
Multiple Gateways 1


TalentedFool

Programmer
Jul 23, 2001
214
GB

Background info - want my network to connect to 2 different ISPs using 2 sets of IP addresses. I thought at first about having the PIX with multiple gateways, but I now know from reading this forum that that is not possible. The main pointer everybody has given is to get the router to do the dirty work - not a problem there (I think).

My question though is how do I configure my PIX to access the multi gateways on the router? I can set up my inside and outside IP addresses for one ISP but how do I do it for two?

Do I give the PIX a generic IP address for the router?

e.g. if ISP 1 is 1.2.3.4 and ISP 2 is 4.3.2.1, do I tell the PIX that its gateway is 5.6.7.8 and configure the router to use 1.2.3.4 and 4.3.2.1?

Does that make sense?



~ Remember - Nothing is Fool Proof to a Talented Fool ~
 
You are correct! You need a router to connect to both ISPs and configure either HSRP or policy-based routing on this router. Let's say you have router A and it has three ports: port 1 for ISP 1, port 2 for ISP 2 and port 3 for the connection to the PIX. On the PIX all you have to do is configure a default route pointing to port 3. Hope it makes sense :)
 
The PIX will support multiple gateways, however it won't support multiple subnets on the outside interface without using VLANs.

It *might* work if you set up a VLAN trunk on the outside interface. You'll need at least PIX OS 6.3.1. You'll set up ISP1's router on one VLAN, and the other router on the other. The PIX will be a member of both VLANs, and will have two default routes to your routers.

I think that might work, but I have never tried it. It's definitely worth some time in a lab. :)
 
I have set up a similar system, using 2 ISPs. The way I did it was to connect each ISP into a different interface in the PIX, and use inbound NAT to 'spoof' the outside source IP addresses. This way I could determine the source of the outside IP address ranges, so could write routes in the PIX to control the return traffic.

The reason I did this was to provide internal users default access to the Internet using a default route via the outside interface (security 0), and routes back to VPN via another interface.

It may help you?
 
Talented,
Have you tried multiple global pools?
Like this:
global (outside) 1 1.2.3.4-1.2.3.254 netmask 255.255.255.192
global (outside) 1 4.3.1.2-4.3.1.254 netmask 255.255.255.192
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
Note: The network 4.3.2.1 would not xlate until all IPs from 1.2.3.4 are in use. But if you have 2 networks, for example, then you may want to do this:
global (outside) 1 1.2.3.4-1.2.3.254 netmask 255.255.255.192
nat (inside) 1 172.16.0.0 255.255.0.0
global (outside) 2 4.3.1.2-4.3.1.254 netmask 255.255.255.0
nat (inside) 2 172.17.0.0 255.255.0.0*
This way, the router can make a routing decision as to which gateway to route to.
Let me know if this helps.

K
*=RFC 1918
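
As an added illustration (not part of the thread and not Cisco code), this Python sketch models how the `nat` and `global` lines in the second variant above pair up by NAT ID, so you can check which ISP range each inside host would leave from before writing the router's policy routes. The function names and the most-specific-match rule for overlapping `nat` networks are assumptions of this model.

```python
import ipaddress
import re

# The second variant from the post above (footnote asterisk dropped).
PIX_CONFIG = """\
global (outside) 1 1.2.3.4-1.2.3.254 netmask 255.255.255.192
nat (inside) 1 172.16.0.0 255.255.0.0
global (outside) 2 4.3.1.2-4.3.1.254 netmask 255.255.255.0
nat (inside) 2 172.17.0.0 255.255.0.0
"""

GLOBAL_RE = re.compile(r"^global \(\S+\) (\d+) (\S+)-(\S+) netmask \S+$")
NAT_RE = re.compile(r"^nat \(\S+\) (\d+) (\S+) (\S+)")


def parse(config):
    """Return (pools, rules): pools maps NAT ID -> ["first-last", ...] in
    configuration order; rules is a list of (inside network, NAT ID)."""
    pools, rules = {}, []
    for line in map(str.strip, config.splitlines()):
        if m := GLOBAL_RE.match(line):
            # ip_address() raises ValueError on a malformed range endpoint.
            first, last = ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3])
            pools.setdefault(int(m[1]), []).append(f"{first}-{last}")
        elif m := NAT_RE.match(line):
            rules.append((ipaddress.ip_network(f"{m[2]}/{m[3]}"), int(m[1])))
    return pools, rules


def pools_for(source, pools, rules):
    """Global ranges an inside source can be translated to, in the order
    they were configured. Returns [] when no nat line covers the source."""
    addr = ipaddress.ip_address(source)
    hits = [(net.prefixlen, nat_id) for net, nat_id in rules if addr in net]
    if not hits:
        return []
    # Assumption of this model: the most specific nat network wins.
    _, nat_id = max(hits)
    return pools.get(nat_id, [])


if __name__ == "__main__":
    pools, rules = parse(PIX_CONFIG)
    for host in ("172.16.5.9", "172.17.0.20", "10.0.0.1"):
        print(host, "->", pools_for(host, pools, rules) or "no translation")
```

Feeding it the first variant (both `global` lines under ID 1) returns both ranges for every inside host, which is why the router cannot tell the two internal networks apart in that layout.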
 

AgentK

That worked perfectly after a bit of messing about with my internal IP addresses.

I've now got two internet subnets NATing to two ISPs' IP addresses.

Just need to configure my router now... so on to the router page.

~ Remember - Nothing is Fool Proof to a Talented Fool ~
 