Re: Two ISP - One Router - 1 PIX



In article <1149571714.798600.11460@xxxxxxxxxxxxxxxxxxxxxxxxxxx>,
-- <Aegaeus> wrote:
hi

Please don't top-post. It makes the conversation harder to follow,
and I have to manually edit the flow in order to produce a coherent
discussion. Also, please only quote selected portions of the
posting you are replying to, instead of quoting the entire posting.

s.pedhiti@xxxxxxxxx wrote:

Presently I have a setup like this ... We have a 3600 internal Router1
which is connected to switch1, and a PIX firewall whose inside interface
is connected to the same switch1; the outside interface of the PIX is
directly connected to ISP1. We have got 32 IPs from ISP1 and we
have set up PAT, NAT and static NAT.

Now we are planning to have another link from a different ISP2. I have
three Ethernet ports on my PIX 515E firewall. The outside and
inside are already used, and what is left is the third port, which I wanted
to make use of as a second outside port for ISP2 and set up in such a way
that I get redundant links and failover capabilities.


I think you don't work with the PIX for this topology. But if a router
connects to all ISPs (ISP1, ISP2, etc.) and it runs OSPF (the router will
be the "access router"), your links will be redundant. The PIX's default
gateway is the router's Ethernet interface.

(ISP)----|------->router-----PIX--------switch
(ISP)----|

That configuration has the difficulty that if the outside router fails
or the single used PIX outside interface fails, then all connectivity
is lost. Sometimes that is an acceptable risk and sometimes that is not
an acceptable risk.

The configuration would also have to be carefully managed to ensure
that the outside router was able to reliably detect that the ISP links
had failed (and recovered). That can be tricky, as it is possible
(and happens often) that the physical link stays up but the link stops
passing traffic.

Thirdly, that configuration is not able to deal gracefully with
connections that are already in progress: if you do NOT change the
return IP addresses when you switch between ISPs then the rest of the Internet
will not be able to return packets to addresses in the dead ISP's IP range;
but if you DO change the return IP addresses when you switch between ISPs
then all existing connection-based connections (e.g., TCP) are going to
fail because of the IP mismatch.


I recommend that the OP read through the white papers at
Vincent C. Jones' web site, networkingunlimited.com.
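An added example, not from any poster in this thread: how the "access router" in front of the PIX in Aegaeus' topology could detect an ISP path that is up at layer 1/2 but no longer forwarding (the failure mode described above) using IOS IP SLA tracking rather than interface state. Interface names, IOS feature availability and the 203.0.113.x / 198.51.100.x addresses are assumptions, not the OP's configuration.

```text
! Added example (not from this thread): detect an ISP path that stays up
! at layer 1/2 but stops passing traffic, and move the default route over.
! Interface names, IOS version and all addresses are assumptions.
!
! Probe through ISP1 every 10 s. The target should sit beyond the first
! hop so a dead provider core is noticed, not just the local link.
ip sla 1
 icmp-echo 203.0.113.254 source-interface FastEthernet0/0
 frequency 10
 timeout 1000
ip sla schedule 1 life forever start-time now
!
! Track reachability with hysteresis so one lost probe does not flap the
! route: declare the path down after 15 s, up again only after 60 s.
track 1 ip sla 1 reachability
 delay down 15 up 60
!
! Primary default via ISP1 is installed only while track 1 is up; the
! floating static via ISP2 (AD 250) takes over when it goes down and is
! withdrawn again when ISP1 recovers.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 250
!
! Pin the probe to ISP1. Without this host route the probe would itself
! follow the new default via ISP2 after failover, the "dead" path would
! look healthy again, and the routes would flap back.
ip route 203.0.113.254 255.255.255.255 203.0.113.1
```

This addresses only the detection problem raised in the post; the third objection stands, since sessions already translated to ISP1 addresses on the PIX still break when the return path moves to ISP2.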