Using 2 internet connections at a time

Posted on 2006-05-22
Last Modified: 2010-03-19
We have 2 different internet connections coming into our building. A 5 meg DSL line and a full T1.

Currently we have everything going through the DSL, including 2 VPN connections coming from remote locations. The DSL connects to a PIX firewall which handles all the routing, with a Win2k3 server acting as DHCP.

We'll be taking over our own webhosting and email within the week and using the T1 for that.

The T1 would be fine for handling all of the traffic into and out of the building, but I have to admit the download speeds we get on the DSL are pretty nice.

Is there a way I can hook both of these lines up to our network and still be protected by the firewall? Maybe just set it to route all traffic from internal addresses to the DSL line and all traffic from exposed (but behind the firewall still) external addresses through the T1?

Thanks a lot,

Question by:scottmcb
    LVL 2

    Expert Comment

    If you have enough interfaces on the firewall you can use policy routing to group the traffic as you described.  It will let you route by source address as well as destination address.
    LVL 28

    Expert Comment

    I've got a similar setup at home :D (mostly just wanted to see that I can do it)
    basically it's pretty simple:
    you keep 2 separate networks, one for each ISP, each network with its own gateway/firewall
    then you route your http and email hosting through one of them, as you normally would (the firewall will protect it), and then you route anything else through the other gateway.
    of course, you cannot access an ip through both lines from the same pc at the same time, but you can access 2 different external ip addresses from the same pc at the same time. it's all about routing ;)
    LVL 1

    Expert Comment

    Are both connections from the same ISP?  Are both of them going through the same router or do you have 2 different routers?  Do both of them go through the same firewall?

    You could set up a DMZ for your web servers and whatever other servers you need accessed by the web.  Set up the external IP of the T1 to be routed to the DMZ.  Then set up the other interface (DSL) to be the main network for your VPNs and your outbound traffic.  If developers need to get to those web servers you could set up a rule to allow your private internal main network to the private DMZ network.

    This is how we have our web servers set up.

    Author Comment

    Different ISPs.

    Here's the layout.

    T1->Nothing (nothing's connected yet)
    DSL->Pix506e Slot 0
    Pix506e Slot 1 -> Internal network

    There are no extra ports on the firewall.

    Anyone have any input on the following idea?

    T1->Some generic router
    DSL->Some generic router
    Some generic router->Pix506e Slot 0
    Pix506e Slot 1 -> Internal network

    And then configure the Pix to route the traffic to different gateways? Is that even possible?

    Thanks a ton!
    LVL 2

    Expert Comment

    Yes, still using policy routes.  I have only done it on Cisco routers (2600 and 3600).  My PIX setups have always been simpler.

    I will look up the syntax later. Hopefully someone else can chime in and save time.
    LVL 32

    Accepted Solution

    First of all, it is impossible to do with the PIX Firewall, since it allows only a single 'outside' interface. Now, what you are asking can be done if you have an extra router to fit into the diagram. Something like this:

                                Router---------PIX------------Internal Network.

    On the router, you can enable policy routing such that all outgoing connections go through DSL and all incoming traffic from T1 goes through the same (you might need to set up your web servers on a DMZ or at least in a different subnet). In this setup, you can even use 'failover' in case any of the links goes down.
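
A sketch of the router side of the layout in the accepted solution, added here as an example and not posted by anyone in the thread. Every interface name and address is a constructed assumption (documentation ranges); it assumes the PIX translates the web/mail servers into the T1 provider's block and everything else into the DSL provider's block, so the router can choose the exit link by source address.

```ios
! Constructed addressing, all assumptions:
!   T1 provider block (PIX statics for web/mail) : 203.0.113.0/28
!   DSL provider block (PIX global/PAT pool)     : 198.51.100.0/29
!   T1 provider next hop  : 192.0.2.1
!   DSL provider next hop : 192.0.2.5
!   Transit link to PIX   : router 10.255.0.1, PIX outside 10.255.0.2
!
interface Serial0/0
 description T1 link
 ip address 192.0.2.2 255.255.255.252
!
interface Ethernet0/1
 description DSL link
 ip address 192.0.2.6 255.255.255.252
!
interface FastEthernet0/0
 description Transit to PIX outside interface
 ip address 10.255.0.1 255.255.255.252
 ! Policy routing is applied where packets ENTER the router from the PIX
 ip policy route-map EGRESS-BY-SOURCE
!
access-list 101 remark Sources translated into the T1 block (web and mail servers)
access-list 101 permit ip 203.0.113.0 0.0.0.15 any
!
! Packets sourced from the T1 block always leave via the T1, so replies
! to inbound web/mail sessions return on the link they arrived on and
! never hit the DSL provider's source-address filtering.
route-map EGRESS-BY-SOURCE permit 10
 match ip address 101
 set ip next-hop 192.0.2.1
!
! Anything the route-map does not match falls back to the routing table:
! default route via DSL for ordinary outbound traffic.
ip route 0.0.0.0 0.0.0.0 192.0.2.5
!
! Both public blocks are reached through the PIX outside interface.
ip route 203.0.113.0 255.255.255.240 10.255.0.2
ip route 198.51.100.0 255.255.255.248 10.255.0.2
```

The PIX still sees a single outside interface and a single default route (10.255.0.1 in this sketch), and it remains the only path between either provider and the internal network.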

    LVL 2

    Expert Comment

    Why couldn't the PIX be used with a switch and have two gateways?  The policy routes can be used to set the next hop on IOS, and I thought the PIX OS was compatible in this regard.
    LVL 32

    Expert Comment


    PIX OS is completely different than IOS, so as you have mentioned, you will need to add 2 default routes in the PIX, which it *won't* allow. The PIX firewall is one of the firewalls which allows only one *outside* interface for communication, unfortunately.

