Velocity Reviews - Computer Hardware Reviews

PIX 515E and 2 ISP

Sławek (Guest)
03-21-2006
Hi.

Does anybody know if it is possible to configure PIX 515E UR with 2 different
ISP connections? I don't want to have any Load Balancing, BGP or redundancy, just
some hosts from DMZ I'd like to bind with one ISP and some with another and some
part of my inside LAN bind with one ISP and some part with another. I've found
some sample configuration to do this with Cisco Router but this configuration
doesn't match with PIX IOS (I've got 7.0(1) software version).

Thanks for any advice.
Regards, Slawek.


ekn (Guest)
03-21-2006
Under 7.0 (this is speculation) I have not tried 7.0 but you may be
able to use the new context features. If I understand the following
passage correctly you could in theory separate the LAN into VLANs and
point those VLAN segments to different virtual firewalls.

Q. What does Security Context in PIX mean?

A. You can partition a single hardware PIX into multiple virtual
devices, known as Security Contexts. Each context becomes an
independent device, with its own security policy, interfaces, and
administrators. Multiple contexts are similar to having multiple
standalone devices. Many features are supported in multiple context
mode and include routing tables, firewall features, IPS, and
management. Some features are not supported, including VPN and dynamic
routing protocols.

http://www.cisco.com/en/US/products/...b87d8.shtml#q1

Under 6.3(5), it would be most difficult (if not impossible) without
another router in between the PIX and the INET connections. As for
splitting the internal LAN, the PIX does not have a way of
differentiating between who goes where.

The official answer:

Q. Can I connect two different ISPs to my Cisco Secure PIX Firewall
(for load-balancing)?

A. No, you cannot load-balance on the PIX. The Cisco Secure PIX
Firewall is designed to handle only one default route. When you connect
two ISPs to a single PIX, it means that the Firewall needs to make
routing decisions at a much more intelligent level. Instead, use a
gateway router outside the PIX so that the PIX continues to send all of
its traffic to one router. That router can then route/load-balance
between the two ISPs. An alternative is to have two routers outside the
PIX using Hot Standby Router Protocol (HSRP) and set the default
gateway of the PIX to be the virtual HSRP address. Alternatively, (if
possible) you can use Open Shortest Path First (OSPF) which supports
load balancing among a maximum of three peers on a single interface.

http://www.cisco.com/warp/public/110/pixfaq.shtml

Sławek (Guest)
03-22-2006

User "ekn" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> Under 7.0 (this is speculation) I have not tired 7.0 but you may be
> able to use the new context features. If i understand the following
> passage correctly you could in theory separate the lan into vlan sand
> point those vlan segments to different virtual firewalls.


Yes, you are right. I've read about Multiple Security Contexts in Cisco PIX
documentation and it seems to be what I need. Using Multiple Security Contexts
on one physical PIX you can separate multiple logical devices. In
Multiple Security Contexts you can only use static routes and cannot use VPN. To
enable Multiple Security Contexts rebooting PIX is needed, so I cannot do this
now because this is in a production environment but I'll have to try this later.
Thanks for this advice.
Regards, Slawek.
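An illustrative PIX 7.x multiple-context layout for the split Sławek describes, added here as an example and not taken from the thread or from Cisco documentation: two contexts, each owning one ISP handoff, one inside VLAN and one DMZ VLAN, so every context keeps the single default route the FAQ quoted above requires. Interface names, VLAN numbers, context names and addresses are placeholders chosen for the example.

```text
! ===== System execution space (PIX 7.x); "mode multiple" reboots the unit =====
mode multiple
! Three physical ports carry 802.1Q trunks; one subinterface per context.
interface Ethernet0
 no shutdown
interface Ethernet0.11
 vlan 11
interface Ethernet0.12
 vlan 12
interface Ethernet1
 no shutdown
interface Ethernet1.21
 vlan 21
interface Ethernet1.22
 vlan 22
interface Ethernet2
 no shutdown
interface Ethernet2.31
 vlan 31
interface Ethernet2.32
 vlan 32
! Context "ispa": ISP A handoff (VLAN 11), inside VLAN 21, DMZ VLAN 31.
admin-context ispa
context ispa
 allocate-interface Ethernet0.11
 allocate-interface Ethernet1.21
 allocate-interface Ethernet2.31
 config-url flash:/ispa.cfg
! Context "ispb": ISP B handoff (VLAN 12), inside VLAN 22, DMZ VLAN 32.
context ispb
 allocate-interface Ethernet0.12
 allocate-interface Ethernet1.22
 allocate-interface Ethernet2.32
 config-url flash:/ispb.cfg
! ===== Inside context "ispa" (ispb is the mirror image with ISP B's addresses) =====
interface Ethernet0.11
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
interface Ethernet1.21
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
interface Ethernet2.31
 nameif dmz
 security-level 50
 ip address 10.1.50.1 255.255.255.0
! Exactly one default route per context; VPN and dynamic routing are unavailable in this mode.
route outside 0.0.0.0 0.0.0.0 198.51.100.1
```

Each context gets its own dedicated subinterfaces here because the PIX assigns an arriving packet to a context by the interface it came in on; hosts on VLAN 21/31 therefore always leave via ISP A and hosts on VLAN 22/32 via ISP B, with no policy routing involved.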