PIX 515E and 2 ISP

Discussion in 'Cisco' started by Sławek, Mar 21, 2006.

  1. Hi.

    Does anybody know if it is possible to configure PIX 515E UR with 2 different
    ISP connections? I don't want to have any Load Balancing, BGP or redundancy, just
    some hosts from DMZ I'd like to bind with one ISP and some with another, and some
    part of my inside LAN bind with one ISP and some part with another. I've found
    some sample configuration to do this with Cisco Router but this configuration
    doesn't match with PIX IOS (I've got 7.0(1) software version).

    Thanks for any advice.
    Regards Slawek.

    Sławek, Mar 21, 2006
    #1

  2. Sławek

    ekn Guest

    Under 7.0 (this is speculation; I have not tried 7.0) you may be
    able to use the new context features. If I understand the following
    passage correctly you could in theory separate the LAN into VLANs and
    point those VLAN segments to different virtual firewalls.

    Q. What does Security Context in PIX mean?

    A. You can partition a single hardware PIX into multiple virtual
    devices, known as Security Contexts. Each context becomes an
    independent device, with its own security policy, interfaces, and
    administrators. Multiple contexts are similar to having multiple
    standalone devices. Many features are supported in multiple context
    mode and include routing tables, firewall features, IPS, and
    management. Some features are not supported, including VPN and dynamic
    routing protocols.

    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml#q1

    Under 6.3(5), it would be most difficult (if not impossible) without
    another router in between the PIX and the INET connections. As for
    splitting the internal LAN, the PIX does not have a way of
    differentiating between who goes where.

    The official answer.

    Q. Can I connect two different ISPs to my Cisco Secure PIX Firewall
    (for load-balancing)?

    A. No, you cannot load-balance on the PIX. The Cisco Secure PIX
    Firewall is designed to handle only one default route. When you connect
    two ISPs to a single PIX, it means that the Firewall needs to make
    routing decisions at a much more intelligent level. Instead, use a
    gateway router outside the PIX so that the PIX continues to send all of
    its traffic to one router. That router can then route/load-balance
    between the two ISPs. An alternative is to have two routers outside the
    PIX using Hot Standby Router Protocol (HSRP) and set the default
    gateway of the PIX to be the virtual HSRP address. Alternatively, (if
    possible) you can use Open Shortest Path First (OSPF) which supports
    load balancing among a maximum of three peers on a single interface.

    http://www.cisco.com/warp/public/110/pixfaq.shtml
     
    ekn, Mar 21, 2006
    #2

  4. User "ekn" <> wrote in message
    news:...
    > Under 7.0 (this is speculation; I have not tried 7.0) you may be
    > able to use the new context features. If I understand the following
    > passage correctly you could in theory separate the LAN into VLANs and
    > point those VLAN segments to different virtual firewalls.


    Yes, you are right. I've read about Multiple Security Contexts in Cisco PIX
    documentation and it seems to be what I need. Using Multiple Security Contexts
    you can separate one physical PIX into multiple logical devices. In
    Multiple Security Contexts you can only use static routes and cannot use VPN. To
    enable Multiple Security Contexts rebooting the PIX is needed, so I cannot do this
    now because this is a production environment, but I'll have to try this later.
    Thanks for this advice.
    Regards Slawek.

    Sławek, Mar 22, 2006
    #4
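As an added example (not from the thread and not Cisco's own sample configuration), this is how the split Sławek describes could be laid out on a PIX 7.0 in multiple context mode: one context per ISP, each owning its own outside port, its own inside and DMZ VLAN subinterfaces and, because each context keeps its own routing table, its own single static default route. Interface names, VLAN numbers, config file names and addresses are assumed for the illustration.

```cisco
! System execution space (PIX 7.0, after 'mode multiple' and the reload it requires).
! Ethernet0-3 are assumed enabled ('no shutdown') here; Ethernet2/3 are 802.1Q trunks whose VLANs become subinterfaces.
interface Ethernet2.10
 vlan 10
interface Ethernet2.20
 vlan 20
interface Ethernet2.99
 vlan 99
interface Ethernet3.30
 vlan 30
interface Ethernet3.40
 vlan 40
!
admin-context admin
context admin
 allocate-interface Ethernet2.99
 config-url flash:/admin.cfg
!
! Inside VLAN 10 and DMZ VLAN 30 are bound to ISP A (Ethernet0); no other context can use that uplink.
context ispA
 allocate-interface Ethernet0
 allocate-interface Ethernet2.10
 allocate-interface Ethernet3.30
 config-url flash:/ispA.cfg
!
! Inside VLAN 20 and DMZ VLAN 40 are bound to ISP B (Ethernet1).
context ispB
 allocate-interface Ethernet1
 allocate-interface Ethernet2.20
 allocate-interface Ethernet3.40
 config-url flash:/ispB.cfg
!
! Context ispA (flash:/ispA.cfg): its own single default route; only static routes are available here.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
interface Ethernet2.10
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
interface Ethernet3.30
 nameif dmz
 security-level 50
 ip address 10.30.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1
! ispB.cfg mirrors this with Ethernet1, VLANs 20 and 40, and ISP B's gateway (assumed 198.51.100.1).
```

Because a context's inside and DMZ subinterfaces are allocated only to that context, hosts in VLANs 10 and 30 cannot reach ISP B at all, which is exactly the binding the original question asks for. Anything that must use both uplinks still needs a router outside the PIX, as the FAQ ekn quoted says.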