Two Internet Connections - Possible?

gtate
Level 1

Setup - PIX 515E w/6.3.5 - One internal network and two "external" networks

I've got one Cisco Router to our MCI networks on one outside interface and a Cable modem on the other outside interface. I want to route all site to site VPN traffic over the MCI connections and route all other traffic over the cable modem.

I've set up static routes to the remote VPN subnets' external IP addresses which point to the Cisco router's IP address. I set the default route to be the cable modem's IP address.

I have set up a PAT rule to go out over the cable modem interface and a no-NAT rule for the VPN subnets.

Both outside interfaces have the security set to 0.

I figured this would work, but all traffic seems to be going out the cable modem or dropping. It is very hard to tell what is going on as traceroute doesn't work with site to site VPN. Can someone point me in the right direction with troubleshooting or if this is even possible? Thanks!

9 Replies

slaurin
Level 1

Hi,

Could you please give me the output of the following commands:

1) show route

2) show nameif

3) Make sure ICMP (echo, echo-reply) is allowed through, then give me the output of the "show icmp trace" command while sending pings to a private IP address on the other side of the tunnel from a host that sits behind your "inside" interface.

Thanks

Simon Laurin

jackko
Level 7

Please post the entire config with the public IPs masked.

Here is my config. Some crypto entries removed to shorten config. It really seems like the crypto engine is ignoring the routes. Other traffic routes to the correct interfaces fine.

gtate
Level 1

I've also noticed my crypto ACLs are not being hit anymore. This is from the "sh crypto map" command...

access-list CSM-crypto-acl-outside-12 line 1 permit ip 10.0.0.0 255.255.0.0 10.100.0.0 255.255.0.0 (hitcnt=0)

gtate
Level 1

Interesting...

I've added a route to 10.10.0.0 255.255.0.0 that points to my x.x.x.gw. Now that crypto ACL is being triggered and the ISAKMP engine is trying to establish that connection. However, the ISAKMP engine is STILL trying to use my cable modem to establish the SA. Very interesting and annoying!
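An added consistency check, not from this thread or from Cisco, for the symptom in this post and in the original question: on the PIX a crypto map is bound to one interface, so the route to each VPN peer should egress through that same interface. The script parses a constructed PIX 6.3-style config fragment (placeholder addresses; the route and crypto map line syntax is assumed) and flags every peer whose longest-prefix route leaves a different interface than the one its crypto map is bound to.

```python
import ipaddress
import re

# Constructed PIX 6.3-style config fragment (assumed syntax, placeholder
# addresses); not the poster's real configuration.
SAMPLE_CONFIG = """
nameif ethernet2 mci security0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route mci 198.51.100.0 255.255.255.0 192.0.2.1 1
crypto map outside_map 10 set peer 198.51.100.7
crypto map outside_map 20 set peer 198.51.100.250
crypto map outside_map 30 set peer 203.0.113.50
crypto map outside_map interface outside
"""

ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
PEER_RE = re.compile(r"^crypto map\s+(\S+)\s+\d+\s+set peer\s+(\S+)")
BIND_RE = re.compile(r"^crypto map\s+(\S+)\s+interface\s+(\S+)")

def parse_config(text):
    """Return static routes (iface, network, gw), peers (map, ip), map->iface."""
    routes, peers, bindings = [], [], {}
    for line in text.splitlines():
        line = line.strip()
        if m := ROUTE_RE.match(line):
            iface, net, mask, gw = m.groups()
            routes.append((iface, ipaddress.ip_network(f"{net}/{mask}", strict=False), gw))
        elif m := PEER_RE.match(line):
            peers.append((m.group(1), ipaddress.ip_address(m.group(2))))
        elif m := BIND_RE.match(line):
            bindings[m.group(1)] = m.group(2)
    return routes, peers, bindings

def egress_interface(routes, addr):
    """Longest-prefix match: the interface the PIX would route addr out of."""
    addr = ipaddress.ip_address(addr)
    candidates = [r for r in routes if addr in r[1]]
    return max(candidates, key=lambda r: r[1].prefixlen)[0] if candidates else None

def audit(text):
    """(peer, bound_iface, route_iface) for peers whose route leaves a different
    interface than the one their crypto map is bound to."""
    routes, peers, bindings = parse_config(text)
    findings = []
    for name, peer in peers:
        bound, via = bindings.get(name), egress_interface(routes, str(peer))
        if bound != via:
            findings.append((str(peer), bound, via))
    return findings
```

In the sample, both peers behind the "mci" route are flagged because the map is bound to "outside", which is the mismatch to look for when ISAKMP insists on the wrong uplink.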

gtate
Level 1

I still can't get this to work. Any help?

I had a similar problem. My gateway router has one multilink bundle and a frame relay circuit coming into it. The two WAN connections are from different providers. The initial plan was to route all internet-bound traffic through the multilink and all site-to-site VPN through the frame.

I added routes on the router for all the peer IPs of the firewalls to go through the frame and pointed the default to the multilink. I got the same results as you did.

I had to change the outside interface IP address to one that was provided by the multilink provider.

Hi! I have 2 internet providers and a PIX 515 (7.04). I want to know if I can connect the 2 providers to my PIX. Can I configure 2 default networks? My goal is to have 2 internet links for the outgoing traffic.

Thanks!

Hi,

As per the release notes you can have 3 default routes configured in your PIX firewall.

Please refer to this for more info:

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008045247f.html#wp1047900

Regards
