Router to firewall network setup

itwanlan asked
Medium Priority
Last Modified: 2010-04-17
Hello Experts,

I am currently working on configuring a network diagram that will be ISP1/ISP2--->2621---->PIX 506E---->2912. I want to run NAT and terminate VPN clients on the PIX. I have 2 FE and 1 NM-1E on the 2621 to allow ISP1 and ISP2 (ADSL) connections to the 2621. The reason is that I want to have some sort of failover/load balancing if possible.

My confusion point right now is the IP addressing on the 2621.
If I have static IPs from both ISPs and I'm going to NAT on the PIX, what would my IPs be on the 2621 internal interface and PIX external interface? I am assuming on the 2621 there will need to be static routes from the external interfaces to the internal interface.

  As I see it, you can do this in one of two ways. You can build both sets of IPs on the external and internal interfaces of the 2621 and the external interface(s) of the PIX. Then build NAT maps for both sets of IPs. Swapping the routing from one ISP to the other will probably be a manual process but you might be able to configure something dynamic in the PIX.
   The other way is the professional, but much more complex, solution. Get IPs from ISP1 and run BGP on the 2621. ISP1 gives you the IPs, they will already have them routed to you. With a BGP session to ISP2 (and permission from ISP1) they can route ISP1's IPs to you as well if the other circuit goes down. If neither ISP will give you permission to route their IPs through another ISP then you can try getting your own AS and IP space. Then you'll need BGP sessions to both.
   The first solution is way easier but the second doesn't require any manual intervention for fail-over.

Sr. Systems Engineer
Top Expert 2008
Since both feeds are DSL, you have no option to use the "right" solution of BGP.
Since both feeds are Ethernet, you don't really need another router.
However, since the PIX can only have one default route out, you need the router to consolidate paths.

Having said that, I'm a big fan of Cisco and PIX, but in this case they don't make the right product unless you look at the Linksys division and their RV0x series. You might want to check out the RV016 product that would replace all three of your devices. No 2600, no PIX, no 2912 switch.
Automagic load-balancing/failover between the two DSL feeds and a fair SPI firewall and 10/100 switch all put together.

Another alternative is the Adtran Netvanta 1500 series all in one switch/router/firewall which also does load balancing over two (or more) Ethernet feeds


Thank you both for excellent answers. I have been doing some heavy research on this all morning and would love to be able to use the Cisco equipment if at all possible. Is it at all possible to use floating static routes with different administrative distance for each ISP? So if the main ISP goes down it will route all packets out of the other ISP link. There will be no services running behind this setup such as a web server or anything else that will need BGP. If this is a possibility, how would the PIX know about a different default GW if the main ISP goes down?

I know this is an extension of the main question so I will raise the points.


Not that I am suggesting BGP for this application at all but why do you think you can't use BGP with DSL?
Les Moore, Sr. Systems Engineer
Top Expert 2008

>If this is a possibility how would the PIX know about a different default GW if the main ISP goes down.
It won't matter because the PIX will always send default traffic to the router.

>Is it at all possible to use floating static routes with different administrative distance for each ISP?
Yes, but you have to double-NAT so that you NAT outbound traffic to the 2nd ISP, because you would assign the first ISP's public IP to the outside of the PIX.

Issues are that since the DSL modem is handing you off Ethernet, you have no way to know if the DSL side is down or not. There would be no interface event to change the routes to the backup link. You have to resort to other methods that complicate the scenario even further.
Then you have inbound services like www or email to worry about with 2 different possible public IP addresses.

>why do you think you can't use BGP with DSL?
DSL is designed as a commodity/soho provider and I've never yet seen a DSL provider that would play BGP with a customer unless it was a high-bandwidth business-grade circuit and even then they only wanted to use static defaults.
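
As an added example (not configuration from any of the posters or from Cisco), here is one way to build the floating-static failover that itwanlan asks about and the router-side second NAT layer that lrmoore describes, with the "no interface event" problem handled by an IP SLA probe and object tracking instead of interface state. Everything concrete is an assumption made up for the example: ISP1 hands the router a /30 WAN link plus a routed /29 that lands on the router-to-PIX segment (the PIX outside address lives in that /29), ISP2 hands off a single /30, the interface assignments follow the 2 FE + NM-1E hardware in the question, and 203.0.113.53 stands in for some host that is only reachable through ISP1. The `ip sla` and `track ... ip sla ... reachability` keywords are those of IOS 12.4(20)T and later; older images on a 2621 spell them `ip sla monitor` (or `rtr`) and `track ... rtr ... reachability`.

```cisco
! Added example configuration for the 2621 (not from the thread).
! Assumed addressing (documentation ranges, constructed for this example):
!   ISP1 WAN /30 on Fa0/0: router 203.0.113.2, ISP1 gateway 203.0.113.1
!   ISP1 routed block 203.0.113.8/29 on the router-to-PIX segment (Eth1/0):
!     router 203.0.113.9, PIX outside 203.0.113.10
!   ISP2 (DSL, Ethernet hand-off) on Fa0/1: router 198.51.100.2, gateway 198.51.100.1
!   Probe target 203.0.113.53: assumed to be a host reachable through ISP1
!     (for instance an ISP1 resolver); pinging only the gateway would just
!     test the modem hop, not the DSL circuit behind it.

interface FastEthernet0/0
 description ISP1 (primary DSL, bridged modem)
 ip address 203.0.113.2 255.255.255.252
 ! no "ip nat outside" here: traffic via ISP1 keeps the PIX's ISP1 address

interface FastEthernet0/1
 description ISP2 (backup DSL, bridged modem)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside

interface Ethernet1/0
 description PIX 506E outside
 ip address 203.0.113.9 255.255.255.248
 ip nat inside

! --- Liveness probe for ISP1 ---
! The Ethernet hand-off from the modem stays "up" when DSL sync is lost,
! so the probe result, not the interface state, drives the failover.
ip sla 1
 icmp-echo 203.0.113.53 source-interface FastEthernet0/0
 timeout 1000
 frequency 10
ip sla schedule 1 life forever start-time now

! Pin the probe target to ISP1, otherwise after a failover the probe would
! be answered via ISP2 and ISP1 would look healthy again.
ip route 203.0.113.53 255.255.255.255 203.0.113.1

track 1 ip sla 1 reachability
 delay down 30 up 60

! --- Floating static defaults ---
! The primary default (administrative distance 1) is withdrawn while
! track 1 is down; the ISP2 default with distance 10 is then the best
! route, and drops out again once the primary is reinstalled.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10

! --- Second NAT layer for the backup path (the "double-NAT") ---
! The PIX already translates inside hosts to 203.0.113.10 (ISP1 space).
! Sent out via ISP2 that source address would be filtered upstream, so
! translate it once more to the Fa0/1 address, but only for packets that
! are actually being forwarded out Fa0/1.
access-list 101 permit ip 203.0.113.8 0.0.0.7 any
route-map VIA-ISP2 permit 10
 match ip address 101
 match interface FastEthernet0/1
ip nat inside source route-map VIA-ISP2 interface FastEthernet0/1 overload
```

The PIX needs nothing special: its single default route points at 203.0.113.9 (PIX 6.x syntax `route outside 0.0.0.0 0.0.0.0 203.0.113.9 1`), which is why the router rather than the PIX decides which ISP is in use. `show track 1` and `show ip route` show which default is installed at any moment. The `delay` values trade failover speed against flapping on a lossy line. As the thread says, this only covers outbound traffic: anything published on ISP1 addresses is unreachable while ISP1 is down.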


Thank you for clearing those questions up, lrmoore.

Thank you both for your answers.