Two ISPs - Two Routers - 1 PIX

Discussion in 'Cisco' started by James Parks, Dec 8, 2003.

  1. James Parks

    James Parks Guest

    I'm trying to figure out how to deploy this. What would you do?

    I have two ISPs. I have two routers (2621) that connect to each ISP; both
    gave me 30 routable IPs. I'd like to set up some type of redundant
    connection. BGP is out of the question. I understand that failover won't
    work from outside coming in, but inside going out can be achieved. The PIX
    515 I have has 6 interfaces. Should I configure the 2nd ISP on one of the
    other interfaces? Or get another PIX (506e) and have two default gateways w/
    policy mapping on my internal router (3640)? Say if ISPA goes down, we call
    our clients and they connect to ISPB.

    Any advice would be helpful.
    James Parks, Dec 8, 2003
    #1

  2. In article <>,
    James Parks <> wrote:


    "Redundant connection" can mean a number of different things.

    If you want your inside hosts to be able to get out even if one of the
    ISPs goes down, then if you have PIX 6.3 you can set up OSPF on the
    routers to send the PIX floating static routes, each sending the route
    to its own ISP with high priority and the route to the other ISP with
    low priority. When an interface goes down, the associated 2621 would
    stop sending the OSPF route, and the high priority route to that ISP
    would disappear from inside the PIX, leaving only the low priority route
    via the other 2621.

    (You just might be able to do something similar with RIP; I'm not sure.)

    --
    Tenser, said the Tensor.
    Tenser, said the Tensor.
    Tension, apprehension,
    And dissension have begun. -- Alfred Bester (tDM)
    Walter Roberson, Dec 8, 2003
    #2

  3. James Parks

    James Parks Guest

    Walter,

    Thanks for the reply. So I run a routing protocol between the
    routers, but I would plug the 2nd router into a third interface of the PIX?
    I just want to understand you correctly.

    Regards,




    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:br2rku$faj$...
    James Parks, Dec 9, 2003
    #3
  4. Hmm, I think you have the gist of it but he's going to need more. First,
    you don't "send" floating static
    routes, but you can change the metric of redistributed static routes via
    OSPF thereby influencing the preferred route. Second, what is there to
    send to the PIX besides a default in this case? I don't follow your
    statement "each sending the route to its own ISP with high priority and the
    route to the other ISP with low priority.". What "route" to its own ISP,
    default? Doesn't make sense, but it doesn't matter.

    If all you are looking for is ISP2 to backup ISP1, yes you should use a
    dynamic protocol, preferably OSPF in 6.3. You can use two interfaces on the
    PIX if you like. For example ISP1 on the outside interface and ISP2 on
    another interface you could name "outside2", with security0 (yes, you can).
    I strongly recommend making "outside2" security0 as two interfaces with the
    same security level cannot communicate with each other. This allows for
    easy isolation of the two ISPs. The outside IP address would be one of the
    30 from ISP1 and the ethernet on ISP1's router would be another. Same with
    ISP2. Alternatively you can use one pix interface with VLANs but it's a
    little more straightforward to just use two interfaces. Set a default
    static on each router pointing to its respective ISP. On the routers,
    redistribute this static route into OSPF, use a higher metric on ISP2's
    router to make the default less attractive to the PIX. Or, if you don't
    care which ISP is primary and which is the backup, just redistribute the
    route on both with the defaults and let the PIX choose. If the primary goes
    away, you'll have the other one there.

    You'll then set up a nat for the inside and a global for outside and
    outside2. For example, to PAT on the IP address of the outside and outside2
    IP addresses, you would use:

    nat (inside) 1 192.168.0.0 255.255.0.0
    global (outside) 1 interface
    global (outside2) 1 interface

    This would save the rest of your addresses for other things.

    Alternatively, you can skip the NAT on the pix and let each respective
    router do its own NAT when the pix sends it a packet. You can also use
    this method in a one interface setup with the PIX. The outside interface of
    the pix could be on a segment (pick a subnet of your choice) with the two
    routers. Use OSPF the same way. However, this is not nearly as flexible as
    the two interface configuration and I don't really recommend this method.

    HTH,

    Mike

    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:br2rku$faj$...
    Mike Gallagher, Dec 10, 2003
    #4
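    A worked configuration for the two-interface design that Walter (#2) and Mike
    (#4) describe, added here as an example; it is not configuration posted in
    this thread or by any of its participants. Hostnames, interface names and all
    addresses (RFC 5737 documentation ranges) are assumptions. One correction to
    Mike's wording that matters in practice: on IOS, `redistribute static` does
    not carry a 0.0.0.0/0 route into OSPF, the default is injected with
    `default-information originate`, and without the `always` keyword it is only
    advertised while the router's own default exists in its routing table, which
    is exactly the withdraw-on-failure behaviour the thread wants.

```cisco
! ---- ISP1 router (2621 "R1"), primary exit ----
hostname R1
!
interface Serial0/0
 description Link to ISP1 (constructed addresses)
 ip address 192.0.2.2 255.255.255.252
!
interface FastEthernet0/0
 description Segment shared with the PIX "outside" interface
 ip address 203.0.113.2 255.255.255.224
!
! Default tied to the WAN interface: it leaves the routing table only when the
! interface itself goes down. An upstream ISP failure with the link still up
! is NOT detected by this design.
ip route 0.0.0.0 0.0.0.0 Serial0/0 192.0.2.1
!
router ospf 1
 network 203.0.113.0 0.0.0.31 area 0
 ! No "always": the default is advertised only while it exists locally.
 ! Low metric makes R1 the exit the PIX prefers.
 default-information originate metric 10
!
! ---- ISP2 router (2621 "R2"), backup exit ----
hostname R2
!
interface Serial0/0
 description Link to ISP2 (constructed addresses)
 ip address 192.0.2.6 255.255.255.252
!
interface FastEthernet0/0
 description Segment shared with the PIX "outside2" interface
 ip address 198.51.100.2 255.255.255.224
!
ip route 0.0.0.0 0.0.0.0 Serial0/0 192.0.2.5
!
router ospf 1
 network 198.51.100.0 0.0.0.31 area 0
 ! Higher metric: while both defaults are present the PIX installs R1's.
 default-information originate metric 100
!
! ---- PIX 515, software 6.3 ----
! Both ISP-facing interfaces at security0: a 6.3 PIX never forwards between
! interfaces of equal security level, so the two ISP segments stay isolated.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 outside2 security0
ip address outside 203.0.113.3 255.255.255.224
ip address outside2 198.51.100.3 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
!
! OSPF on both outside segments so each 2621 can hand the PIX its default
! (PIX 6.3 "network" takes a netmask, not an IOS-style wildcard).
router ospf 1
 network 203.0.113.0 255.255.255.224 area 0
 network 198.51.100.0 255.255.255.224 area 0
!
! PAT all inside hosts onto the address of whichever outside interface the
! current default route points out of; the rest of each /27 stays free.
nat (inside) 1 192.168.0.0 255.255.0.0
global (outside) 1 interface
global (outside2) 1 interface
```

    To check it, "show route" on the PIX should list a single OSPF external
    default via 203.0.113.2 while R1's serial is up; shut that serial and, after
    OSPF reconverges, the only default left should be via 198.51.100.2. As James
    already notes, this only covers inside-to-outside traffic: sessions that
    arrive on ISP1's addresses while the default points at ISP2 would have their
    replies routed out outside2 with an ISP1 source address, which the second
    carrier may well drop, so inbound services still need a separate answer.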
  5. Bob Smith

    Bob Smith Guest

    > Thanks for the reply. So you I run a routing protocol between the
    > routers, but I would plug the 2nd router into a third interface of the PIX?
    > I just want to understand you correctly.
    >
    > Regards,


    Just happened to be passing by... I can't address your question but, I
    am reading a book that has coverage of your situation (two ISPs,
    single points of failure, failover, redundant firewalls etc.): High
    Availability Networking by Vincent C. Jones. Check out pertinent white
    papers, they may assist in your choices
    (http://www.networkingunlimited.com/whitepapers.html). These may
    predate the latest updates to the PIX (OSPF etc.) but are still
    useful.
    Bob Smith, Dec 10, 2003
    #5
  6. James Parks

    James Parks Guest

    Wow, very good read, thank you!! I was worried about how I was going to go
    about the natting of the two ISPs in the PIX. ISP1 does have a faster
    connection, it's actually 2 T1s that are CEF bonded. ISP2 is a new one
    we just installed to get away from the single carrier failure. I never
    worked w/ OSPF before so this should be fun.

    Regards,
    Jim



    "Mike Gallagher" <> wrote in message
    news:...
    James Parks, Dec 11, 2003
    #6
