Rowdyone52
Multiple Inputs for PIX firewall??

I have a Cisco2600 router and I have recently added and configured a new Serial Card with a T1 into it.  

I have one T1 in serial0/0 bound to Ethernet0/0  and one T1 in serial0/1:0 bound to Ethernet0/1

My question is...

  Now that I have two output lines from my router and only one input to my PIX firewall, do I need to add a card to the PIX to allow for another input, put a switch between the router and PIX, or something altogether different?

Thanks
Les Moore

It sort of depends on what you want to do with this 2nd T1.
The problem here is that the pix can only have 1 default gateway no matter how many interfaces you put in it.
Depending on what your goal is, you may be better off using just one Ethernet port on the router.
Rowdyone52

ASKER

I have a 515PIX btw...

I shouldn't have a big problem with the single gateway limitation.  This is an interim solution.  We currently have 1 ISP for 1 T1 and another for the second.

I just need to have traffic come in the current T1 and go out the new T1.

In a few months the lines will become bonded T1's from one ISP only.  

For the 515 is there just a card I can add?
Yes, it is a PCI NIC
Part # PIX-1FE

I must say that this makes no sense whatsoever:
  >need to have traffic come in the current T1 and go out the new T1.
It does not work that way.

You are intentionally trying to create a routing loop? Have you thought through this whole scenario of using different IP addresses from different ISPs?

I need advice, that's why I'm asking.  I know the 2600 side, I don't know PIX that well.
Different IP addresses from different ISPs is only till Dec.
So for now you have two different T1's from 2 different ISPs, and you want to do what?
Load share?
Load balance?
Failover?
Do you host any public servers, like smtp mail, www, ftp? They have static nat maps to public ip's from where? ISP#1?
Who controls your public DNS? When you make the permanent change to the new ISP you have to change all of these.

My suggestion would be to use a single Ethernet interface on the router, single default gateway on the PIX as you have it now. No reason to get another interface card for the PIX. Just use the advanced routing functions of the router (route-map, floating statics, whatever) to handle the traffic flow.

Can you explain this statement:
  > have one T1 in serial0/0 bound to Ethernet0/0  and one T1 in serial0/1:0 bound to Ethernet0/1
What is your definition of "binding" a serial to an ethernet? The only ways I know of are to use "ip unnumbered Ethernet x/x" on the serial interface, or bridge the two interfaces. If neither of these apply, then please explain so that I get a better understanding of your router setup. Else post the router config..
Basically it's an interim solution that I have been asked to produce.

We will have two ISPs until Dec 18th.  We basically want to get the new T1 online and use it since we're paying for it. Then in Dec we will move all of our DNS entries over to the new IP range, drop the first T1 and add a bonded T1 from the same ISP.

Below is my configuration.  Please give any suggestions on how to configure for the PIX, and if you see any problems please point them out. We are having some issues with Serial0/1:0 being up and line protocol going down.  IOS version is 12.0(7)T

-------------------------------------------------------------------------------------------------------------------------------------------------------------------
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname ***
!
no logging console
enable password 7 ***
!
!
!
!
!
ip subnet-zero
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
isdn voice-call-failure 0
!
!
!
!
controller T1 0/1
 framing esf
 channel-group 0 timeslots 1-24 speed 64
!
controller T1 0/2
 shutdown
!
!
!
!
!
interface Ethernet0/0
 description connected to EthernetLAN
 ip address 207.203.135.1 255.255.255.224
 no ip directed-broadcast
 ip policy route-map Internet-route
!
interface Serial0/0
 description connected to Internet
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 service-module t1 remote-alarm-enable
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 description connected to Internet
 ip address 172.23.158.38 255.255.255.252
 no ip directed-broadcast
 frame-relay interface-dlci 566 IETF  
!
interface Ethernet0/1
 ip address 206.113.87.33 255.255.255.240
 no ip directed-broadcast
!
interface Serial0/1:0
 bandwidth 1536
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay IETF
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0/1:0.1 point-to-point
 bandwidth 1536
 ip unnumbered Ethernet0/1
 no ip directed-broadcast
 frame-relay interface-dlci 500 IETF  
!
router rip
 version 2
 passive-interface Serial0/0.1
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/1:0.1
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 0.0.0.0 0.0.0.0 172.23.158.37
no ip http server
!
access-list 10 permit 198.143.193.128 0.0.0.63
access-list 20 permit 64.105.241.88 0.0.0.7
route-map Internet-route permit 10
 match ip address 10
 set ip next-hop 208.247.7.222
!
route-map Internet-route permit 20
 match ip address 20
 set ip next-hop 64.105.241.89
!
snmp-server engineID local 00000009020000024B44DEA0
!
line con 0
 exec-timeout 0 0
 password 7 ***
 login
 transport input none
line aux 0
line vty 0 4
 password 7 ***
 login
!
end
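The thread's discussion turns on three things in the posted config: whether the default routes are "floating" statics (different administrative distances, so one is primary and the other backup) or simply equal-distance duplicates, whether the `set ip next-hop` targets in the policy route-map are on a directly connected subnet (which `set ip next-hop` requires), and whether the ACLs feeding the route-map could ever match traffic arriving on Ethernet0/0. The following Python checker is an added example, not part of the thread or of any Cisco tool; it parses a constructed excerpt of the config above (only the lines the checks need) and reports those three conditions as findings. A second constructed excerpt shows what the default-route check accepts when one static carries a higher distance, which is the floating-static arrangement Les Moore refers to.

```python
"""Static sanity checks over a Cisco IOS running-config excerpt (added example)."""
import ipaddress

# Constructed excerpt of the 2600 configuration posted above; only the lines the checks use.
ROUTER_CONFIG = """\
interface Ethernet0/0
 ip address 207.203.135.1 255.255.255.224
 ip policy route-map Internet-route
!
interface Serial0/0.1 point-to-point
 ip address 172.23.158.38 255.255.255.252
!
interface Ethernet0/1
 ip address 206.113.87.33 255.255.255.240
!
interface Serial0/1:0.1 point-to-point
 ip unnumbered Ethernet0/1
!
ip route 0.0.0.0 0.0.0.0 Serial0/1:0.1
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 0.0.0.0 0.0.0.0 172.23.158.37
!
access-list 10 permit 198.143.193.128 0.0.0.63
access-list 20 permit 64.105.241.88 0.0.0.7
route-map Internet-route permit 10
 match ip address 10
 set ip next-hop 208.247.7.222
!
route-map Internet-route permit 20
 match ip address 20
 set ip next-hop 64.105.241.89
"""

# Constructed alternative: one primary default and one floating static at distance 250
# (hypothetical values, chosen only to show what the check accepts).
FLOATING_STATICS = """\
ip route 0.0.0.0 0.0.0.0 Serial0/1:0.1
ip route 0.0.0.0 0.0.0.0 172.23.158.37 250
"""


def parse_config(text):
    """Collect connected subnets, default routes, standard ACLs, route-map entries
    and the interfaces a policy route-map is applied to."""
    cfg = {"connected": {}, "defaults": [], "acls": {}, "route_maps": {}, "policy": {}}
    iface = rmap = None
    for raw in text.splitlines():
        if not raw.startswith(" "):          # a non-indented line ends the current block
            iface = rmap = None
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            continue
        if tokens[0] == "interface":
            iface = tokens[1]
        elif tokens[:2] == ["ip", "address"] and iface:
            cfg["connected"][iface] = ipaddress.ip_network(f"{tokens[2]}/{tokens[3]}", strict=False)
        elif tokens[:3] == ["ip", "policy", "route-map"] and iface:
            cfg["policy"][iface] = tokens[3]
        elif tokens[:4] == ["ip", "route", "0.0.0.0", "0.0.0.0"]:
            ad = int(tokens[-1]) if tokens[-1].isdigit() else 1   # a static's default distance is 1
            cfg["defaults"].append((tokens[4], ad))
        elif tokens[0] == "access-list" and tokens[2] == "permit":
            if tokens[3] == "any":
                net = ipaddress.ip_network("0.0.0.0/0")
            elif tokens[3] == "host":
                net = ipaddress.ip_network(f"{tokens[4]}/32")
            else:                             # address + wildcard; ipaddress accepts a hostmask
                net = ipaddress.ip_network(f"{tokens[3]}/{tokens[4]}", strict=False)
            cfg["acls"][tokens[1]] = net
        elif tokens[0] == "route-map":
            rmap = (tokens[1], tokens[3])
            cfg["route_maps"][rmap] = {}
        elif tokens[:3] == ["match", "ip", "address"] and rmap:
            cfg["route_maps"][rmap]["acl"] = tokens[3]
        elif tokens[:3] == ["set", "ip", "next-hop"] and rmap:
            cfg["route_maps"][rmap]["next_hop"] = tokens[3]
    return cfg


def audit(cfg):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    distances = {ad for _, ad in cfg["defaults"]}
    if len(cfg["defaults"]) > 1 and len(distances) == 1:
        findings.append(f"{len(cfg['defaults'])} default routes all at administrative distance "
                        f"{distances.pop()}: equal paths, not primary/backup floating statics")
    connected = list(cfg["connected"].values())
    for (name, seq), entry in cfg["route_maps"].items():
        nh = entry.get("next_hop")
        if nh and not any(ipaddress.ip_address(nh) in net for net in connected):
            findings.append(f"route-map {name} {seq}: next-hop {nh} is not on any connected subnet, "
                            "which 'set ip next-hop' requires")
        acl = entry.get("acl")
        for iface, applied in cfg["policy"].items():
            if applied == name and acl in cfg["acls"] and iface in cfg["connected"]:
                src, local = cfg["acls"][acl], cfg["connected"][iface]
                if not src.overlaps(local):
                    findings.append(f"route-map {name} {seq}: ACL {acl} ({src}) does not overlap "
                                    f"{iface} ({local}); it matches only traffic translated into that range")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(ROUTER_CONFIG)):
        print("-", finding)
```

Run against the posted excerpt, the checker reports the three equal-distance default routes, both policy next-hops as not directly connected, and both ACL ranges as disjoint from the Ethernet0/0 subnet; the floating-static excerpt produces no findings. The checks are heuristics over an excerpt, so treat a finding as a prompt to confirm on the router (`show ip route`, `show route-map`), not as a verdict.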
ASKER CERTIFIED SOLUTION
Les Moore