Multiple Inputs for PIX firewall??

I have a Cisco2600 router and I have recently added and configured a new Serial Card with a T1 into it.  

I have one T1 in serial0/0 bound to Ethernet0/0  and one T1 in serial0/1:0 bound to Ethernet0/1

My question is...

  Now that I have two output lines from my router and only one input to my PIX firewall, do I need to add a card to the PIX to allow for another input, put a switch between the router and PIX, or something altogether different?

Thanks
Rowdyone52Asked:
lrmooreCommented:
It sort of depends on what you want to do with this 2nd T1.
The problem here is that the pix can only have 1 default gateway no matter how many interfaces you put in it.
Depending on what your goal is, you may be better off using just one Ethernet port on the router.
0
Rowdyone52Author Commented:
I have a 515PIX btw...

I shouldn't have a big problem with the single gateway limitation.  This is an interim solution.  We currently have 1 ISP for 1 T1 and another for the second.

I just need to have traffic come in the current T1 and go out the new T1.

In a few months the lines will become bonded T1's from one ISP only.  

For the 515 is there just a card I can add?
0
lrmooreCommented:
Yes, it is a PCI NIC
Part # PIX-1FE

I must say that this makes no sense whatsoever:
  >need to have traffic come in the current T1 and go out the new T1.
It does not work that way.

You are intentionally trying to create a routing loop? Have you thought through this whole scenario of using different IP addresses from different ISP's ?

0
Rowdyone52Author Commented:
I need advice, that's why I'm asking.  I know the 2600 side, I don't know PIX that well.
0
Rowdyone52Author Commented:
Different IP addresses from different ISPs is only till Dec.
0
lrmooreCommented:
So for now you have two different T1's from 2 different ISPs, and you want to do what?
Load share?
Load balance?
Failover?
Do you host any public servers, like smtp mail, www, ftp? They have static nat maps to public ip's from where? ISP#1?
Who controls your public DNS? When you make the permanent change to the new ISP you have to change all of these.

My suggestion would be to use a single Ethernet interface on the router, single default gateway on the PIX as you have it now. No reason to get another interface card for the PIX. Just use the advanced routing functions of the router (route-map, floating statics, whatever) to handle the traffic flow.

Can you explain this statement:
  > have one T1 in serial0/0 bound to Ethernet0/0  and one T1 in serial0/1:0 bound to Ethernet0/1
What is your definition of "binding" a serial to an ethernet? The only ways I know of are to use "ip unnumbered Ethernet x/x" on the serial interface, or bridge the two interfaces. If neither of these apply, then please explain so that I get a better understanding of your router setup. Else post the router config.
0
Rowdyone52Author Commented:
Basically it's an interim solution that I have been asked to produce.

We will have two ISPs until Dec 18th.  We basically want to get the new T1 online and use it since we're paying for it. Then in Dec we will move all of our DNS entries over to the new IP range and drop the first T1 and add a bonded T1 from the same ISP.

Below is my configuration.  Please give any suggestions on how to configure for the PIX, also if you see any problems please point them out. We are having some issues with the Serial0/1:0 being up and line protocol going down.  IOS version is 12.0(7)T

-------------------------------------------------------------------------------------------------------------------------------------------------------------------
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname ***
!
no logging console
enable password 7 ***
!
!
!
!
!
ip subnet-zero
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
isdn voice-call-failure 0
!
!
!
!
controller T1 0/1
 framing esf
 channel-group 0 timeslots 1-24 speed 64
!
controller T1 0/2
 shutdown
!
!
!
!
!
interface Ethernet0/0
 description connected to EthernetLAN
 ip address 207.203.135.1 255.255.255.224
 no ip directed-broadcast
 ip policy route-map Internet-route
!
interface Serial0/0
 description connected to Internet
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 service-module t1 remote-alarm-enable
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 description connected to Internet
 ip address 172.23.158.38 255.255.255.252
 no ip directed-broadcast
 frame-relay interface-dlci 566 IETF  
!
interface Ethernet0/1
 ip address 206.113.87.33 255.255.255.240
 no ip directed-broadcast
!
interface Serial0/1:0
 bandwidth 1536
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay IETF
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0/1:0.1 point-to-point
 bandwidth 1536
 ip unnumbered Ethernet0/1
 no ip directed-broadcast
 frame-relay interface-dlci 500 IETF  
!
router rip
 version 2
 passive-interface Serial0/0.1
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/1:0.1
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 0.0.0.0 0.0.0.0 172.23.158.37
no ip http server
!
access-list 10 permit 198.143.193.128 0.0.0.63
access-list 20 permit 64.105.241.88 0.0.0.7
route-map Internet-route permit 10
 match ip address 10
 set ip next-hop 208.247.7.222
!
route-map Internet-route permit 20
 match ip address 20
 set ip next-hop 64.105.241.89
!
snmp-server engineID local 00000009020000024B44DEA0
!
line con 0
 exec-timeout 0 0
 password 7 ***
 login
 transport input none
line aux 0
line vty 0 4
 password 7 ***
 login
!
end
0
lrmooreCommented:
Sorry for the delayed response...
You're on the right track with the route-maps, but the problem still lies with the PIX. It can only have one single default gateway.

First, all three of your default routes are the same cost. This is not suggested in your case:
>  ip route 0.0.0.0 0.0.0.0 Serial0/1:0.1
>  ip route 0.0.0.0 0.0.0.0 Serial0/0
>  ip route 0.0.0.0 0.0.0.0 172.23.158.37

Please drop 2 of the three. Suggest keeping only this one, if it points to your current ISP:
  >  ip route 0.0.0.0 0.0.0.0 172.23.158.37

Add a 2nd one to the new ISP, with a higher cost:
    ip route 0.0.0.0 0.0.0.0 Serial0/1:0.1 100
 OR:
    ip route 0.0.0.0 0.0.0.0 65.105.241.89 100  <== assuming this was provided by ISP2

This is what I would do, using only one Ethernet port to the PIX FW:
!
interface Ethernet0/0
  description to PIX FW
  ip address 207.203.135.1 255.255.255.224
  ip nat inside
  ip policy route-map Internet-route
!
interface Ethernet0/1
 shutdown
!
interface Serial0/1:0.1 point-to-point
 bandwidth 1536
 ip nat outside
 ip address 206.113.87.33 255.255.255.240
or:
  ip address 64.105.241.90 255.255.255.252
 no ip directed-broadcast
 frame-relay interface-dlci 500 IETF  
!
access-list 110 permit ip <group 2 global> <mask> any
ip nat inside source route-map NEWISP interface Serial0/1:0.1 overload
route-map NEWISP permit 10
 match ip address 110
!

!
access-list 10 remark PIX global group 1
access-list 10 permit 198.143.193.128 0.0.0.31
access-list 20 remark PIX global group 2
access-list 20 permit 198.143.193.160 0.0.0.31
!
route-map Internet-route permit 10
 match ip address 10
 set ip next-hop 208.247.7.222
!
route-map Internet-route permit 20
 match ip address 20
 set default interface serial0/1:0.1
!

On the PIX, you would set up two separate global pools, and separate the internal users into two groups to use the independent pools:
  global (outside) 1 198.143.193.130-198.143.193.157 netmask 255.255.255.224
  global (outside) 1 198.143.193.158
  global (outside) 2 198.143.193.161-198.143.193.189 netmask 255.255.255.224
  global (outside) 2 198.143.193.190
  nat (inside) 1 192.168.100.0 255.255.255.128
  nat (inside) 2 192.168.100.128 255.255.255.128
!

Nat 1 users go out the PIX, hit the router and go out the current ISP1 T1
Nat 2 users go out the PIX with a different global, hit the router, route-map says set interface Serial, which has NAT rule attached, nat rule only applies to this particular source IP, and sends it on its merry way to ISP2



0
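As an added illustration (not code from the thread), here is a small Python model of the router-side decision lrmoore describes above: Cisco wildcard-mask ACL matching, first-match route-map evaluation, and a check that every address in each PIX global pool is steered to the ISP that pool is meant for. The addresses are the ones posted in the answer; the original ACL 10 wildcard (0.0.0.63) is kept alongside the corrected 0.0.0.31 to show why the narrower mask matters, and the action strings are stand-ins for the IOS `set` clauses.

```python
import ipaddress

def acl_match(src, network, wildcard):
    """Cisco standard-ACL semantics: a 1 bit in the wildcard mask means 'don't care'."""
    s = int(ipaddress.IPv4Address(src))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (s & care) == (n & care)

# route-map Internet-route as corrected in the answer above: sequences are tried
# in order and the first match wins. Actions stand in for the IOS 'set' clauses.
ISP1_ACTION = "set ip next-hop 208.247.7.222"
ISP2_ACTION = "set default interface Serial0/1:0.1"
CORRECTED_MAP = [
    (10, ("198.143.193.128", "0.0.0.31"), ISP1_ACTION),
    (20, ("198.143.193.160", "0.0.0.31"), ISP2_ACTION),
]
# Same map with the wildcard from the original ACL 10 (0.0.0.63 covers .128-.191).
WIDE_MAP = [(10, ("198.143.193.128", "0.0.0.63"), ISP1_ACTION)] + CORRECTED_MAP[1:]

# Without a route-map match, traffic follows the remaining static default (ISP1).
DEFAULT_ROUTE = "ip route 0.0.0.0 0.0.0.0 172.23.158.37"

def policy_route(src, route_map=CORRECTED_MAP):
    """Return the action the router applies to a packet whose source is src."""
    for _seq, (network, wildcard), action in route_map:
        if acl_match(src, network, wildcard):
            return action
    return DEFAULT_ROUTE

# PIX global pools from the answer: pool id -> (first, last) global address, PAT address included.
PIX_GLOBALS = {1: ("198.143.193.130", "198.143.193.158"),
               2: ("198.143.193.161", "198.143.193.190")}
EXPECTED = {1: ISP1_ACTION, 2: ISP2_ACTION}

def pool_mismatches(route_map=CORRECTED_MAP):
    """List (pool, address, action) for each pool address steered to the wrong ISP."""
    bad = []
    for pool, (first, last) in PIX_GLOBALS.items():
        lo, hi = (int(ipaddress.IPv4Address(x)) for x in (first, last))
        for n in range(lo, hi + 1):
            ip = str(ipaddress.IPv4Address(n))
            action = policy_route(ip, route_map)
            if action != EXPECTED[pool]:
                bad.append((pool, ip, action))
    return bad

if __name__ == "__main__":
    print(policy_route("198.143.193.165"))  # pool 2 address: out Serial0/1:0.1 to ISP2
    print(len(pool_mismatches(WIDE_MAP)), "pool-2 addresses wrongly sent to ISP1 with 0.0.0.63")
```

With the wide wildcard, sequence 10 captures every pool 2 global before sequence 20 is reached, so all 30 of those addresses would leave via ISP1; with 0.0.0.31 the mismatch list is empty.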
