Cisco Support Community

New Member

Two Internet Connections - Possible?

Setup - PIX 515E w/6.3.5 - One internal network and two "external" networks

I've got one Cisco Router to our MCI networks on one outside interface and a Cable modem on the other outside interface. I want to route all site to site VPN traffic over the MCI connections and route all other traffic over the cable modem.

I've set up static routes to the remote VPN subnets' external IP address which point to the Cisco router's IP address. I set up the default to be the cable modem's IP address.

I have set up a PAT rule to go out over the Cable modem interface and a No-Nat rule for the VPN subnets.

Both outside interfaces have the security set to 0.

I figured this would work, but all traffic seems to be going out the cable modem or dropping. It is very hard to tell what is going on as traceroute doesn't work with site to site VPN. Can someone point me in the right direction with troubleshooting or if this is even possible? Thanks!

9 REPLIES
New Member

Re: Two Internet Connections - Possible?

Hi,

Could you please give me the output of the following commands:

1) show route

2) show nameif

3) Make sure ICMP (echo, reply) is allowed through, then give me the output of the "show icmp trace" command while sending pings to a private IP address on the other side of the tunnel from a host that sits behind your "inside" interface.

Thanks

Simon Laurin

Gold

Re: Two Internet Connections - Possible?

Please post the entire config with public IPs masked.

New Member

Re: Two Internet Connections - Possible?

Here is my config. Some crypto entries removed to shorten config. It really seems like the crypto engine is ignoring the routes. Other traffic routes to the correct interfaces fine.

New Member

Re: Two Internet Connections - Possible?

I've also noticed my crypto ACLs are not being hit anymore. This is from the sh crypto map command...

access-list CSM-crypto-acl-outside-12 line 1 permit ip 10.0.0.0 255.255.0.0 10.100.0.0 255.255.0.0 (hitcnt=0)

New Member

Re: Two Internet Connections - Possible?

Interesting...

I've added a route to 10.10.0.0 255.255.0.0 that points to my x.x.x.gw. Now that crypto ACL is being triggered and the ISAKMP engine is trying to establish that connection. However, the ISAKMP engine is STILL trying to use my cable modem to establish the SA. Very interesting and annoying!

New Member

Re: Two Internet Connections - Possible?

I still can't get this to work? Any help?

New Member

Re: Two Internet Connections - Possible?

I had a similar problem. My gateway router has one multilink bundle and a frame coming into it. The two WAN connections are from different providers. Initial plan was to route all internet bound traffic through the multilink and all site to site VPN through the frame.

I added routes on the router for all the peer IPs of the firewalls to go through the frame and default pointed to Multilink. I got the same results as you did.

I had to change the Outside if IP address to one that was provided by the multilink provider.

New Member

Re: Two Internet Connections - Possible?

Hi! I have 2 Internet providers and a PIX 515 (7.04). I want to know if I can connect the 2 providers to my PIX. Can I configure 2 default networks? My goal is to have 2 Internet links for the outgoing traffic.

Thanks !

Re: Two Internet Connections - Possible?

Hi,

As per the release notes, you can have 3 default routes configured in your PIX firewall.

Do refer to this for more info:

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008045247f.html#wp1047900

Regards
