two default gateways

Hi

We have two ISPs (LAN interfaces). We want to use the backup one when the primary goes down. Can anyone help with how to configure routing on a PIX (v6.3) to use the backup one when the first goes down?

Thanks Greg

Reply to
gj

You can't. The Pix does not have that capability. You will need to manually configure everything, or you need to coordinate with both of your ISPs, get one of them to give you a large enough block of IPs, and set up BGP with them on your external routers.

Reply to
Brian V

Brian V wrote:

Ok, thanks for the reply, but is it possible to do this on a Cisco 3845 router (or on two routers) without interacting with the ISPs?

Reply to
gj

Yes, possibly.

You can do a ping for example and then influence the routing table depending on the results.

Reliable Static Routing Backup Using Object Tracking

May point the right way.

Reply to
Bod43

If there is a WAN router, then the WAN router could send two default RIP routes with different metrics, removing the route for the primary ISP when the WAN router detects that the primary ISP is down. This approach has several hidden problems that usually make it a not-very-good choice. For more details on the problems, see the whitepapers on networkingunlimited.com; Vincent C. Jones has put a lot of experience into writing up the hidden problems with redundant networks.

The PIX model was not mentioned, just the software version. If the model is a PIX 506, 506E, 515, 515E, 520, 525, or 535, then the original poster could have a WAN router sending OSPF routing information to the PIX. When OSPF is used, the PIX itself can select different output interfaces (it can't really do that with RIP), and thus could NAT differently when the secondary ISP was in use, which reduces one of the major routing difficulties, but still gives you problems about existing connections. (Using different interfaces with the 506 or 506E would require that your WAN router supports VLANs, and there is a limitation in PIX 6.3 that a VLAN'd interface cannot initiate a VPN tunnel.)

If you need existing connections to continue going without interruption, then you will, as you describe, need to arrange BGP peering with both ISPs; whether they will cooperate or not will depend on how much you are paying them (e.g., -usually- they would not be willing to do it for ADSL or "cable modem", but they might be willing for SDSL or T1 lines or fibre.)

Reply to
Walter Roberson

Guys, can we do this with HSRP?

CK

Reply to
NETADMIN

PIX 6 has no direct HSRP support; I don't know about PIX 7.

You can set up HSRP on the WAN equipment outside the PIX, and you can set the PIX's default route to be the virtual HSRP address.

But then you still have problems having the HSRP -reliably- detecting that the primary ISP is not usable (it is common for ISPs to go down in their internal network, leaving your link to their equipment "up").

You also still have problems about source addresses and returning packets -- if you don't change the source addresses of packets as they go out, then unless you have arranged BGP, the packets with the source IP in the range belonging to the primary ISP are not going to return via the secondary ISP because the secondary ISP is not going to know anything about how to route those packets except to send them on to the (broken) primary ISP. And if you do change source addresses for packets in mid connection, then the remote ends of the connection are not going to recognize the packets as being part of the sequence.

Reply to
Walter Roberson

> Reliable Static Routing Backup Using Object Tracking
> May point the right way.

Nice feature :) thanks

Reply to
gj

> Reliable Static Routing Backup Using Object Tracking
> May point the right way.

Something like this will work fine if you were not using the Pix. The Pix is going to be doing your primary NAT and rules. You cannot have multiple NATs on the Pix for the same internal going to multiple externals, i.e. internal mail server to ISP1's IP and internal mail server to ISP2's IP.

Everyone has given you some great ideas....as I said earlier, you cannot do this with the Pix alone.

With the 3845 it is possible.....for outbound services only....your inbound will not work and the "failover ISP" will not be routing your primary DNS names and IPs unless you use the same IP block between the 2 ISPs using BGP. Now you could get very creative using secondary MX and DNS entries out there and do one-to-one statics on the 3845 for ISP2's IPs. That would be a management nightmare.....just run BGP, it's easy, it's clean and it's straightforward. You got a 3845 so you already have the equipment, you only now need to get the ISPs on board and perhaps a feature license upgrade on the 3845.

Without using BGP you would need to do it this way; this would only work for outbound traffic unless you get creative with DNS costing. You could use the above links and do object tracking as well, rather than the simple costed static routes I use below.

You said they are handing you ethernet, so I'm assuming there are no "WAN" IPs involved, i.e. /30s.

Let's say ISP1 is your primary ISP, which you use for your inbound services, and you use 1.1.1.X IPs with them.

ISP2 is your backup ISP and they use 2.2.2.X.

G0/0 on the 3845 goes to ISP1
G0/1 on the 3845 goes to ISP2
G0/2 on the 3845 goes to the Pix

G0/0 uses ip unnumbered G0/2
G0/1 uses ISP2's first usable IP
G0/2 uses ISP1's first usable IP

On the 3845 you build a NAT pool using ISP2's IP addresses, overloading G0/1.
G0/2 gets ip nat inside
G0/1 gets ip nat outside

The 3845 gets 2 default routes, ISP2's being costed. You can also use object tracking here, as the other poster suggested.

0.0.0.0 0.0.0.0 G0/0
0.0.0.0 0.0.0.0
Reply to
Brian V
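As an added illustration (not configuration posted by anyone in this thread), this is what the design Brian V lays out above, combined with the object-tracking approach Bod43 pointed to, could look like in IOS on the 3845, using the thread's 1.1.1.x (ISP1) and 2.2.2.x (ISP2) example blocks. Assumptions, not from the thread: IOS 12.4-style `ip sla` syntax, 1.1.1.1 as the G0/2 address, 2.2.2.1 as ISP2's gateway, 2.2.2.2/2.2.2.3 as the router's ISP2 address and NAT pool, and 192.0.2.1 as a placeholder probe target.

```ios
! Probe ISP1 *beyond* its edge, since ISPs often fail internally while
! the local link stays up (Walter Roberson's point). 192.0.2.1 is a
! constructed placeholder; use a stable host reachable only via ISP1.
ip sla 1
 icmp-echo 192.0.2.1 source-ip 1.1.1.1
 frequency 10
 timeout 1000
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! Pin the probe to ISP1 so it cannot succeed via ISP2 after failover
! and flap the track back up.
ip route 192.0.2.1 255.255.255.255 GigabitEthernet0/0
!
interface GigabitEthernet0/0
 description ISP1 (primary); no WAN block, so borrow G0/2's address
 ip unnumbered GigabitEthernet0/2
!
interface GigabitEthernet0/1
 description ISP2 (backup); 2.2.2.1 assumed to be ISP2's gateway
 ip address 2.2.2.2 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/2
 description to PIX outside; the PIX holds the other 1.1.1.x addresses
 ip address 1.1.1.1 255.255.255.0
 ip nat inside
!
! Primary default route follows the track; the backup floats in at AD 250
! only when the primary is withdrawn.
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 track 1
ip route 0.0.0.0 0.0.0.0 2.2.2.1 250
!
! Translate only traffic that actually leaves via ISP2, so 1.1.1.x
! sources are never rewritten while ISP1 is healthy. Sessions already
! open at failover still break (no BGP), exactly as the thread warns.
ip access-list standard PIX-PUBLIC
 permit 1.1.1.0 0.0.0.255
route-map NAT-VIA-ISP2 permit 10
 match ip address PIX-PUBLIC
 match interface GigabitEthernet0/1
ip nat pool ISP2-POOL 2.2.2.3 2.2.2.3 netmask 255.255.255.0
ip nat inside source route-map NAT-VIA-ISP2 pool ISP2-POOL overload
```

Verify the behaviour with `show track 1` and `show ip route` while the probe target is unreachable: the tracked default should disappear and the 2.2.2.1 route take over, and `show ip nat translations` should then show only 2.2.2.3 as the outside address.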
