Dual routers and PIX question

Pretty new at this (I'm a server guy) and just started at this company so bear with me. We currently have 2 T-1's, one from Verizon and another from NetCarrier. Each T1 uses its own router. We also have a PIX 515E (6.3 software). Neither the Verizon router nor the PIX is currently in use (that's right, no firewall right now). I'd like to use both routers as a type of failover solution...so that if one goes down, Internet access will still be available out the other router (no need for incoming to be redundant, just outgoing). I'm assuming both inside interfaces on the routers will go into a switch and then into the external interface of the PIX. What is needed on the PIX to do what I'm asking? I've been reading about OSPF, is that what I need to use? And does that need to run on all 3 devices or just on the PIX? Is there an easier solution? Appreciate any direction on this.

Reply to
Brucefan

Have a read on hot standby router protocol. Also some pixes come with a failover license and have a port on the pix to connect two together for this purpose (you need a special cable).

Flamer.

Reply to
die.spam

If you need the access to continue without interruption, then you will need to get an AS assignment and arrange BGP with *both* ISPs, both of whom will be happy to say that any problems are someone else's fault. [Sorry, cynicism is an occupational hazard.]

If you are okay with a disruption in service (i.e., all active connections lost) then Yes, you can arrange OSPF on all of the devices, and some kind of detection of link loss to change the routing.

If you connect both routers to a switch that is then connected to the outside interface of the PIX, then as far as the PIX is concerned, you might as well use RIP instead of OSPF. Unfortunately with that setup, you introduce a new single point failure, namely the switch.

If you connect the routers to -different- interfaces, that's when OSPF comes into play: when you use RIP, the PIX doesn't like switching interfaces, but it can do it with OSPF.

Be sure to have a look at the whitepapers on Vincent Jones' site, networkingunlimited.com .

Reply to
Walter Roberson

Beside the other proposals you can push the redundancy level by using an Active-Active Failover and multiple contexts in the PIX. This allows you to remove the SPOF between the routers and the PIX.

Reply to
Lutz Donnerhacke

Hi There,

I think the following steps will help you in achieving what you want to do:

  1. Configure HSRP on internet facing routers. Track their internet links, so that transition will happen when internet link of the primary router fails.
  2. Configure the virtual HSRP IP Address as default gateway on your PIX.

This will ensure that you are shifted to the other link once the primary link goes down, but you would not be able to do load balancing over both the links. If you want to do load balancing as well, then you can configure two HSRP groups (the Cisco site gives details of how to configure load balancing using HSRP). You can also try to configure GLBP on the internet-facing routers instead of HSRP for load balancing.

Hope this helps.

Best Regards Nandan

Reply to
Nandan
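The two steps above, written out as an added example (this is not Nandan's configuration or anything from the original thread). It assumes Cisco IOS on both ISP routers, a shared inside LAN of 192.168.1.0/24 with the HSRP virtual address 192.168.1.1, and constructed ISP next-hop addresses (203.0.113.1 and 198.51.100.1); interface names are illustrative. Instead of tracking only the serial line protocol, it uses an IP SLA probe with object tracking so that the HSRP priority also drops when the link is up but the ISP's next hop stops answering, which addresses the "reliably detecting when an ISP is not usable" point raised later in the thread.

```cisco
! ---- Primary router (Verizon) ----
! Probe the ISP's next hop every 10 s, sourced from the WAN link.
ip sla 1
 icmp-echo 203.0.113.1 source-interface Serial0/0
 frequency 10
ip sla schedule 1 life forever start-time now
! Track object 1 follows the probe's reachability state.
track 1 ip sla 1 reachability
!
interface Serial0/0
 description T1 to Verizon (assumed)
 ip address 203.0.113.2 255.255.255.252
!
interface FastEthernet0/0
 description inside LAN shared with the second router and the PIX
 ip address 192.168.1.2 255.255.255.0
 standby 1 ip 192.168.1.1
 standby 1 priority 110
 standby 1 preempt
 ! Lose 20 priority points when the ISP next hop is unreachable,
 ! dropping below the standby router's default priority of 100.
 standby 1 track 1 decrement 20
!
! Default route only installed while the probe succeeds.
ip route 0.0.0.0 0.0.0.0 Serial0/0 203.0.113.1 track 1

! ---- Secondary router (NetCarrier) ----
ip sla 1
 icmp-echo 198.51.100.1 source-interface Serial0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
interface Serial0/0
 description T1 to NetCarrier (assumed)
 ip address 198.51.100.2 255.255.255.252
!
interface FastEthernet0/0
 ip address 192.168.1.3 255.255.255.0
 standby 1 ip 192.168.1.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 track 1 decrement 20
!
ip route 0.0.0.0 0.0.0.0 Serial0/0 198.51.100.1 track 1

! ---- PIX 515E (6.3) ----
! The firewall simply points at the virtual address; it never sees the failover.
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
```

Two caveats worth checking before relying on this: `show standby brief` on each router should show the expected Active/Standby roles and the tracked object state, and the ICMP probe target must be a host the ISP actually allows you to ping (probing a filtered address makes the primary look permanently down). The NAT problem Vincent Jones raises below still applies: the PIX NATs to one address range, so whichever router is active must accept that range or translate it again.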

Good answer, but like the other answers I've seen so far, it ignores the fact that as proposed, at least one of the ISP routers must do NAT rather than (or in addition to) the PIX. I suspect that at the current time, each ISP is providing a unique range of public IP addresses, and expects your firewall to do any NAT required to make them work. If you use RIP or OSPF to switch between routers, your source addresses will be wrong for at least one of the ISPs unless their router is configured to NAT from the other provider's public addresses assigned to you to their public addresses assigned to you.

If you can't get at least one of the ISPs to cooperate, you will need to make your routing decisions inside your firewall and apply the appropriate NAT for the ISP which is to be used. Reliably detecting when an ISP is not usable can be a challenge, as few ISPs are willing to run a routing protocol other than BGP over their access lines, although you can use BGP without implementing dual homing if your ISPs are willing.

See the brief white paper on my web site, think over your options, then read through Chapter 8 of my book for example approaches and their pitfalls. Bottom line is that it is very easy to connect to two ISPs, but the devil is in the details of getting those redundant connections to function together correctly so they actually improve functional availability.

Good luck and have fun!

Reply to
Vincent C Jones

If you use OSPF to select between PIX interfaces, then the interfaces can have different NAT rules, which gets around the issue you are discussing.

[I see that I didn't write about that in my answer, but I distinctly recall that I was -thinking- about that when I wrote my answer ;-) ]

Reply to
Walter Roberson
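What Walter describes, written out as an added example (not his configuration and not from the original thread). It assumes a PIX 515E running 6.3 with each ISP router on its own PIX interface (ethernet0 and ethernet2), constructed point-to-point addressing between the PIX and each router, and that both routers run OSPF and originate a default route only while their own ISP link is usable. Because PIX applies the `global` pool of whichever interface the packet leaves through, each path gets source addresses that belong to that ISP, which is the point Vincent Jones raises about NAT.

```cisco
! PIX 6.3: two outside interfaces, one per ISP, both at security level 0.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 outside2 security0
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
!
! Constructed transit addressing toward each ISP router.
ip address outside  203.0.113.10 255.255.255.252
ip address outside2 198.51.100.10 255.255.255.252
ip address inside   192.168.1.254 255.255.255.0
!
! One inside NAT group, but a separate global pool per exit interface:
! packets leaving via "outside" are sourced from the Verizon-assigned
! address, packets leaving via "outside2" from the NetCarrier-assigned one.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside)  1 interface
global (outside2) 1 interface
!
! Learn the default route from whichever router is currently originating it.
! No static "route outside 0.0.0.0 ..." is configured on purpose.
router ospf 1
 network 203.0.113.8 255.255.255.252 area 0
 network 198.51.100.8 255.255.255.252 area 0
 log-adj-changes
```

On each IOS router the matching piece is `router ospf 1` with `default-information originate` (without `always`), so the default route disappears from OSPF when the router's tracked static default to its ISP is withdrawn. Check the result on the PIX with `show ospf neighbor` and `show route`: you should see one OSPF-learned default, and it should move to the other interface when the primary router stops advertising. As Walter noted earlier in the thread, the switchover drops established connections, since the NAT translations built on one interface are not valid on the other.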
