Discussion in 'Cisco' started by Alex, Aug 23, 2004.

  1. Alex (Guest)

    I know that many people have asked the very same question and
    they got stuck on the big Cisco PIX LIMITATION of having just one
    default route.

    I've got 3 different links from 3 different ISPs (BGP is not possible
    to ask for; Italian way of working/brain limitation).
    Each link ends on a router I cannot touch, nor can I have someone
    configure it for me.
    That is:
    3 routers, 3 Internet connections, no way to change a line in any router.

    Then I have a PIX with 6 interfaces.
    I have a LAN, a DMZ and one main Internet connection (outside)
    [default route on one of the above mentioned Internet routers],
    and on the same outside interface I have a VPN tunnel with our Global
    Headquarters.

    Now (I know you've been expecting that question)
    I have 2 other Internet links not in use.
    I'd love to connect one to interface4 of the PIX
    and the other to interface5 of the PIX.

    Interface4 should be used for VPN road warriors.
    Interface5 should be used for a tunnel with our branch office.
    Road warriors and users of the branch office should be able to connect
    to the Headquarters, routing packets through the main tunnel
    (outside interface).
    [YES, I know what you might think, but I cannot replace the PIX with a
    VPN concentrator.]

    Interface4 and 5 should have IP addresses because I have 2 Internet
    links. But if I can have only one default route... I cannot imagine how
    this could work.

    Of course I can buy another PIX, maybe a 506E, use one link for VPN
    road warriors, and by playing a bit with routing I can have the tunnel on
    interface5 working.

    Any other suggestion?

    Thanks in advance
    Alex, Aug 23, 2004
  2. PES (Guest)

    I don't think this will be possible, due to ESP and ISAKMP packets
    going out the default route.
    That should be no problem. You can put a host route in for the remote
    endpoint and a network route to the same default gateway for the network.
    This will get it to the interface, encrypted and on its way. Just make sure
    that you use the desired ISP's gateway.

    route (outside) remote-endpoint isp'sgateway
    route (outside) remote-subnet isp'sgateway
    Another PIX would only help you if you also had a router there somewhere
    that could redirect the traffic for the road warriors' IP address to the
    PES, Aug 24, 2004
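The host-route plus network-route approach PES describes, written out as an added example (not configuration from the thread, and all addresses, interface names and ACL names are constructed placeholders): the branch-office tunnel is terminated on interface5, its peer and its LAN are routed via that ISP's gateway, and the default route stays on outside for the HQ tunnel. PIX 6.3 syntax is assumed.

```cisco
! Constructed example: PIX 6.3 syntax with placeholder addresses.
! outside = main ISP (keeps the default route), intf5 = third ISP for the branch tunnel.
nameif ethernet5 intf5 security10
ip address outside 192.0.2.2 255.255.255.248
ip address intf5 198.51.100.2 255.255.255.248
! Default route on the main ISP; IKE/ESP to the HQ peer follow it as before.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
! Host route for the branch tunnel endpoint and a network route for the branch LAN,
! both via the third ISP's gateway, so they leave on intf5 rather than outside.
route intf5 203.0.113.10 255.255.255.255 198.51.100.1 1
route intf5 10.3.0.0 255.255.255.0 198.51.100.1 1
! Interesting traffic: local LAN 10.1.1.0/24 <-> branch LAN 10.3.0.0/24, exempt from NAT.
access-list branch permit ip 10.1.1.0 255.255.255.0 10.3.0.0 255.255.255.0
nat (inside) 0 access-list branch
sysopt connection permit-ipsec
! Bind the branch crypto map to intf5 so IKE/ESP for this peer enter and leave there.
crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac
crypto map branchmap 10 ipsec-isakmp
crypto map branchmap 10 match address branch
crypto map branchmap 10 set peer 203.0.113.10
crypto map branchmap 10 set transform-set strong
crypto map branchmap interface intf5
isakmp enable intf5
isakmp key ******** address 203.0.113.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
! This only works because the branch peer address is fixed; road warriors with
! unpredictable source addresses cannot be steered by static routes this way.
```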
  3. Martin Bilgrav

    Well, one option is to add a real router in front of the PIX; then your
    issues are all gone, and it's just a matter of configuring the router.
    The router needs to be a big one to handle all the traffic in real time
    without dropouts.
    But your speeds are not listed.

    But some quad Fast Ethernet router or maybe a layer-3 switch will do the

    Martin Bilgrav, Aug 24, 2004
  4. Alex (Guest)

    A PIX can forward, can't it?
    If I put static routes on PIX1 and on PIX2, can I make it work without an
    internal router?


    LAN is 10.1.1/24.
    VPN road warriors are 10.1.2/24 (they use PIX2).

    PIX1 inside ip is
    PIX2 inside ip is (same LAN)

    On PIX1 I put a route for 10.1.2/24 (VPN road warriors) with gw PIX2.
    On PIX2 I put a route for 10.1.1/24 (LAN) with gw PIX1.

    Alex, Aug 24, 2004
  5. PES (Guest)

    That will not work. If your internal hosts point to for the gw,
    they will never get redirected to The only way you could get this
    to work is if you put the PIXs in series instead of parallel. Then you
    would have to create some interesting-looking and potentially dangerous
    access-lists in the internal PIX.

                                    ,-' ``._
                                   ,'       \
      ,-----.        ,---.        |  Internet |
     ( PIX1 )........(Pix2 )------------`     /
      `-----'        `---'          `._     ,'
    PES, Aug 25, 2004
