Cisco Support Community
Community Member

Two internet lines, two firewalls

A client has an internet connection that's currently secured with a PIX 515E (3 FEs: outside, inside, dmz), but the IP address of the outside connection is dynamically assigned. They currently host some servers using Dynamic DNS, but that's not as good as having a static IP, so they're considering getting a static-IP DSL line in addition to the existing connection, just for the servers in the DMZ zone. I think their 515E can only have 3 interfaces, so I'm going to tell them to get another firewall, but I'm trying to figure out what to get and how to set it up exactly. I guess I could use the DMZ interface on the 515 for the DSL connection; then the inside connection would actually become the DMZ/inside, and I'd connect another firewall to it (w/o NAT, perhaps a 506E) to secure the internal LAN from the DMZ segment. Does this setup make any sense, and would it be the most secure way to do it? If so, how would I go about setting up two default routes for outside access on the 515? I would want the traffic destined for the servers in the DMZ to go over the DSL line, while the internal traffic should be routed through the dynamic connection.


Cisco Employee

Re: Two internet lines, two firewalls

Hello ph0enix,

What type of license do you have on the PIX 515E? The Restricted license supports 3 physical interfaces and 10 logical, but the UR (Unrestricted) license supports 6 physical interfaces and 25 logical.

That may affect your decision. Also please read this from

Q. Can I connect two different ISPs to my Cisco Secure PIX Firewall (for load-balancing)?

A. No, you cannot load-balance on the PIX. The Cisco Secure PIX Firewall is designed to handle only one default route. When you connect two ISPs to a single PIX, it means that the Firewall needs to make routing decisions at a much more intelligent level. Instead, use a gateway router outside the PIX so that the PIX continues to send all of its traffic to one router. That router can then route/load-balance between the two ISPs. An alternative is to have two routers outside the PIX using Hot Standby Router Protocol (HSRP) and set the default gateway of the PIX to be the virtual HSRP address. Alternatively, (if possible) you can use Open Shortest Path First (OSPF) which supports load balancing among a maximum of three peers on a single interface.

Hope this helps! If so, please rate.


Community Member

Re: Two internet lines, two firewalls


It's the restricted license (3/10).

I'm not really looking to load balance (even though it may be the same thing from the nuts-and-bolts point of view). I want to send traffic from a few specific hosts over one line and the rest of the network over the other one. If that can't be accomplished, I'll just set up the DSL line on a new 506. In this case, I would like to set up two default routes for each user, with the DSL line being the secondary (in case the primary line is down).

Re: Two internet lines, two firewalls

Hi .. If it is not possible to set up a border router (running BGP with your ISP and OSPF internally), then perhaps another option is placing a router in front of the firewall connected to both ISPs. The router can use route maps to redirect traffic coming from the DMZ server down the secondary link; everything else will go out by the primary link. The only issue here is that you would have to make changes manually to the route map in case one of the links goes down.
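Here is a worked configuration for the router-in-front approach described in the reply above. It is an added example, not part of the original thread, written for Cisco IOS; the interface names and all addresses are assumed (RFC 5737 documentation ranges), and it also adds the NAT the router needs so the PIX's outside address can leave through the dynamic primary link, which the reply does not spell out.

```cisco
! Added example, not from the thread: an IOS router placed in front of the
! PIX, homed to both ISPs, with a route map that policy-routes traffic
! sourced by the DMZ servers onto the static DSL link while everything else
! follows the dynamic primary link. All addresses are made up (RFC 5737
! documentation ranges) and stand in for the real ones:
!   198.51.100.0/24   transfer net between router (.1) and PIX outside (.2)
!   192.0.2.0/30      static DSL link, ISP2 gateway .1, router .2
!   203.0.113.0/29    static block routed to us by ISP2, used for DMZ servers
!
interface FastEthernet0/0
 description Toward PIX outside interface
 ip address 198.51.100.1 255.255.255.0
 ip nat inside
 ip policy route-map DMZ-VIA-ISP2
!
interface FastEthernet0/1
 description ISP1, dynamic address, default path for the internal LAN
 ip address dhcp
 ip nat outside
!
interface FastEthernet1/0
 description ISP2, static DSL, carries the DMZ servers
 ip address 192.0.2.2 255.255.255.252
!
! The DMZ public block lives behind the PIX (PIX statics map it to the DMZ
! hosts), so inbound traffic for it arriving from ISP2 is forwarded to the
! PIX outside address.
ip route 203.0.113.0 255.255.255.248 198.51.100.2
!
! No static default route: the DHCP lease on Fa0/1 installs one toward ISP1.
! If ISP1 fails, adding "ip route 0.0.0.0 0.0.0.0 192.0.2.1" by hand is the
! manual change the reply refers to.
!
! The PIX NATs the internal LAN to its outside address; the router in turn
! hides that single address behind the dynamic ISP1 address.
ip access-list extended PIX-OUTSIDE-ADDR
 permit ip host 198.51.100.2 any
ip nat inside source list PIX-OUTSIDE-ADDR interface FastEthernet0/1 overload
!
! Anything sourced from the DMZ block (server replies and server-initiated
! sessions) is handed to the ISP2 gateway regardless of the routing table.
! Packets that do not match the ACL fall through to normal destination
! routing, i.e. the DHCP-learned default toward ISP1.
ip access-list extended DMZ-SERVERS
 permit ip 203.0.113.0 0.0.0.7 any
!
route-map DMZ-VIA-ISP2 permit 10
 match ip address DMZ-SERVERS
 set ip next-hop 192.0.2.1
```

The route map acts only on packets entering Fa0/0, so it steers the DMZ servers' outbound packets and replies; inbound traffic for 203.0.113.0/29 arrives on Fa1/0 and simply follows the static route to the PIX. The NAT rule matches only the PIX outside address, so DMZ traffic leaving via Fa1/0 (not a NAT outside interface) is not translated. There is no automatic fallback: if the DSL gateway disappears, `set ip next-hop` keeps black-holing matched traffic until you remove the route-map entry, which is the manual change the reply warns about (`set ip next-hop verify-availability` with object tracking can automate that, but that is beyond what the thread covers).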

Community Member

Re: Two internet lines, two firewalls

I do this with the PIX. It is not an auto failover situation, but you can use two ISPs using PIX 6.x code by specifying 2 default routes, like this:

route outside 0 0 1

route isp2 0 0 2

Doing this allows traffic originating from ISP 1 or 2 to connect to the PIX and session state to be established, allowing the PIX to reply through the appropriate ISP.

This will not work well for UDP traffic and not at all for ICMP traffic.

To regulate outbound connections, unfortunately you will have to enter static routes with a metric of 1 for each destination that you would rather reach over ISP2.

Hope that helps.
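The dual-default-route setup from the post above, written out as a PIX 6.x configuration. This is an added example and not the poster's config; it assumes interfaces already named outside, isp2, dmz and inside (on the restricted license the dmz can be a logical VLAN interface off the inside port), and every address in it is made up (RFC 5737 ranges). It relies on the return-path behaviour the poster reports and inherits the same limits: no automatic failover, and UDP/ICMP not handled.

```cisco
! Added example, not the poster's configuration. PIX 515E on 6.x with the
! third physical port used as the second ISP uplink. Interface names
! outside (dynamic cable link), isp2 (static DSL link), dmz and inside are
! assumed to exist already. Addresses are made up (RFC 5737 ranges):
!   198.51.100.1     gateway on the dynamic outside link (if the outside
!                    address comes from DHCP, "ip address outside dhcp
!                    setroute" installs this default route for you and the
!                    explicit "route outside" line below is omitted)
!   192.0.2.0/29     static DSL block; ISP2 gateway .1, PIX isp2 address .2,
!                    .3 published for the DMZ web server
!   203.0.113.0/24   a destination the inside LAN should reach over ISP2
!   10.1.2.0/24      DMZ segment, web server at 10.1.2.10
!
! Two default routes. The metric-1 route carries everything the inside LAN
! sends out; the metric-2 route on isp2 is what the post relies on so the
! PIX can answer sessions that arrived over the DSL link back out isp2.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
route isp2 0.0.0.0 0.0.0.0 192.0.2.1 2
!
! Steering outbound traffic per destination: a specific route with metric 1
! beats the default, so inside hosts reach this network over ISP2.
route isp2 203.0.113.0 255.255.255.0 192.0.2.1 1
!
! Inside LAN and DMZ leave through the dynamic address on outside, or
! through the isp2 address when a metric-1 static sends them that way.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 10.1.2.0 255.255.255.0 0 0
global (outside) 1 interface
global (isp2) 1 interface
!
! Publish the DMZ web server on a static DSL address and let only HTTP in.
static (dmz,isp2) 192.0.2.3 10.1.2.10 netmask 255.255.255.255 0 0
access-list ISP2_IN permit tcp any host 192.0.2.3 eq www
access-group ISP2_IN in interface isp2
```

Note that the static only applies between dmz and isp2: sessions the web server starts itself still follow the metric-1 default toward outside under the dynamic address, exactly the outbound limitation the post describes, and steering them onto the DSL link needs a metric-1 static per destination as above.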

Community Member

Re: Two internet lines, two firewalls

What you can do is get a hardware appliance called Radware LinkProof or FatPipe. Have them connect the two links to that hardware, then hang the PIX 515E off the Radware or FatPipe. I have done this a million times; it works fine every time.
