Solved

How to set 2 default gateways in a Cisco PIX 515E firewall ?

Posted on 2004-08-16
734 Views
Last Modified: 2013-11-16
I have a Cisco PIX 515E firewall and I would like to set the firewall to have 2 default gateways with some weighting method. Can this be done? If yes, how? Please provide detailed firewall commands and scripts.
9 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 11810631
No can do, my friend.
PIX can have 1 and only 1 default gateway. Remember that it is a firewall. It was built and designed for that one purpose. You're asking it to perform advanced routing functions which are not part of the PIX OS.
 
LVL 3

Expert Comment

by:fatlad
ID: 11818347
If both the "gateways" you wish to set up are Cisco routers why not configure them to use HSRP? That way the PIX will send traffic to the one you prefer until it fails. You can use the routers to route and the PIX as a firewall.
 

Author Comment

by:viansoo
ID: 11820603
                                        Web Server
                                               |
                                 ________|____
                                           |
                                           |
                                Cisco PIX Firewall
                                        /        \
                                      /            \
                                    /                \
                              Broadband       Cisco
                                Modem          Router
                                    |                   |
                                    |                   |
                                    B                   A

A: Primary connection (leased line) from ISP A
B: Backup connection (broadband) from ISP B
                                     
The default gateway for the PIX firewall is through connection A.  If connection A fails, traffic will be automatically routed to connection B.  What is the best solution for this?
 
LVL 79

Accepted Solution

by:lrmoore (earned 150 total points)
ID: 11820942
You basically have two options:
1. Get another Ethernet module for your Cisco router A, and connect the broadband modem to it. Use its capabilities for failover routing.
2. Get yet another router that has the failover routing capability and stick it in between the pix and the other two routers.
 
LVL 79

Expert Comment

by:lrmoore
ID: 12092769
Are you still working on this? Do you need more information?
Can you close out this question?
 
LVL 3

Expert Comment

by:fatlad
ID: 12110657
As a thought, could you not have the router advertise a default route in RIP and then use the PIX with a statically defined floating default route (with a higher AD than RIP)? When the router stops sending RIP updates the static one will rise to the top.
 

Author Comment

by:viansoo
ID: 12196879
lrmoore, you were saying, get an Ethernet module for my router and then connect the broadband modem to it, and use some sort of 'capabilities' for routing. Can you explain more what these 'capabilities' are? Tks.
 
LVL 3

Expert Comment

by:fatlad
ID: 12198208
If your new setup was:

                                        Web Server
                                               |
                                 ________|____
                                           |
                                           |
                                Cisco PIX Firewall
                                        /        \
                                      /            \
                                    /                \
                                 Cisco            Cisco
                                Router          Router
                                    |                   |
                                    |                   |
                                Modem              A
                                    |
                                    B

You could use a feature known as HSRP (Hot Swap routing protocol) that will allow the routers to create and share a virtual interface which can be used as the default gateway for the PIX. More info at: http://www.cisco.com/en/US/tech/tk648/tk362/tk321/tech_protocol_home.html

Hope that helps

FatLad

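Added example (not FatLad's, lrmoore's, or Cisco's own configuration): one way to wire up the two-router HSRP design drawn above. Router A is preferred while its leased line is up, Router B takes over the shared virtual address when it is not, and the PIX keeps its single default route pointing at that virtual address, which is the only route a PIX can hold. All addresses, interface names and the HSRP group number are constructed assumptions; the syntax is IOS `standby` for the routers and PIX 6.x `route` for the firewall.

```cisco
! ===== Router A (leased line to ISP A): preferred HSRP router =====
! Inside segment 192.168.100.0/24 is shared by the PIX outside interface,
! Router A and Router B (constructed addresses). Virtual IP: 192.168.100.1
interface FastEthernet0/0
 description Inside segment facing the PIX
 ip address 192.168.100.2 255.255.255.0
 standby 1 ip 192.168.100.1
 standby 1 priority 110
 standby 1 preempt
 ! Drop priority by 20 (110 -> 90) if the leased-line interface goes down,
 ! which is below Router B's 100, so B becomes active
 standby 1 track Serial0/0 20
!
interface Serial0/0
 description Leased line to ISP A
 ip address 203.0.113.2 255.255.255.252
!
! Static default via ISP A; IOS withdraws it when Serial0/0 is down because
! the next hop is no longer reachable through a connected route
ip route 0.0.0.0 0.0.0.0 203.0.113.1

! ===== Router B (Ethernet to the broadband modem, ISP B): standby =====
interface FastEthernet0/0
 description Inside segment facing the PIX
 ip address 192.168.100.3 255.255.255.0
 standby 1 ip 192.168.100.1
 standby 1 priority 100
 standby 1 preempt
!
interface FastEthernet0/1
 description Ethernet to broadband modem (ISP B)
 ip address 198.51.100.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1

! ===== PIX 6.x: one default route, aimed at the HSRP virtual address =====
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
```

Verify the roles with `show standby brief` on both routers (one should show Active, the other Standby) and watch it flip when Serial0/0 on Router A is shut down. Two limits to keep in mind: tracking an interface only detects the link itself going down, so an upstream failure at ISP A with the serial line still up will not trigger failover; and this gives failover only, not load sharing, which matches what the thread says about HSRP.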
 
LVL 79

Expert Comment

by:lrmoore
ID: 12208042
Assuming a Cisco router with both DSL to ISPB and T1 to ISPA, you can use different methods of providing load-sharing/balancing. From using equal-cost default routes with a double-nat approach, to using route-map and creative use of NAT pools/addresses on the PIX. Perhaps something like LAN group A gets NAT IP A and LAN group B gets NAT IP B. On the router end, anything coming out of the PIX with NAT IP A goes to ISPA, anything with NAT IP B goes out to ISPB... Now you will just have to layer a bit more intelligence in the router to know if link to ISPA is down, then all traffic goes out ISPB, and vice versa.
IOS gives you the flexibility to do any/all the above, where PIX is severely limited in its capabilities.

FatLad's suggestion of HSRP will work only if you add another router to the mix just to connect to the broadband modem, and it will provide failover only, not load-sharing or load-balance. GLBP (Gateway Load Balancing Protocol) is more attuned to provide that. http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00801541c8.html

BTW:
HSRP = Hot Standby Router Protocol, not Hot Swap Routing Protocol
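Added example (not lrmoore's or the thread's own configuration): a concrete rendering of the single-router design sketched above. The PIX hands LAN group A and LAN group B different NAT addresses, policy-based routing on the router steers each address to its ISP, a second NAT layer on the router picks the public address by egress interface (the "double-NAT" lrmoore refers to), and a floating static default route makes traffic fall back to whichever link is still up. Addresses, interface names, access-list numbers and route-map names are constructed assumptions; the syntax is PIX 6.x `nat`/`global` and IOS route-map, NAT and static routing.

```cisco
! ===== PIX 6.x: a separate NAT address per LAN group (constructed) =====
nat (inside) 1 192.168.10.0 255.255.255.0
global (outside) 1 192.168.100.201
nat (inside) 2 192.168.20.0 255.255.255.0
global (outside) 2 192.168.100.202
! The PIX still has exactly one default route: the router's inside address
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1

! ===== Router: one box with a T1 to ISP A and DSL to ISP B =====
! The PIX NAT address a packet carries decides which ISP it leaves through
access-list 110 permit ip host 192.168.100.201 any
access-list 120 permit ip host 192.168.100.202 any
! Everything arriving from the PIX segment is eligible for the router's NAT
access-list 150 permit ip 192.168.100.0 0.0.0.255 any
!
route-map ISP-STEER permit 10
 match ip address 110
 set ip next-hop 203.0.113.1
route-map ISP-STEER permit 20
 match ip address 120
 set ip next-hop 198.51.100.1
! If the next hop has no route (its interface is down), IOS ignores the set
! clause and forwards the packet by the ordinary routing table instead,
! which is what sends group A out via ISP B when the T1 is down.
!
! Second NAT layer: choose the public address by egress interface
route-map NAT-ISPA permit 10
 match ip address 150
 match interface Serial0/0
route-map NAT-ISPB permit 10
 match ip address 150
 match interface FastEthernet0/1
ip nat inside source route-map NAT-ISPA interface Serial0/0 overload
ip nat inside source route-map NAT-ISPB interface FastEthernet0/1 overload
!
interface FastEthernet0/0
 description Segment shared with the PIX outside interface
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
 ip policy route-map ISP-STEER
!
interface Serial0/0
 description T1 to ISP A
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 description DSL to ISP B
 ip address 198.51.100.2 255.255.255.0
 ip nat outside
!
! Normal routing: ISP A preferred, ISP B as a floating static (AD 250)
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 250
```

Check the steering with `show route-map ISP-STEER` (policy match counters) and the second NAT layer with `show ip nat translations`. As in the HSRP variant, failure detection here is by interface state only; a dead upstream behind a link that stays up needs active probing, which IOS provides on later releases through `ip sla` and `track`. Inbound traffic to the web server is a separate problem: it still arrives on whichever ISP's address the server is published under, so this arrangement protects outbound connectivity, not the server's reachability, if ISP A fails.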
