• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 750
  • Last Modified:

How to set 2 default gateways in a Cisco PIX 515E firewall ?

I have a Cisco PIX 515E firewall and i would like to set the firewall to have 2 default gateways with some weighting method.  Can this be done? If yes, how? Please provide detailed firewall commands and scripts.
0
viansoo
Asked:
viansoo
  • 4
  • 3
  • 2
1 Solution
 
lrmooreCommented:
No can do, my friend.
PIX can have 1 and only 1 default gateway. Remember that it is a firewall. It was built and designed for that one purpose. You're asking it to perform advanced routing functions which are not part of the PIX OS.
0
 
fatladCommented:
If both the "gateways" you wish to set up are Cisco routers why not configure them to use HSRP? That way the PIX will send traffic to the one you prefer until it fails. You can use the routers to route and the PIX as a firewall.
0
 
viansooAuthor Commented:
                                        Web Server
                                               |
                                 ________|____
                                           |
                                           |
                                Cisco PIX Firewall
                                        /        \
                                      /            \
                                    /                \
                              Broadband       Cisco
                                Modem          Router
                                    |                   |
                                    |                   |
                                    B                   A

A: Primary connection (leased line) from ISP A
B: Backup connection (broadband) from ISP B
                                     
The default gateway for the PIX firewall is through connection A.  If connection A fails, traffic will be automatically routed to connection B.  What is the best solution for this?
0
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

 
lrmooreCommented:
You basically have two options:
1. Get another Ethernet module for your Cisco router A, and connect the broadband modem to it. Use its capabilities for failover routing.
2. Get yet another router that has the failover routing capability and stick it in between the pix and the other two routers.
0
 
lrmooreCommented:
Are you still working on this? Do you need more information?
Can you close out this question?
0
 
fatladCommented:
As a thought could you not have the router advertise a default route in RIP and then use the PIX with a statically defined floating defualt route (with a higher AD than RIP). When the router stops sending RIP updates the static one will rise to the top.
0
 
viansooAuthor Commented:
Irmoore, you were saying, get an Ethernet module for my router and then connect the broadband modem to it, and use some sort of 'capabilities' for routing.  Can you explain more what these 'capabilities' are?  Tks.
0
 
fatladCommented:
If you new setup was:



                                        Web Server
                                               |
                                 ________|____
                                           |
                                           |
                                Cisco PIX Firewall
                                        /        \
                                      /            \
                                    /                \
                                 Cisco            Cisco
                                Router          Router
                                    |                   |
                                    |                   |
                                Modem              A
                                    |
                                    B

You could use a feature know as HSRP (Hot Swap routing protocol) that will allow the routers to create and share a virtual interface which can be used as the defualt gateway for the PIX. More info at: http://www.cisco.com/en/US/tech/tk648/tk362/tk321/tech_protocol_home.html

Hope that helps

FatLad

0
 
lrmooreCommented:
Assuming a Cisco router with both DSL to ISPB and T1 to ISPA, you can use different methods of providing load-sharing/balancing. From using equal-cost default routes with a double-nat approach, to using route-map and creative use of NAT pools/addresses on the PIX. Perhaps something like LAN group A gets NAT IP A and LAN group B gets NAT IP B. On the router end, anything coming out of the PIX with NAT IP A goes to ISPA, anything with NAT IP B goes out to ISPB... Now you will just have to layer a bit more intelligence in the router to know if link to ISPA is down, then all traffic goes out ISPB, and vice versa.
IOS gives you the flexibility to do any/all the above, where PIX is severely limited in its capabilities.

FatLad's suggestion of HSRP will work only if you add another router to the MIX just to connect to the broadband modem, and it will provide failover only, not load-sharing or load-balance. GLBP (Gateway Load Balancing Protocol) is more atune to provide that.. http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00801541c8.html

BTW:
HSRP = Hot Standby Router Protocol, not Hot Swap Routing Protocol
0

Featured Post

Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

  • 4
  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now