Pix 515 with two ADSL Routers

Posted on 2005-05-13
Last Modified: 2013-11-16
I have a VPN working perfectly with a central office PIX 515 and five remote office PIX 501s. I also have several Cisco VPN Software Mobile Clients. There is one ADSL router in each office.

Now, I want to add another ADSL router in the central office in order to separate VPN traffic and Internet traffic from the central office. So, what I need is all the VPN traffic through Router A, and the rest through Router B.

I was thinking of setting static routes in the PIX 515 to the five remote offices' private IP ranges through one of the routers (Router A), and the default gateway through Router B.

Will this be enough? Do I need static routes to the public IPs of every remote office?

What about the Mobile Clients? Will it work if I add static routes to the IP pools assigned to them? Anything else needed?

I forgot to mention that if I have this VPN working just fine, it is 75% thanks to Experts Exchange (ok, 25% thanks to me :).

Question by:llandajuela

    Expert Comment


    Sounds like a good plan. Check out this link.

    You need static routes to the subnets behind the 501s; the routers will know which public IP address to send the packets to in order to get to the appropriate LAN. Make sense?

    Mobile clients? I don't see the relevance of that question. They plug in, wherever, get an IP, and the routers and firewalls do their thing. Nothing else to do there.


    LVL 79

    Accepted Solution

    > Do I need static routes to the public IPs of every remote office?
    Yes, you need static routes both for the remote LAN and for the public IP of each and every office, pointing to router A:

     route outside <LAN subnet remote1> <LAN netmask remote1> <ip router A>
     route outside <public ip of remote1> 255.255.255.255 <ip router A>
     route outside <public ip of remote2> 255.255.255.255 <ip router A>
     route outside <LAN subnet remote2> <LAN netmask remote2> <ip router A>
     route outside 0.0.0.0 0.0.0.0 <ip router B>

    > What about the Mobile Clients? Will it work if I add static routes to the IP pools assigned to them? Anything else needed?
    Ah, this is the challenge. Unless you know each user's home public IP address and create a static route entry for each remote user, they will continue to use the current Router B, because that's the default.

    Big question - are you getting both router A and router B public IP's in the same subnet? You can only assign a single public IP to the PIX outside interface, so all three will have to be in the same IP subnet.

    If you wait long enough, the new PIX 7.0 lets you create GRE tunnels to the remotes, and then you can use dynamic routing within the GRE tunnels. It's available for the 515 today, but not for the little 506 or 501s. 7.1 "lite" is just around the corner...
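    To make the accepted answer's point concrete, here is an added example (not from the thread, not Cisco's code) that models the PIX's longest-prefix route lookup in Python. All addresses are constructed placeholders: the two ADSL routers sit on the PIX outside subnet and PAT behind their own public IPs, as the author describes, so the PIX only points at their private addresses. The model assumes a site-to-site flow is routed twice, once on the cleartext destination (the remote LAN) and once on the ESP packet's destination (the remote PIX 501's public IP), which is why a LAN route alone is not enough to keep the tunnel off Router B.

```python
import ipaddress

# Constructed sample addressing (placeholders, not the thread's real sites).
# Both ADSL routers are on the PIX outside subnet and PAT to their own public
# IPs, so the PIX route table only references their private addresses.
ROUTER_A = "192.168.100.1"   # ADSL router reserved for VPN traffic
ROUTER_B = "192.168.100.2"   # ADSL router for general Internet traffic

# Hypothetical remote offices: LAN behind each PIX 501 and its public address.
REMOTE_OFFICES = {
    "remote1": {"lan": "10.1.1.0/24", "public": "203.0.113.10"},
    "remote2": {"lan": "10.1.2.0/24", "public": "198.51.100.20"},
}


def build_route_table(include_peer_routes=True):
    """Return (network, gateway, label) tuples mirroring PIX 'route outside' lines.

    include_peer_routes=False models the mistake of routing only the remote LANs
    and forgetting the /32 routes to each remote PIX 501's public address.
    """
    routes = []
    for name, site in REMOTE_OFFICES.items():
        routes.append((ipaddress.ip_network(site["lan"]), ROUTER_A, f"{name} LAN"))
        if include_peer_routes:
            peer = ipaddress.ip_network(f"{site['public']}/32")
            routes.append((peer, ROUTER_A, f"{name} IPsec peer"))
    # Default route last: anything unmatched, including mobile clients at
    # unknown home addresses, leaves through Router B.
    routes.append((ipaddress.ip_network("0.0.0.0/0"), ROUTER_B, "default"))
    return routes


def next_hop(routes, dst):
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, label in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, label)
    return best


def vpn_egress(routes, inner_dst, peer_public):
    """Gateways used by one site-to-site flow (modelled, see lead-in).

    The cleartext packet is routed on its inner destination (the remote LAN);
    once wrapped in ESP it is addressed to the peer's public IP and routed
    again. Both lookups must land on Router A for the tunnel to avoid Router B.
    """
    inner = next_hop(routes, inner_dst)[1]
    outer = next_hop(routes, peer_public)[1]
    return inner, outer


def pix_route_lines(routes):
    """Render the table as PIX 6.x 'route outside <net> <mask> <gw>' commands."""
    return [f"route outside {net.network_address} {net.netmask} {gw}"
            for net, gw, _ in routes]


if __name__ == "__main__":
    table = build_route_table()
    for line in pix_route_lines(table):
        print(line)
    # A mobile client at a constructed, unknown home address falls to Router B.
    print(next_hop(table, "192.0.2.77"))
```

    Running it prints the five `route outside` commands and shows that the mobile client's address resolves to the default route, which matches the answer above: without a per-user /32 route there is nothing more specific for the PIX to prefer.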

    LVL 1

    Expert Comment

    A network map would help. I'm wondering what offices have servers, and how the connections at the central office to the Internet are.

    > 7.1 "lite" is just around the corner...
    Good to know - thanks.


    Author Comment

    Thank you guys for your answers !

    Let's see, to lrmoore, as usual your answers are very useful. I'm afraid I will not be able to have a list of the public IPs used by the mobile clients; they move around a lot. It's ok, their traffic is not that important; I'll be happy if I can separate at least the remote offices' traffic.

    About the public IPs of Router A and B, no, they're not in the same subnet. But both routers are performing NAT (well, what Cisco calls PAT). So the private IPs of Routers A and B and the outside interface of the PIX are on the same subnet (private range).

    To matthew:

    No servers are in the remote offices, just two servers in the central one.

    Remote office 1       Remote Office 2    .....

    Internal LAN             ....
      PIX 501
      Router ADSL
      |            |
      |               |
      |                   |
      |                       |
      Router A      Router B
            |               |
            |               |
               PIX 515
               Internal LAN

           Central Office

    LVL 1

    Expert Comment

    Ok.  Just

     route outside 0.0.0.0 0.0.0.0 <ip router B>

    should do the trick; the VPN config should take care of continuing to route everything else through router A.

    Proviso: are any servers at the central office accessed OTHER than over the VPN? I'm assuming not.
