Cisco Support Community

New Member

Cisco PIX 525 and Multiple Outside Interfaces

Hello, I was wondering if someone can help. I am fairly new to PIXes but have been using firewalls for a long time, so please bear with me.

We are in the process of integrating a new ISP into our infrastructure. During this there will be a period of time when both WAN links are active to allow a crossover for our external services. I would like to know how to have two active outside interfaces to allow us to migrate our customers from one service to another without taking the old link down.

Thanks

Hall of Fame Super Gold

Re: Cisco PIX 525 and Multiple Outside Interfaces

I have found that the ASA, sw 8.2.3, is unable to use two default routes (with NAT), as opposed to a router, which is able to.

Perhaps by manipulating the nat statements carefully, but it is certainly not a straightforward process.

New Member

Re: Cisco PIX 525 and Multiple Outside Interfaces

I am happy to keep the default route on the old link until it is turned off, then change the default route. I just want to allow people in via the new link so we can get customers to test the service before we cease the old lines.

Hall of Fame Super Gold

Re: Cisco PIX 525 and Multiple Outside Interfaces

Yes, once you switch the default route everything will be switched, not a problem.

New Member

Re: Cisco PIX 525 and Multiple Outside Interfaces

Does this mean I can have two interfaces named outside1 and outside2 set to a security level of 0?

Hall of Fame Super Gold

Re: Cisco PIX 525 and Multiple Outside Interfaces

Yes.


Cisco Employee

Re: Cisco PIX 525 and Multiple Outside Interfaces

Hello,

If you have two ISP connections and you would like to use both of them until they are active, you can certainly do that. Normally, the firewall allows only one default route, and the other one needs to be used as a backup route. However, through a workaround, you could send a specific traffic type through the other link. Also, if you just want to test, you can add specific route statements on the PIX sending traffic destined to specific hosts/networks through the second link. Check the following examples:

If you would like to send traffic destined to a specific host/network via the second link:
--------------------------------------------------------
global (outside2) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0
route outside2 64.1.1.0 255.255.255.0
route outside2 100.1.1.1 255.255.255.255


If you would like to use the second ISP as a backup link:
--------------------------------------------------------

global (outside2) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 1 track 1
route outside2 0.0.0.0 0.0.0.0 254

sla monitor 123
 type echo protocol ipIcmpEcho interface outside
 num-packets 3
 frequency 10

sla monitor schedule 123 life forever start-time now

track 1 rtr 123 reachability

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

If you would like to send a specific traffic type via the second link:
-----------------------------------------------------------

route outside 0.0.0.0 0.0.0.0 1
route outside2 0.0.0.0 0.0.0.0 254

static (outside2,inside) tcp 0.0.0.0 80 0.0.0.0 80 netmask 0.0.0.0

global (outside2) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

Hope this helps.

Regards,

NT
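The following Python is an added example, not part of the original thread and not Cisco code. It models how the PIX/ASA picks an egress interface for a new outbound connection under the first two configurations in the reply above: longest prefix match wins, then the lowest metric, and a default route carrying `track 1` is withdrawn while the tracked SLA object is down. The gateway addresses 203.0.113.1 and 198.51.100.1 are constructed placeholders because the posted config omits them, and the `track_state` dictionary stands in for the SLA monitor. It makes the point from the thread concrete: in the backup scenario every destination resolves to `outside` while track 1 is up, so the second link gets no traffic until the first fails.

```python
"""Model of PIX/ASA egress-interface selection for the two-ISP examples above.

Added example, not from the original post or from Cisco. It applies the
PIX/ASA route-selection rule to a parsed copy of the posted 'route'
lines: longest prefix match first, then lowest metric; a route carrying
'track N' is withdrawn while the tracked object is down. Gateway
addresses 203.0.113.1 and 198.51.100.1 are constructed placeholders
because the posted config omits them.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    iface: str
    network: ipaddress.IPv4Network
    gateway: str
    metric: int = 1
    track: Optional[int] = None


def parse_route(line: str) -> Route:
    """Parse 'route <iface> <dest> <mask> <gateway> [metric] [track <n>]'."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "route":
        raise ValueError(f"not a route statement: {line!r}")
    iface, dest, mask, gateway = parts[1:5]
    metric, track = 1, None
    rest = parts[5:]
    i = 0
    while i < len(rest):
        if rest[i] == "track":
            track = int(rest[i + 1])
            i += 2
        else:
            metric = int(rest[i])
            i += 1
    return Route(iface, ipaddress.IPv4Network(f"{dest}/{mask}"), gateway, metric, track)


def parse_routes(config: str) -> List[Route]:
    """Parse every non-blank line of a block of 'route' statements."""
    return [parse_route(l) for l in config.splitlines() if l.strip()]


def lookup(routes: List[Route], dst: str, track_state: Dict[int, bool]) -> Optional[str]:
    """Return the egress interface for dst, or None if nothing matches.

    track_state maps a track object id to whether it is reachable. An
    untracked route is always eligible, as is a tracked route whose
    object is absent from the dict (treated as up).
    """
    addr = ipaddress.IPv4Address(dst)
    eligible = [
        r for r in routes
        if addr in r.network and (r.track is None or track_state.get(r.track, True))
    ]
    if not eligible:
        return None
    # Longest prefix wins; among equal prefixes the lowest metric wins.
    best = max(eligible, key=lambda r: (r.network.prefixlen, -r.metric))
    return best.iface


# Scenario 1 from the reply: default via the old ISP, specific prefixes via outside2.
SPECIFIC = parse_routes("""
route outside 0.0.0.0 0.0.0.0 203.0.113.1
route outside2 64.1.1.0 255.255.255.0 198.51.100.1
route outside2 100.1.1.1 255.255.255.255 198.51.100.1
""")

# Scenario 2 from the reply: tracked primary default, floating backup default.
BACKUP = parse_routes("""
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254
""")


def egress_specific(dst: str) -> Optional[str]:
    """Egress interface under scenario 1 (no tracked routes)."""
    return lookup(SPECIFIC, dst, {})


def egress_backup(dst: str, primary_up: bool) -> Optional[str]:
    """Egress interface under scenario 2 given the state of track 1."""
    return lookup(BACKUP, dst, {1: primary_up})


if __name__ == "__main__":
    for dst in ("64.1.1.20", "100.1.1.1", "100.1.1.2", "192.0.2.10"):
        print(f"scenario 1  {dst:>12} -> {egress_specific(dst)}")
    for up in (True, False):
        state = "up" if up else "down"
        print(f"scenario 2  192.0.2.10 track1={state} -> {egress_backup('192.0.2.10', up)}")
```

The model covers only the route lookup that picks the egress interface for new outbound connections; it says nothing about how replies to connections that arrive on outside2 are handled, which is the separate problem the third scenario's static is aimed at.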

Re: Cisco PIX 525 and Multiple Outside Interfaces

Nagaraja Thanthry, your post was informative.
Cisco Employee

Re: Cisco PIX 525 and Multiple Outside Interfaces

You can definitely do this in 8.0 (btw, the latest code I can find for the PIX is 8.0(4)).

Here is a link which explains how to do it:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Regards,

jerry

Hall of Fame Super Gold

Re: Cisco PIX 525 and Multiple Outside Interfaces

From the document linked above:

Note: Load balancing does not occur in this example.

That is the limitation I was referring to before. Primary/secondary links is easy; load balancing, not sure. A router does that without any problem.

Cisco Employee

Re: Cisco PIX 525 and Multiple Outside Interfaces

I don't see anywhere in the thread a requirement for load sharing. Also, I am 100% with you on load sharing in the PIX/ASA.

Regards,

jerry
