Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

one pix - two ISP

hello,

we have one PIX 535 6.2(2), one DMZ, one ISP and one internal network.

And we have a new requierement: to create a new DMZ and to permit acces to this DMZ through a new ISP that will be attached to "other" external interface of the PIX. So, the final diagram will look like this:

outside interface 1 --> ISP1

outside interface 2 --> ISP2

inside interface --> inside network

dmz interface 1 -- > DMZ network 1

dmz interface 2 -- > DMZ network 2

We have had problems making this configuration to work.

the pix can't ping past the directly attached interface of the router of the ISP2.

we haven't tried to "static" any server in this new DMZ because we can't even make icmp packets pass the router of the second ISP.

We attached a temporarly firewall (a microsoft ISA server) between this new DMZ and this new ISP and it worked well, so any problem in the router of the ISP2 is discarded... but this solution is temporary and we would like to use the pix for this.

this is the configuration:

: Saved

:

PIX Version 6.2(2)

nameif gb-ethernet0 outside security0

nameif gb-ethernet1 inside security100

nameif gb-ethernet2 Failover_fw security55

nameif ethernet0 dmz1 security50

nameif ethernet1 dmz2 security30

nameif ethernet2 outside2 security25

names

object-group network SERVERS(noaptos)

network-object host 216.15.255.131

object-group network COMPAS

network-object host 11.254.13.59

object-group network SECODAM

network-object host 200.34.175.249

object-group service APS-SECODAM tcp-udp

port-object eq 80

port-object eq 433

port-object eq 9001

port-object eq 9002

access-list IN deny udp any any eq netbios-ns

access-list IN permit ip any 71.10.23.0 255.255.255.0

access-list IN permit tcp any object-group SECODAM object-group APS-SECODAM

access-list IN permit ip object-group COMPAS any

access-list IN deny ip any object-group XXXSERVERS

access-list IN deny tcp any any eq 1863

access-list IN permit ip host 11.254.14.42 192.168.100.0 255.255.255.0

access-list IN permit tcp any any eq 9090

access-list IN permit tcp any any range 8000 8100

access-list IN permit tcp host 11.254.12.234 any eq smtp

access-list IN deny tcp any any eq smtp

access-list IN permit tcp any any eq 3389

access-list no_nat permit ip any 192.168.100.0 255.255.255.0

access-list OUT permit tcp any host 200.XX.XX.4 eq www

access-list OUT permit tcp any host 200.XX.XX.4 eq https

access-list OUT permit tcp any host 200.XX.XX.6 eq www

access-list OUT permit tcp any host 200.XX.XX.7 eq www

access-list OUT permit tcp any host 200.XX.XX.8 eq www

access-list OUT permit tcp any host 200.XX.XX.9 eq smtp

access-list OUT permit tcp any host 200.XX.XX.10 eq 8080

access-list OUT permit tcp any host 200.XX.XX.10 eq www

access-list OUT permit tcp any host 200.XX.XX.11 eq www

access-list OUT permit tcp any host 200.XX.XX.12 eq www

access-list OUT permit tcp any host 200.XX.XX.12 eq 5100

access-list OUT permit tcp any host 200.XX.XX.20 eq domain

access-list OUT permit udp any host 200.XX.XX.20 eq domain

access-list OUT permit icmp any any

access-list DMZ permit tcp any host 11.254.12.21 eq domain

access-list DMZ permit udp any host 11.254.12.21 eq domain

access-list DMZ permit ip any host 11.254.12.36

access-list DMZ permit tcp host 71.10.23.10 11.0.0.0 255.0.0.0 eq 1525

access-list DMZ permit tcp host 71.10.23.34 host 11.254.12.234 eq smtp

access-list OUT2 permit icmp any any

interface gb-ethernet0 1000auto

interface gb-ethernet1 1000auto

interface gb-ethernet2 1000auto

interface ethernet0 100full

interface ethernet1 auto

interface ethernet2 auto

mtu outside 1500

mtu inside 1500

mtu Failover_fw 1500

mtu dmz 1500

mtu secodam_inside 1500

mtu secodam_outside 1500

ip address outside 200.XX.XX.15 255.255.255.0

ip address inside 11.254.12.67 255.255.255.0

ip address Failover_fw 72.10.24.30 255.255.255.0

ip address dmz 71.10.23.99 255.255.255.0

ip address dmz2 11.254.14.241 255.255.255.0

ip address outside2 207.YY.YY.1 255.255.255.0

ip local pool pptp-pool 192.168.100.1-192.168.100.5

arp timeout 14400

global (outside) 1 200.XX.XX.21-200.XX.XX.27

global (outside2) 2 207.YY.YY.2

nat (inside) 0 access-list no_nat

nat (inside) 2 11.254.14.20 255.255.255.255 0 0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

alias (dmz) 71.10.23.34 200.34.143.10 255.255.255.255

static (dmz,outside) 200.XX.XX.6 71.10.23.11 netmask 255.255.255.255 0 0

static (dmz,outside) 200.XX.XX.7 71.10.23.25 netmask 255.255.255.255 0 0

static (dmz,outside) 200.XX.XX.8 71.10.23.13 netmask 255.255.255.255 0 0

static (dmz,outside) 200.XX.XX.12 71.10.23.35 netmask 255.255.255.255 0 0

access-group OUT in interface outside

access-group IN in interface inside

access-group DMZ in interface dmz

access-group OUT2 in interface outside2

route outside 0.0.0.0 0.0.0.0 200.34.143.254 1

route inside 10.0.0.0 255.0.0.0 11.254.12.254 1

route inside 11.0.0.0 255.0.0.0 11.254.12.254 1

: end

any clues? is ths configuration even possible?

thank you in davance!

3 REPLIES
New Member

Re: one pix - two ISP

Hi -

Ahh, if only it were that easy... The problem is the 'route outside 0.0.0.0 0.0.0.0'. Your PIX's default gateway is set to ISP A. If you could add a second default route on the PIX, you could set it to ISP B. Unfortunately, you can't do that.

What you might try is setting the route to the network that needs to get to your DMZ... For example, if Company B (at 7.7.7.7) is trying to get to your new DMZ, add a route like this: route outside2 7.7.7.0/24 207.YY.YY.2 (or whatever ISP B's router is)...

This might just do the trick...

New Member

Re: one pix - two ISP

As posted by the previous specialist, you cannot have 2 default gateways. This is for sure. Don't invest no more time to try this, it can't works. You should searche for another solution. As suggested by the previous answer, you can configure manually static route to reach some networks through the outside2 interface. If, it's not a feasible solution, you must try the last alternative, send all traffic through outside1 up to a single router, or dual with HSRP, who can manage both ISP connections.

Hope this help

Ben

New Member

Re: one pix - two ISP

PIX 6.3 support OSPF with equal cost load balancing, if you can make your ISP running OSPF to inject default route to your PIX, you may able to have two default route in PIX.

Or try send all destination traffic with odd network number to one ISP and the even network number to another ISP. Something like

route outside 0.0.1.0 0.0.1.0 x.x.x.x

route outside 0.0.0.0 0.0.1.0 x.x.x.x

I am not sure whether it will work or not as I haven't try it. Just my suggestion.

202
Views
0
Helpful
3
Replies