A client has an internet connection that's currently secured with a PIX515E (3 FEs - outside, inside, dmz) but the IP address of the outside connection is dynamically assigned. They currently host some servers using Dynamic DNS but that's not as good as having a static IP so they're considering getting a static IP DSL line in addition to the existing connection - just for the servers in the DMZ zone. I think their 515E can only have 3 interfaces so I'm going to tell them to get another firewall but I'm trying to figure out what to get and how to set it up exactly. I guess I could use the DMZ interface on the 515 for the DSL connection, then the inside connection would actually become the DMZ/inside - then I'd connect another firewall to it (w/o NAT - perhaps a 506E) to secure the internal LAN from the DMZ segment. Does this setup make any sense and would it be the most secure way to do it? If so, how would I go about setting up two default routes for outside access on the 515? I would want the server destined for the servers in the DMZ to go over the DSL line while the internal traffic should be routed through the dynamic connection.
Q. Can I connect two different ISPs to my Cisco Secure PIX Firewall (for load-balancing)?
A. No, you cannot load-balance on the PIX. The Cisco Secure PIX Firewall is designed to handle only one default route. When you connect two ISPs to a single PIX, it means that the Firewall needs to make routing decisions at a much more intelligent level. Instead, use a gateway router outside the PIX so that the PIX continues to send all of its traffic to one router. That router can then route/load-balance between the two ISPs. An alternative is to have two routers outside the PIX using Hot Standby Router Protocol (HSRP) and set the default gateway of the PIX to be the virtual HSRP address. Alternatively, (if possible) you can use Open Shortest Path First (OSPF) which supports load balancing among a maximum of three peers on a single interface.
I'm not really looking to load balance (even though it may be the same thing from the nuts and bolts point of view). I want to send traffic from a few specific hosts over one line and the rest of the network over the other one. If that can't be accomplished, I'll just set up the DSL line on a new 506. In this case, I would like to set up two default routes for each user with the DSL line being the secondary (in case the primary line is down).
Hi. If it is not possible to set up a border router (running BGP with your ISP and OSPF internally), then perhaps another option is placing a router in front of the firewall connected to both ISPs. The router can use route maps to redirect traffic coming from the DMZ server down the secondary link; everything else will go out by the primary link. The only issue here is that you would have to make changes manually to the routing map in case one of the links goes down.
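The route-map approach described in the post above, sketched as Cisco IOS policy-based routing on the router in front of the PIX. This is an added example, not configuration from the thread; the interface names, ACL number, route-map name and all addresses (documentation ranges) are assumptions.

```cisco
! Constructed example. Assumed layout:
!   FastEthernet0/0 = link toward the PIX outside interface
!   198.51.100.1    = next hop on the primary (dynamic) ISP link
!   203.0.113.1     = next hop on the static-IP DSL link
!   192.0.2.10      = address the PIX presents for the DMZ server
!
! The router sits outside the PIX, so it sees DMZ traffic with whatever
! source address the PIX translates the server to. Match that address,
! not the server's private DMZ address.
access-list 110 remark DMZ server traffic as seen outside the PIX
access-list 110 permit ip host 192.0.2.10 any
!
! Traffic matching ACL 110 is forced to the DSL next hop.
route-map DMZ-VIA-DSL permit 10
 match ip address 110
 set ip next-hop 203.0.113.1
!
! Policy routing is applied inbound on the interface where the
! traffic arrives from the firewall.
interface FastEthernet0/0
 description To PIX outside
 ip policy route-map DMZ-VIA-DSL
!
! Anything the route map does not match falls through to the normal
! routing table and leaves by the primary link.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! As the post notes, this is static: if the DSL link fails, the
! route map has to be changed or removed by hand.
```

`show route-map` and `show ip policy` on the router confirm that the policy is attached and that the match counters increase for the DMZ server's traffic only.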
What you can do is get a piece of hardware called Radware Link proof or Fatpipe. Have them connect the two links to that hardware, then hang the PIX 515E off the Radware or Fatpipe. I have done this a million times; it works fine every time.