pix 515e, two internet connections

Do you have a spare router that will support the IOS firewall feature set?

If so you could use that initially to check out the ISP.

Sure you can have 2 ISP's I guess by using policy nat you can route traffic based on its orgininatig source!

Julian Dragut ha escrito:

It would be nice if that works. I've fuzzed with it for some of hours but can't make it work. Can you please give some pointers?

--ph

The original thread has either expired here or has not made it here, so I do not have the original question available.

The PIX 515E supports PIX 7.x, but I have not had a chance to study what can be done in PIX 7.x.

In PIX 6.3, there is no way to use policy NAT (or anything else) to route traffic based upon the originating address [with the possible exception of using OSPF with a route-map]. [Except for OSPF] routing in PIX 4/5/6 is always based only upon the destination address.

You can "have 2 ISP's" only:

- if you can handle the situation through OSPF; or

- if you can statically route the traffic, such as sending all traffic destined to 11/8 (Apple) through one of the ISPs; or

- if the WAN router [or routers] send the PIX RIP routes, then the PIX can select the next hop based upon the RIP information. This would allow you to have two default routes with different priorities sent to the PIX; the PIX would use the lower-cost one as long as it was being received, and would switch to the higher-cost one if the lower-cost one stopped for sufficiently long; this would give you *some* fail-over.

If the two RIP routes were being received through different interfaces and there were different NAT rules for the different interfaces, the source IPs of the packets would change when going to the other interface, which would allow the second ISP to get the replies back to you. However, PIX's active security tables are per-interface, so you would break all existing traffic flows when you did this. You would also likely have problems with VPNs that get moved to the new interface.

PIX 7.x allows an active-active failover configuration. In this setup you can connect to two independent ISPs and erronously received packets (on the wrong pix) are rerouted so that the connection tables are satisfied.

I'd recomment using two PIXes and the described scenario. You might lend one for the test phase. OTOH because it's a FAILOVER setup, you can setup your single PIX to this configuration and leave the failover machine out. ;-)

Have fun.

Walter Roberson ha escrito: [...]

Yes, that's what I want (I will not use it for failover).

I did it like this (it seems to work) (pretending that ip's from ISP1 are 1.1.1.0/29 and ip's from ISP2 are 2.2.2.0/29)

nameif ethernet0 outside security0 nameif ethernet1 inside security100 nameif ethernet2 DMZ security50 nameif ethernet3 ISPN security50

ip address outside 1.1.1.2 255.255.255.248 ip address inside 10.1.1.1 255.255.255.0 ip address DMZ 10.1.2.1 255.255.255.0 ip address ISPN 2.2.2.2 255.255.255.248

global (outside) 1 interface global (ISPN) 1 interface nat (inside) 1 10.1.1.0 255.255.255.0 0 0

route outside 0.0.0.0 0.0.0.0 1.1.1.1 1 route ISPN 130.239.18.151 255.255.255.255 2.2.2.1 1

Thanks!

--ph

Lutz Donnerhacke ha escrito:

I'm trying to select ISP based on destination now, maybe I try this setup later. Thanks!

yeah, right...

--ph