Solved

How to set 2 default gateways in a Cisco PIX 515E firewall ?

Posted on 2004-08-16
735 Views
Last Modified: 2013-11-16
I have a Cisco PIX 515E firewall and I would like to set the firewall to have 2 default gateways with some weighting method. Can this be done? If yes, how? Please provide detailed firewall commands and scripts.

Question by:viansoo

9 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 11810631
No can do, my friend.
PIX can have 1 and only 1 default gateway. Remember that it is a firewall. It was built and designed for that one purpose. You're asking it to perform advanced routing functions which are not part of the PIX OS.
 
LVL 3

Expert Comment

by:fatlad
ID: 11818347
If both the "gateways" you wish to set up are Cisco routers, why not configure them to use HSRP? That way the PIX will send traffic to the one you prefer until it fails. You can use the routers to route and the PIX as a firewall.
 

Author Comment

by:viansoo
ID: 11820603
                                        Web Server
                                               |
                                 ________|____
                                           |
                                           |
                                Cisco PIX Firewall
                                        /        \
                                      /            \
                                    /                \
                              Broadband       Cisco
                                Modem          Router
                                    |                   |
                                    |                   |
                                    B                   A

A: Primary connection (leased line) from ISP A
B: Backup connection (broadband) from ISP B
The default gateway for the PIX firewall is through connection A. If connection A fails, traffic will be automatically routed to connection B. What is the best solution for this?

 
LVL 79

Accepted Solution

by:lrmoore (earned 150 total points)
ID: 11820942
You basically have two options:
1. Get another Ethernet module for your Cisco router A, and connect the broadband modem to it. Use its capabilities for failover routing.
2. Get yet another router that has the failover routing capability and stick it in between the pix and the other two routers.
 
LVL 79

Expert Comment

by:lrmoore
ID: 12092769
Are you still working on this? Do you need more information?
Can you close out this question?
 
LVL 3

Expert Comment

by:fatlad
ID: 12110657
As a thought, could you not have the router advertise a default route in RIP and then use the PIX with a statically defined floating default route (with a higher AD than RIP)? When the router stops sending RIP updates the static one will rise to the top.
 

Author Comment

by:viansoo
ID: 12196879
lrmoore, you were saying, get an Ethernet module for my router and then connect the broadband modem to it, and use some sort of 'capabilities' for routing. Can you explain more what these 'capabilities' are? Tks.
 
LVL 3

Expert Comment

by:fatlad
ID: 12198208
If your new setup was:

                                        Web Server
                                               |
                                 ________|____
                                           |
                                           |
                                Cisco PIX Firewall
                                        /        \
                                      /            \
                                    /                \
                                 Cisco            Cisco
                                Router          Router
                                    |                   |
                                    |                   |
                                Modem              A
                                    |
                                    B

You could use a feature known as HSRP (Hot Swap routing protocol) that will allow the routers to create and share a virtual interface which can be used as the default gateway for the PIX. More info at: http://www.cisco.com/en/US/tech/tk648/tk362/tk321/tech_protocol_home.html

Hope that helps

FatLad

 
LVL 79

Expert Comment

by:lrmoore
ID: 12208042
Assuming a Cisco router with both DSL to ISPB and T1 to ISPA, you can use different methods of providing load-sharing/balancing. From using equal-cost default routes with a double-nat approach, to using route-map and creative use of NAT pools/addresses on the PIX. Perhaps something like LAN group A gets NAT IP A and LAN group B gets NAT IP B. On the router end, anything coming out of the PIX with NAT IP A goes to ISPA, anything with NAT IP B goes out to ISPB... Now you will just have to layer a bit more intelligence in the router to know if link to ISPA is down, then all traffic goes out ISPB, and vice versa.
IOS gives you the flexibility to do any/all the above, where PIX is severely limited in its capabilities.

FatLad's suggestion of HSRP will work only if you add another router to the mix just to connect to the broadband modem, and it will provide failover only, not load-sharing or load-balance. GLBP (Gateway Load Balancing Protocol) is more attuned to provide that.. http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00801541c8.html

BTW:
HSRP = Hot Standby Router Protocol, not Hot Swap Routing Protocol