISP2 range IP. I can browse to both sites as well.

I then remove the static route and when I go to securityfocus.com, it then goes back over ISP1.

How it works, beats me. The only thing I could think of is it's looking up which route it needs to go out and picks the static NAT IP from the same range as the destination router in that route.

Interesting huh?

Quite...but I still think you are seeing something else. Not quite sure what that might be, but you may want to dig into this a bit more. The PIX is going to use the first xlate it has for the translation. Or in other words, the first static in the config is always going to win out. I think you might be giving the PIX a bit more credit than it deserves with your theory above ;)

Good luck!

Scott

I was able to find the following from a PIX Firewall FAQ page:

Q. Can I map a single, inside address to more than one outside address?

The Cisco Secure PIX Firewall only allows a single one-to-one translation for a local (inside) host. If you have more than two interfaces on the Cisco Secure PIX Firewall, you can translate a local address to different addresses on each respective interface but only one translation per interface is allowed for each address. Likewise, you cannot do a static mapping of a single outside address to multiple local addresses.

So according to this, a local address can have different IP's on each ISP range. Just thought I would pass it on.

Right, but the key here is the "you can translate a local address to different addresses on each respective interface but only one translation per interface is allowed for each address" part. So the following statics are not valid:

static (inside, outside) 20.1.1.5 10.1.1.5 netmask 255.255.255.255

static (inside, outside) 30.1.1.5 10.1.1.5 netmask 255.255.255.255

but these would be:

static (inside, outside) 20.1.1.5 10.1.1.5 netmask 255.255.255.255

static (inside, intf2) 30.1.1.5 10.1.1.5 netmask 255.255.255.255

Note the interface change in the second static. Is this what you are doing? If so, I apologize for misunderstanding, as this would be fine. But if both global addresses are on the same interface, your config would not be valid.

Scott

I'm doing the second set of static commands:

static (inside, ISP1) 20.1.1.5 10.1.1.5 netmask 255.255.255.255

static (inside, ISP2) 30.1.1.5 10.1.1.5 netmask 255.255.255.255

I should have explained what I was doing a little better with commands. As for the first scenario, I don't think the PIX will even let you do this anymore. I remember back in the 4.x or 5.x days you could have two outside addresses assigned to a single inside address but when upgrading to the next major version, it errored when updating.

Do you know the flow of how it knows which IP to use when going out either ISP1 or ISP2? I am guessing that it's being routed and using the IP address from the range of the next hop.

Ahhhh, that makes a lot more sense. I have been banging my head trying to figure out how you had this working. And I think you are probably correct on the "PIX CLI not even allowing the command."

As for the flow, the PIX first looks to see if an xlate exists for the destination address. Since one most likely doesn't exist (unless you are doing outside NAT), routing takes place next. The packet is moved to the destination interface and the PIX then checks for NAT commands (nat/global, static, etc...).

Whew...glad we worked through this ;) Have a good weekend.

Scott
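The order of operations Scott describes (destination xlate check, then route lookup to pick the egress interface, then the static for that interface) is easy to lose track of in prose. Below is an added Python model of that flow, written for this thread rather than taken from Cisco or from either poster. It uses the constructed addresses from the discussion (10.1.1.5 inside, 20.1.1.5 on ISP1, 30.1.1.5 on ISP2, a /32 route for 40.1.1.1 via ISP1, default via ISP2) and also includes a small checker that flags the invalid case from earlier in the thread, two statics for one inside host on the same interface. The route table, interface names and helper names are all assumptions for illustration, not PIX internals.

```python
"""Toy model of PIX static NAT selection after routing.

Added example for this thread, not Cisco code. All addresses, interface
names and table entries below are constructed from the discussion.
"""
import ipaddress

# Constructed routing table: (destination prefix, next hop, egress interface).
ROUTES = [
    ("0.0.0.0/0", "30.1.1.1", "ISP2"),     # default route via ISP2
    ("40.1.1.1/32", "20.1.1.1", "ISP1"),   # specific partner host via ISP1
]

# Constructed statics keyed by (inside address, outside interface), mirroring
#   static (inside,ISP1) 20.1.1.5 10.1.1.5 netmask 255.255.255.255
#   static (inside,ISP2) 30.1.1.5 10.1.1.5 netmask 255.255.255.255
STATICS = [
    ("10.1.1.5", "ISP1", "20.1.1.5"),
    ("10.1.1.5", "ISP2", "30.1.1.5"),
]


def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match. Returns (next_hop, interface) or None."""
    best = None
    dst_ip = ipaddress.ip_address(dst)
    for prefix, next_hop, intf in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, next_hop, intf)
    return (best[1], best[2]) if best else None


def first_static(inside, intf, statics=STATICS):
    """First matching static wins, as Scott notes for duplicate entries."""
    for local, out_intf, global_addr in statics:
        if local == inside and out_intf == intf:
            return global_addr
    return None


def forward(src, dst, routes=ROUTES, statics=STATICS):
    """Model the thread's flow: route first, then NAT on the egress interface.

    Returns (egress_interface, translated_source), or None when there is no
    route or no static for the inside host on the chosen interface (the case
    where the host lacks a routable address on that ISP).
    """
    hop = route_lookup(dst, routes)
    if hop is None:
        return None
    _next_hop, intf = hop
    global_addr = first_static(src, intf, statics)
    if global_addr is None:
        return None
    return intf, global_addr


def duplicate_statics(statics):
    """Flag (inside, interface) pairs mapped to more than one global address.

    The FAQ quoted in the thread allows one translation per interface per
    address, so any entry returned here is the invalid configuration.
    """
    seen = {}
    for local, intf, global_addr in statics:
        seen.setdefault((local, intf), set()).add(global_addr)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    print(forward("10.1.1.5", "40.1.1.1"))       # ('ISP1', '20.1.1.5')
    print(forward("10.1.1.5", "206.204.10.5"))   # ('ISP2', '30.1.1.5')
    bad = [("10.1.1.5", "outside", "20.1.1.5"), ("10.1.1.5", "outside", "30.1.1.5")]
    print(duplicate_statics(bad))
```

Running it shows the behaviour dkorell observed: the /32 route sends traffic for 40.1.1.1 out ISP1 with source 20.1.1.5, while everything else takes the default out ISP2 with source 30.1.1.5. Passing the two same-interface statics to `duplicate_statics` reports the conflict that the FAQ rules out.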

Thanks for the help. I think I'll move forward with this next week and see what happens. I met with a Cisco security guru today and he was drawing out a way to get my two ISPs to talk to each other using BGP and insert it into OSPF on the PIX. I can then get the benefit of routing in certain directions but also get failover and load balancing. This is new to me but sounds like a good solution.
