Solved

How to set 2 default gateways in a Cisco PIX 515E firewall ?

Posted on 2004-08-16
9
739 Views
Last Modified: 2013-11-16
I have a Cisco PIX 515E firewall and I would like to set the firewall to have 2 default gateways with some weighting method.  Can this be done? If yes, how? Please provide detailed firewall commands and scripts.
0
Question by:viansoo
9 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 11810631
No can do, my friend.
PIX can have 1 and only 1 default gateway. Remember that it is a firewall. It was built and designed for that one purpose. You're asking it to perform advanced routing functions which are not part of the PIX OS.
0
 
LVL 3

Expert Comment

by:fatlad
ID: 11818347
If both the "gateways" you wish to set up are Cisco routers why not configure them to use HSRP? That way the PIX will send traffic to the one you prefer until it fails. You can use the routers to route and the PIX as a firewall.
0
 

Author Comment

by:viansoo
ID: 11820603
                                        Web Server
                                               |
                                 ________|____
                                           |
                                           |
                                Cisco PIX Firewall
                                        /        \
                                      /            \
                                    /                \
                              Broadband       Cisco
                                Modem          Router
                                    |                   |
                                    |                   |
                                    B                   A

A: Primary connection (leased line) from ISP A
B: Backup connection (broadband) from ISP B
                                     
The default gateway for the PIX firewall is through connection A.  If connection A fails, traffic will be automatically routed to connection B.  What is the best solution for this?
0

 
LVL 79

Accepted Solution

by:
lrmoore earned 150 total points
ID: 11820942
You basically have two options:
1. Get another Ethernet module for your Cisco router A, and connect the broadband modem to it. Use its capabilities for failover routing.
2. Get yet another router that has the failover routing capability and stick it in between the PIX and the other two routers.
0
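A worked configuration for option 1 above, added here as an example rather than lrmoore's own commands: router A receives a second Ethernet interface for the broadband modem and handles the failover with a floating static default route, while the PIX keeps its single default route. The addresses (RFC 5737 documentation ranges), interface names and the NAT detail on the backup path are assumptions.

```cisco
! Router A (IOS), now holding both uplinks. Added example, not lrmoore's own
! config. Addresses are constructed from RFC 5737 documentation ranges and
! interface names are assumed; 203.0.113.0/24 stands in for the public block
! ISP A routes to you over the leased line.
!
! PIX side (PIX 6.x syntax): the firewall keeps its single default route,
! pointing at the router. The trailing 1 is the route metric.
!   route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
interface FastEthernet0/0
 description LAN segment shared with the PIX outside interface
 ip address 203.0.113.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 description Primary leased line to ISP A
 ip address 198.51.100.2 255.255.255.252
!
interface FastEthernet0/1
 description Added Ethernet module, cabled to the broadband modem (ISP B)
 ip address 192.0.2.2 255.255.255.0
 ip nat outside
!
! Primary default route, tied to the serial interface: IOS withdraws it from
! the routing table as soon as the line protocol on Serial0/0 goes down.
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
! Floating static: administrative distance 250 keeps it out of the routing
! table while the primary route exists, so it is installed only on failure
! and removed again when the leased line comes back.
ip route 0.0.0.0 0.0.0.0 192.0.2.1 250
!
! The PIX still translates to 203.0.113.x (ISP A space), which ISP B would
! discard as spoofed. Translate a second time only on the backup path: IOS NAT
! acts only on packets leaving through an "ip nat outside" interface, and
! Serial0/0 is deliberately not marked as one.
access-list 1 permit 203.0.113.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/1 overload
!
! Caveats: this detects a dead circuit, not a dead ISP (line protocol up but
! ISP A's core unreachable leaves the primary route in place), and inbound
! connections to the web server still depend on ISP A's address block.
```

After a failover, `show ip route 0.0.0.0` on the router should list the 192.0.2.1 next hop instead of Serial0/0.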
 
LVL 79

Expert Comment

by:lrmoore
ID: 12092769
Are you still working on this? Do you need more information?
Can you close out this question?
0
 
LVL 3

Expert Comment

by:fatlad
ID: 12110657
As a thought could you not have the router advertise a default route in RIP and then use the PIX with a statically defined floating default route (with a higher AD than RIP). When the router stops sending RIP updates the static one will rise to the top.
0
 

Author Comment

by:viansoo
ID: 12196879
lrmoore, you were saying, get an Ethernet module for my router and then connect the broadband modem to it, and use some sort of 'capabilities' for routing.  Can you explain more what these 'capabilities' are?  Tks.
0
 
LVL 3

Expert Comment

by:fatlad
ID: 12198208
If your new setup was:



                                        Web Server
                                               |
                                 ________|____
                                           |
                                           |
                                Cisco PIX Firewall
                                        /        \
                                      /            \
                                    /                \
                                 Cisco            Cisco
                                Router          Router
                                    |                   |
                                    |                   |
                                Modem              A
                                    |
                                    B

You could use a feature known as HSRP (Hot Swap routing protocol) that will allow the routers to create and share a virtual interface which can be used as the default gateway for the PIX. More info at: http://www.cisco.com/en/US/tech/tk648/tk362/tk321/tech_protocol_home.html

Hope that helps

FatLad

0
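The two-router HSRP layout drawn above as a concrete configuration, added as an example and not FatLad's own config: both routers share a virtual address on the PIX-facing segment, router A tracks its leased line so router B becomes the active gateway when that line drops, and the PIX never changes its single default route. Addresses (RFC 5737 ranges), interface names, the HSRP group number and the double-NAT on router B are assumptions.

```cisco
! Two-router HSRP layout drawn above. Added example, not FatLad's config.
! Constructed RFC 5737 addresses; interface names, group number and the
! virtual address 203.0.113.1 are assumptions.
!
! PIX (6.x): one default route, pointing at the HSRP virtual address, which
! moves between routers without any change on the firewall.
!   route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! ---- Router A: leased line to ISP A, preferred gateway ----
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 standby 1 ip 203.0.113.1
 standby 1 priority 110
 standby 1 preempt
 ! Drop priority by 20 (to 90) when Serial0/0 goes down, so Router B
 ! (priority 100) becomes active; preempt lets A take over again on recovery.
 standby 1 track Serial0/0 20
!
interface Serial0/0
 ip address 198.51.100.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
! ---- Router B: broadband modem to ISP B, standby gateway ----
interface FastEthernet0/0
 ip address 203.0.113.3 255.255.255.0
 ip nat inside
 standby 1 ip 203.0.113.1
 standby 1 priority 100
 standby 1 preempt
!
interface FastEthernet0/1
 description Broadband modem (ISP B)
 ip address 192.0.2.2 255.255.255.0
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! ISP A's addresses leaving via ISP B must be translated again (double NAT),
! otherwise ISP B drops them as spoofed.
access-list 1 permit 203.0.113.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/1 overload
!
! Check which router currently owns the virtual address with: show standby brief
! Note: HSRP gives failover only; the two links are never used at once.
```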
 
LVL 79

Expert Comment

by:lrmoore
ID: 12208042
Assuming a Cisco router with both DSL to ISPB and T1 to ISPA, you can use different methods of providing load-sharing/balancing. From using equal-cost default routes with a double-nat approach, to using route-map and creative use of NAT pools/addresses on the PIX. Perhaps something like LAN group A gets NAT IP A and LAN group B gets NAT IP B. On the router end, anything coming out of the PIX with NAT IP A goes to ISPA, anything with NAT IP B goes out to ISPB... Now you will just have to layer a bit more intelligence in the router to know if link to ISPA is down, then all traffic goes out ISPB, and vice versa.
IOS gives you the flexibility to do any/all the above, where PIX is severely limited in its capabilities.

FatLad's suggestion of HSRP will work only if you add another router to the mix just to connect to the broadband modem, and it will provide failover only, not load-sharing or load-balance. GLBP (Gateway Load Balancing Protocol) is more attuned to providing that. http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00801541c8.html

BTW:
HSRP = Hot Standby Router Protocol, not Hot Swap Routing Protocol
0
