
PIX outside interface with two ISPs, policy based routing and full redundancy? Can this be done?

ChristianeD asked
Last Modified: 2010-05-18

I've got the following scenario:

My PIX 515 outside interface is connected to a switch, on which I have two routers, each going to a different ISP. Let's call them ISP1 and ISP2.

ISP 1 is for all traffic except mail, ISP 2 is only for mail.

The two ISP routers run HSRP, the default route on the PIX is pointing to that HSRP IP.

On the ISP1 router I have installed policy based routing, which sets the next hop for all traffic coming from the mail server (which is situated inside the DMZ2) to the ISP2 router.

The mail server is in DMZ2, the Web Server is in DMZ1.

I am using static translations for the Mail and Web server to translate them into the private address space of the outside, and then again NAT on the ISP 1 and ISP 2 router to translate the addresses to their public addresses, visible on the net.

I have a problem now creating a full redundant scenario:

If ISP 1 router fails, no problem, all traffic will be directed from the PIX to the HSRP address and ISP 2 router takes over and all traffic will go via ISP 2 router.
If the ISP 1 service provider or line fails, also no problem, all traffic will be directed from the PIX to the HSRP address and ISP 2 router takes over and all traffic will go via ISP 2.

But I have a problem if the ISP2 router fails, because the policy based routing on ISP1 router will still try to send all mail packets via ISP 2 router and they will be dropped.
I could install another router, make it and the ISP2 router part of another HSRP group and have a separate line to ISP 2, so I can do away with the ISP 2 router as a single point of failure, but if the ISP 2 line or service provider fails (not the router but the actual ISP is down), I end up with the same problem. Mail will only go out via the ISP 1 router if I change the config file and remove the policy that sends mail to the ISP 2 router.

Any idea how I can create a scenario with 2 routers, policy based routing and HSRP on the outside PIX interface that will give me full redundancy?


PIX will not do what you are attempting... because it will only allow for a single default route.
Load balance through a router: send all packets to that router and let the router determine which line is up or down.
Good luck
Les Moore, Sr. Systems Engineer
Top Expert 2008

So many have tried and failed. <sigh>
Agree with hawgpig.

Your best bet may be to run OSPF between the two routers and the PIX. However, the PIX still will not have the capability to send specific type traffic (mail) to one gateway vs the other.

You can use a third router to do that with route-maps, but that injects a new single point of failure, which you are trying to avoid with the dual router/HSRP thing.

I don't think you will ever achieve dynamic redundancy with the policy based routing where you have chosen to send all email out only one ISP.

You might also want to look into Gateway Load Balancing Protocol vs HSRP...

There are also third party devices to help accomplish what you are trying, FatPipe, RadWare and others.  Usually, they offer other services and may be limited by bandwidth they allow through.  A side benefit is that some allow you access to bandwidth from both connections, rather than just failover.

Les Moore, Sr. Systems Engineer
Top Expert 2008

Take a look at what we did here and see if it might give you some ideas about using route-maps on one of the routers...



Hi, I've looked at Q 20930992 and it looks very much like the scenario that we are dealing with. Our first design was also utilizing a 2620 router, but this creates a single point of failure. My challenge is that I want to create a redundant scenario, where if one router or one ISP fails, the other router/ISP will deal with all traffic.
It will be some time before we will implement; we are still in the design stage (gathering ideas).

I was thinking of testing the following for the scenario of router 2 being down:

access-list 101 permit tcp host x.x.x.x any eq smtp
!
route-map MAIL permit 20
 match ip address 101
 set ip next-hop x.x.x.x   <-- LAN interface of ISP2 router
!
route-map MAIL permit 21
 match ip address 101
 set default interface serial 0/0   <-- interface to ISP1

If router 2 (for ISP2) is down, it might take the second statement sending smtp packets to the serial interface on the same router.  But I suspect, that before it does that, it will hit the first route-map statement and send the packet out to the second router, which is down, so the packet does not get there.  It will never go to the second route-map statement because it does not test the validity of the action to be taken.

Am I right here?

Sr. Systems Engineer
Top Expert 2008
One of the nice things about the "set ip next-hop" statement is that the IP you route it to does not have to be directly connected. What you can do is set up EIGRP between your two routers, having router 2 advertise its serial network to router 1. Set the next-hop in your route-map to the serial IP on router 2. When router 2 and its serial line are both up, router 1 will route packets matching the route-map to it. If either should fail, EIGRP drops the route, which makes the IP match your default gateway, thus sending the traffic to ISP 1.
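The approach described in the answer above (and the single-entry route-map the asker was trying to build), written out as an added IOS configuration example. This is not configuration from the thread or from Cisco; all addresses are assumptions: the LAN segment shared by the PIX outside interface and both routers is 192.168.100.0/24 with HSRP VIP 192.168.100.1, the mail server's static translation on that segment is 192.168.100.25, router 2's serial toward ISP2 is 203.0.113.2/30 and router 1's serial toward ISP1 is 198.51.100.2/30. The static NAT to the public addresses on each ISP router is left out.

```cisco
! ===== Router 2 (ISP2 router, HSRP standby) =====
! Assumed addressing, not from the thread.
interface FastEthernet0/0
 description LAN shared with PIX outside and router 1
 ip address 192.168.100.3 255.255.255.0
 ip nat inside
 standby 1 ip 192.168.100.1
 standby 1 priority 90
!
interface Serial0/0
 description Line to ISP2
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Advertise the serial subnet to router 1. The prefix is in EIGRP only while
! Serial0/0 is up/up, so router 1 loses it when this router or the line to
! ISP2 goes down. passive-interface keeps EIGRP hellos off the ISP link.
router eigrp 100
 network 192.168.100.0 0.0.0.255
 network 203.0.113.0 0.0.0.3
 passive-interface Serial0/0
 no auto-summary

! ===== Router 1 (ISP1 router, HSRP active) =====
access-list 101 remark SMTP sourced by the mail server's outside-NAT address (assumed)
access-list 101 permit tcp host 192.168.100.25 any eq smtp
!
! One route-map entry only. The next hop is router 2's serial address, which is
! not on a connected network: it is resolved through the EIGRP route via
! 192.168.100.3. When EIGRP withdraws that route the set clause cannot be
! applied and the packet is forwarded by the normal routing table, i.e. out
! the default route to ISP1. On IOS releases that insist on an adjacent
! next hop, use "set ip next-hop recursive 203.0.113.2" instead.
route-map MAIL permit 10
 match ip address 101
 set ip next-hop 203.0.113.2
!
interface FastEthernet0/0
 description LAN shared with PIX outside and router 2
 ip address 192.168.100.2 255.255.255.0
 ip nat inside
 ip policy route-map MAIL
 standby 1 ip 192.168.100.1
 standby 1 priority 110
 standby 1 preempt
!
interface Serial0/0
 description Line to ISP1
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
router eigrp 100
 network 192.168.100.0 0.0.0.255
 no auto-summary
```

To check the failover logic, run "show ip route 203.0.113.2" on router 1 with router 2's serial up and again after shutting it down: the first should show an EIGRP route via 192.168.100.3, the second "% Network not in table". "show route-map MAIL" counts the packets that actually hit the policy. One caveat a practitioner should plan for: this only detects failures that take router 2's Serial0/0 down. If the provider fails further upstream while the serial stays up/up, EIGRP keeps advertising the prefix and mail is still sent to ISP2; on later IOS releases that case is handled with "set ip next-hop verify-availability" bound to an IP SLA reachability track, which is outside what this thread discusses.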

Les Moore, Sr. Systems Engineer
Top Expert 2008

Are you still working on this? Do you need more information?


Hi, unfortunately the implementation of the above scenario has been delayed.  I've also indicated to the customer that a fully redundant setup + policy based routing will not be possible.  The customer is now rethinking his requirements.

I feel confident that with your input I will be able to set up the PIX and the two routers so that I get a load-balancing, redundant scenario, although policy based routing will be a no-no.

I've also been thinking of a second LAN port on ISP router 1 that is shut down but configured exactly the way the other LAN port is configured, except that the policy based routing to ISP router 2 has been omitted. It would act like your suggested "hot spare" router. In case of a failure, the user can plug his LAN into the second LAN port, issue the "no shutdown" command, and all mail will go via ISP1.
