«

Pretty new at this (I'm a server guy) and just started at this company
so bear with me. We currently have 2 T-1's, one from Verizon and
another from NetCarrier. Each T1 uses it's own router. We also have a
PIX 515E (6.3 software). Neither the Verizon router or the PIX are
currently in use (that's right, no firewall right now). I'd like to
use both routers as a type of failover solution...so that if one goes
down, Internet access will still be available out the other router (no
need for incoming to be redundant, just outgoing). I'm assuming both
inside interfaces on the routers will go into a switch and then into
the external interface of the PIX. What is needed on the PIX to do
what I'm asking? I've been reading about OSPF, is that what I need to
use? And does that need to run on all 3 devices or just on the PIX?
Is there an easier solution? Appreciate any direction on this.

Brucefan wrote:

> Pretty new at this (I'm a server guy) and just started at this company
> so bear with me. We currently have 2 T-1's, one from Verizon and
> another from NetCarrier. Each T1 uses it's own router. We also have a
> PIX 515E (6.3 software). Neither the Verizon router or the PIX are
> currently in use (that's right, no firewall right now). I'd like to
> use both routers as a type of failover solution...so that if one goes
> down, Internet access will still be available out the other router (no
> need for incoming to be redundant, just outgoing). I'm assuming both
> inside interfaces on the routers will go into a switch and then into
> the external interface of the PIX. What is needed on the PIX to do
> what I'm asking? I've been reading about OSPF, is that what I need to
> use? And does that need to run on all 3 devices or just on the PIX?
> Is there an easier solution? Appreciate any direction on this.

Have a read on hot standby router protocol. Also some pixes come with a
failover license and have a port on the pix to connect two together for
this purpose (you need a special cable).

Flamer.

In article <. com>,
Brucefan <> wrote:

>Each T1 uses it's own router. We also have a
>PIX 515E (6.3 software). Neither the Verizon router or the PIX are
>currently in use (that's right, no firewall right now). I'd like to
>use both routers as a type of failover solution...so that if one goes
>down, Internet access will still be available out the other router

>What is needed on the PIX to do
>what I'm asking? I've been reading about OSPF, is that what I need to
>use? And does that need to run on all 3 devices or just on the PIX?

If you need the access to continue without interruption, then you
will need to get an AS assignment and arrange BGP with *both*
ISPs, both of whom will be happy to say that any problems are
some else's fault. [Sorry, cynicism is an occupational hazard.]

If you are okay with a disruption in service (i.e., all active
connections lost) then Yes, you can arrange OSPF on all of the
devices, and some kind of detection of link loss to change the
routing.

If you connect both routers to a switch that is then
connected to the outside interface of the PIX, then as far as
the PIX is concerned, you might as well use RIP instead of OSPF.
Unfortunately with that setup, you introduce a new single point
failure, namely the switch.

If you connect the routers to -different- interfaces, that's when
OSPF comes into play: when you use RIP, the PIX doesn't like
switching interfaces, but it can do it with OSPF.

Be sure to have a look at the whitepapers on Vincent Jone's site,
networkingunlimited.com .

* Brucefan wrote:
> use both routers as a type of failover solution...so that if one goes
> down, Internet access will still be available out the other router (no
> need for incoming to be redundant, just outgoing). I'm assuming both

Beside the other proposals you can push the redundancy level by using an
Active-Active Failover and multiple contexts in the PIX. This allows you to
remove the SPOF between the routers and the PIX.

Hi There,

I think following steps will help you in acheiving what you want to do:

1. Configure HSRP on internet facing routers. Track their internet
links, so that transition will happen when internet link of the primary
router fails.
2. Configure the virtual HSRP IP Address as default gateway on your
PIX.

This will ensure that you are shifted to the other link once the
primary link goes down, but you would not be able to do load balancing
over both the links. If you want to do load balancing as well, then you
can configure two HSRP groups (Cisco site gives details of how to
configure load balancing using HSRP). You can also try to configure
GLBP on internet facing routers insteand of HSRP for load balancing.

Hope this helps.

Best Regards
Nandan

Walter Roberson wrote:

> In article <. com>,
> Brucefan <> wrote:
>
>>Each T1 uses it's own router. We also have a
>>PIX 515E (6.3 software). Neither the Verizon router or the PIX are
>>currently in use (that's right, no firewall right now). I'd like to
>>use both routers as a type of failover solution...so that if one goes
>>down, Internet access will still be available out the other router
>
>>What is needed on the PIX to do
>>what I'm asking? I've been reading about OSPF, is that what I need to
>>use? And does that need to run on all 3 devices or just on the PIX?
>
> If you need the access to continue without interruption, then you
> will need to get an AS assignment and arrange BGP with *both*
> ISPs, both of whom will be happy to say that any problems are
> some else's fault. [Sorry, cynicism is an occupational hazard.]
>
> If you are okay with a disruption in service (i.e., all active
> connections lost) then Yes, you can arrange OSPF on all of the
> devices, and some kind of detection of link loss to change the
> routing.
>
> If you connect both routers to a switch that is then
> connected to the outside interface of the PIX, then as far as
> the PIX is concerned, you might as well use RIP instead of OSPF.
> Unfortunately with that setup, you introduce a new single point
> failure, namely the switch.
>
> If you connect the routers to -different- interfaces, that's when
> OSPF comes into play: when you use RIP, the PIX doesn't like
> switching interfaces, but it can do it with OSPF.
>
> Be sure to have a look at the whitepapers on Vincent Jones' site,
> networkingunlimited.com .

Good answer, but like the other answers I've seen so far, it ignores the
fact that as proposed, at least one of the ISP routers must do NAT rather
than (or in addition to) the PIX. I suspect that at the current time, each
ISP is providing a unique range of public IP addresses, and expects your
firewall to do any NAT required to make them work. If you use RIP or OSPF
to switch between routers, your source addresses will be wrong for at least
one of the ISPs unless their router is configured to NAT from the other
providers public addresses assigned to you to their public addresses
assigned to you.

If you can't get at least one of the ISPs to cooperate, you will need to
make your routing decisions inside your firewall and apply the appropriate
NAT for the ISP which is to be used. Reliably detecting when an ISP is not
useable can be a challenge, as few ISPs are willing to run a routing
protocol other than BGP over their access lines, although you can use BGP
without implementing dual homing if your ISPs are willing.

See the brief white paper on my web site, think over your options, then read
through Chapter 8 of my book for example approaches and their pitfalls.
Bottom line is that it is very easy to connect to two ISPs, but the devil
is in the details of getting those redundant connections to function
together correctly so they actually improve functional availability.

Good luck and have fun!
--
Vincent C Jones, Consultant Expert advice and a helping hand
Networking Unlimited, Inc. for those who want to manage and
Tenafly, NJ Phone: 201 568-7810 control their networking destiny
http://www.networkingunlimited.com

In article <lmRBg.2974$>,
Vincent C Jones <> wrote:
>Walter Roberson wrote:

>> If you connect the routers to -different- interfaces, that's when
>> OSPF comes into play: when you use RIP, the PIX doesn't like
>> switching interfaces, but it can do it with OSPF.

>Good answer, but like the other answers I've seen so far, it ignores the
>fact that as proposed, at least one of the ISP routers must do NAT rather
>than (or in addition to) the PIX. I suspect that at the current time, each
>ISP is providing a unique range of public IP addresses, and expects your
>firewall to do any NAT required to make them work. If you use RIP or OSPF
>to switch between routers, your source addresses will be wrong for at least
>one of the ISPs unless their router is configured to NAT from the other
>providers public addresses assigned to you to their public addresses
>assigned to you.

If you use OSPF to select between PIX interfaces, then the
interfaces can have different NAT rules, which gets around the issue
you are discussing.

[I see that I didn't write about that in my answer, but I distinctly
recall that I was -thinking- about that when I wrote my answer ]

[sumdingwong]

Take a look at this site and see if you get any ideas:
http://www.blindhog.net/?p=7