PIX outside interface with two ISP's, policy based routing and full redundancy? Can this be done?

Posted on 2004-03-22
Medium Priority
Last Modified: 2010-05-18

I've got the following scenario:

My Pix 515 outside interface is connected to a switch, on which I have two routers, each going to a different ISP.  Let's call them ISP1 and ISP2.

ISP 1 is for all traffic except mail, ISP 2 is only for mail.

The two ISP routers run HSRP, the default route on the PIX is pointing to that HSRP IP.

On the ISP1 router I have installed policy based routing, which sets the next hop for all traffic coming from the mail server (which is situated inside the DMZ2) to the ISP2 router.

The mail server is in DMZ2, the Web Server is in DMZ1.

I am using static translations for the Mail and Web server to translate them into the private address space of the outside, and then again NAT on the ISP 1 and ISP 2 router to translate the addresses to their public addresses, visible on the net.

I have a problem now creating a full redundant scenario:

If ISP 1 router fails, no problem, all traffic will be directed from the PIX to the HSRP address and ISP 2 router takes over and all traffic will go via ISP 2 router.
If the ISP 1 service provider or line fails, also no problem, all traffic will be directed from the PIX to the HSRP address and ISP 2 router takes over and all traffic will go via ISP 2.

But I have a problem if the ISP2 router fails, because the policy based routing on ISP1 router will still try to send all mail packets via ISP 2 router and they will be dropped.
I could install another router, make it and the ISP2 router part of another HSRP group and have a separate line to the ISP 2, so I can do away with ISP 2 router as a single point of failure, but if the ISP 2 line or service provider fails (not the router but the actual ISP is down), I land up with the same problem.  Mail will only go out via ISP 1 router if I change the config file and remove the policy that sends mail to the ISP 2 router.

Any idea how I can create a scenario with 2 routers, policy based routing and HSRP on the outside PIX interface that will give me full redundancy?

Question by: ChristianeD

Expert Comment

ID: 10653781
PIX will not do what you are attempting... because it will only allow for a single default route.
Load balance through a router: send all packets to that router and let the router determine which line is up or down.
Good luck
LVL 79

Expert Comment

ID: 10654168
So many have tried and failed. <sigh>
Agree with hawgpig.

Your best bet may be to run OSPF between the two routers and the PIX. However, the PIX still will not have the capability to send specific type traffic (mail) to one gateway vs the other.

You can use a 3rd router to do that with route-maps, but that injects a new single point of failure which you are trying to avoid with the dual router/HSRP thing.

I don't think you will ever achieve dynamic redundancy with the policy based routing where you have chosen to send all email out only one ISP.

You might also want to look into Gateway Load Balancing Protocol vs HSRP...

Expert Comment

ID: 10663942
There are also third party devices to help accomplish what you are trying, FatPipe, RadWare and others.  Usually, they offer other services and may be limited by bandwidth they allow through.  A side benefit is that some allow you access to bandwidth from both connections, rather than just failover.


LVL 79

Expert Comment

ID: 10682211
Take a look at what we did here and see if it might give you some ideas about using route-maps on one of the routers...



Author Comment

ID: 10684839
Hi, I've looked at Q 20930992 and it looks very much like the scenario that we are dealing with. Our first design was also utilizing a 2620 router, but this creates a single point of failure.  My challenge is that I want to create a redundant scenario, where one router or one ISP fails, the other router/ISP will deal with all traffic.
It will be some time before we will implement, we are still in the design stage (gathering ideas).

I was thinking of testing the following for the scenario of router 2 being down:

access-list 101 permit tcp host x.x.x.x any eq smtp
!
route-map MAIL permit 20
 match ip address 101
 set ip next-hop x.x.x.x
! x.x.x.x above = LAN interface of ISP2 router
!
route-map MAIL permit 21
 match ip address 101
 set default interface Serial0/0
! Serial0/0 = interface to ISP1

If router 2 (for ISP2) is down, it might take the second statement sending smtp packets to the serial interface on the same router.  But I suspect, that before it does that, it will hit the first route-map statement and send the packet out to the second router, which is down, so the packet does not get there.  It will never go to the second route-map statement because it does not test the validity of the action to be taken.

Am I right here?

LVL 79

Accepted Solution

lrmoore earned 1500 total points
ID: 10686863
No, it won't take the 2nd statement because it matched the first and will always match the first, regardless of the status of the other router.

This is one reason that I would not recommend this solution for you. There is no failover/redundancy. If the next-hop is down, the packets die.

The best scenario is to use OSPF on both routers and the PIX, let both routers generate default information. This gives you dynamic failover, but not necessarily load balancing or load-sharing. If you want load-sharing, put both T1's in the same router. If you're worried about the router going down, add a "hot spare" router that has all the config and modules, and just swap the T1 cables if it goes down.
Else, get a router with dual power supplies, perhaps a 3725.
GLBP may work for you with two routers, I have not tried it. It gives the appearance of one IP address as the default for the PIX like HSRP, but actually does some load-sharing.

Expert Comment

ID: 10696985
One of the nice things about the "set ip next-hop" statement is that the IP you route it to does not have to be directly connected.  What you can do is set up EIGRP between your two routers, having router 2 advertise its serial network to router 1.  Set the next-hop in your route-map to the serial IP on router 2.  When router 2 and its serial line are both up, router 1 will route packets matching the route-map to it.  If either should fail, EIGRP drops the route which makes the IP match your default gateway thus sending the traffic to ISP 1.
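Added example (editor's addition, not code from any of the posts above): a small Python simulation of the two behaviours the thread turns on. It models the author's two-sequence route-map from comment 10684839 (first-match semantics, so sequence 21 is never consulted) and the EIGRP-learned next-hop from comment 10696985 (the next hop is resolved through the routing table, so when router 2 withdraws its serial network the address falls to the default route and the mail leaves via ISP1). All addresses, interface names and the routing-table contents are constructed for the example; the poster's real x.x.x.x values are unknown.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses for the simulation (the thread's x.x.x.x values are unknown).
MAIL_SERVER = "10.10.2.25"   # mail server as seen on the PIX outside (static xlate)
LAN_IF = "FastEthernet0/0"   # router 1's port on the switch shared with the PIX and router 2
R1_SERIAL_IF = "Serial0/0"   # router 1's link to ISP1
R2_LAN = "10.0.0.2"          # router 2's LAN address (the poster's next hop)
R2_SERIAL = "10.0.1.1"       # router 2's serial address toward ISP2 (the EIGRP suggestion)


def routing_table(router2_up):
    """Router 1's routing table as (prefix, next_hop or None if connected, interface)."""
    table = [
        ("10.0.0.0/24", None, LAN_IF),        # connected LAN segment
        ("0.0.0.0/0", None, R1_SERIAL_IF),    # static default toward ISP1
    ]
    if router2_up:
        # Router 2 advertises its serial network over EIGRP only while it and the line are up.
        table.append(("10.0.1.0/30", R2_LAN, LAN_IF))
    return table


def lookup(table, dst):
    """Longest-prefix match; returns (network, next_hop, interface) or None."""
    best = None
    for prefix, nh, ifc in table:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, ifc)
    return best


def resolve(table, addr, max_depth=8):
    """Recursive next-hop resolution down to an outgoing interface and the on-link hop."""
    for _ in range(max_depth):
        route = lookup(table, addr)
        if route is None:
            return None
        _net, nh, ifc = route
        if nh is None:
            return ifc, addr
        addr = nh
    return None


def acl_101(pkt):
    """access-list 101 permit tcp host <mail server> any eq smtp"""
    return pkt["proto"] == "tcp" and pkt["src"] == MAIL_SERVER and pkt["dport"] == 25


def route_map_mail(pkt, next_hop):
    """route-map MAIL: sequences are tried in order and the first match wins, so
    sequence 21 can never be reached: it matches exactly what sequence 20 matches."""
    sequences = [
        (20, acl_101, ("next-hop", next_hop)),
        (21, acl_101, ("default-interface", R1_SERIAL_IF)),
    ]
    for seq, match, action in sequences:
        if match(pkt):
            return seq, action
    return None, None


def forward(pkt, table, next_hop, arp_answers):
    """Forwarding decision on router 1: ('policy' | 'routed' | 'dropped', interface, hop).
    The address from 'set ip next-hop' is resolved through the routing table like any
    other address; only if it has no route at all is the packet routed normally.
    arp_answers is the set of on-link addresses that currently answer ARP."""
    _seq, action = route_map_mail(pkt, next_hop)
    if action is not None and action[0] == "next-hop":
        hit = resolve(table, action[1])
        if hit is not None:
            ifc, hop = hit
            if ifc == LAN_IF and hop not in arp_answers:
                return "dropped", ifc, hop   # on-link next hop is dead: no ARP reply
            return "policy", ifc, hop
    hit = resolve(table, pkt["dst"])
    if hit is None:
        return "dropped", None, None
    ifc, hop = hit
    if ifc == LAN_IF and hop not in arp_answers:
        return "dropped", ifc, hop
    return "routed", ifc, hop


# Constructed packets: one SMTP flow from the mail server, one web flow from the web server.
SMTP_PKT = {"proto": "tcp", "src": MAIL_SERVER, "dst": "203.0.113.50", "dport": 25}
WEB_PKT = {"proto": "tcp", "src": "10.10.1.80", "dst": "203.0.113.50", "dport": 80}


def scenario(next_hop, router2_up):
    """Mail leaving router 1 with the given route-map next hop and router 2 state."""
    arp = {R2_LAN} if router2_up else set()
    return forward(SMTP_PKT, routing_table(router2_up), next_hop, arp)


if __name__ == "__main__":
    print("connected next hop, router 2 up:  ", scenario(R2_LAN, True))
    print("connected next hop, router 2 down:", scenario(R2_LAN, False))
    print("EIGRP next hop, router 2 up:      ", scenario(R2_SERIAL, True))
    print("EIGRP next hop, router 2 down:    ", scenario(R2_SERIAL, False))
```

With the poster's design the second run ends in "dropped" on the LAN port even though sequence 21 exists, because the route-map matched on sequence 20 and the on-link next hop never answers. With the serial address as next hop, the fourth run shows the same packet leaving Serial0/0 once the EIGRP route is gone, which is the fall-back described above; the policy itself never changes, only what the next-hop address resolves to.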

LVL 79

Expert Comment

ID: 10807696
Are you still working on this? Do you need more information?

Author Comment

ID: 10821652
Hi, unfortunately the implementation of the above scenario has been delayed.  I've also indicated to the customer that a fully redundant setup + policy based routing will not be possible.  The customer is now rethinking his requirements.

I feel confident that with your input I will be able to set up the PIX and the two routers so that I get a load-balancing, redundant scenario, although policy based routing will be a no-no.

I've also been thinking of a second LAN port on ISP router 1 that is shut down but configured exactly the way the other LAN port is configured, except that the policy based routing to ISP router 2 has been omitted.  It would act like your suggested "hot spare" router.  In case of a failure, the user can plug his LAN into the second LAN port, issue the "no shutdown" command and all mail will go via ISP1.


Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
In this article, the configuration steps in Zabbix to monitor devices via SNMP will be discussed with some real examples on Cisco Router/Switch, Catalyst Switch, NAS Synology device.
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses

564 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question