scottmcb

Using 2 internet connections at a time

We have 2 different internet connections coming into our building. A 5 meg DSL line and a full T1.

Currently we have everything going through the DSL, including 2 VPN connections coming from remote locations. The DSL connects to a PIX firewall which handles all the routing, with a Win2k3 server acting as DHCP.

We'll be taking over our own webhosting and email within the week and using the T1 for that.

The T1 would be fine for handling all of the traffic into and out of the building, but I have to admit the download speeds we get on the DSL are pretty nice.

Is there a way I can hook both of these lines up to our network and still be protected by the firewall? Maybe just set it to route all traffic from internal addresses to the DSL line and all traffic from exposed (but still behind the firewall) external addresses through the T1?

Thanks a lot,
Scott

chedlin

If you have enough interfaces on the firewall you can use policy routing to group the traffic as you described.  It will let you route by source address as well as destination address.
I've got a similar setup at home :D (mostly just wanted to see that I can do it)
basically it's pretty simple:
you keep 2 separate networks for each ISP. each network with its own gateway/firewall
then you route your http and email hosting through one of them, as you normally would (the firewall will protect it). and then you reroute anything else through the other gateway.
of course, you cannot access an ip through both lines from the same pc at the same time. but you can access 2 different external ip addresses from the same pc at the same time. it's all about routing ;)
Are both connections from the same ISP?  Are both of them going through the same router or do you have 2 different routers?  Do both of them go through the same firewall?

You could set up a DMZ for your web servers and whatever other servers you need accessed by the web.  Set up the external IP of the T1 to be routed to the DMZ.  Then set up the other interface (DSL) to be the main network for your VPNs and your outbound traffic.  If developers need to get to those web servers you could set up a rule to allow your private internal main network to the private DMZ network.

This is how we have our web servers setup.
scottmcb

ASKER

Different ISPs.

Here's the layout.

T1->Nothing (nothing's connected yet)
DSL->Pix506e Slot 0
Pix506e Slot 1 -> Internal network


There are no extra ports on the firewall.

Anyone have any input on the following idea?

T1->Some generic router
DSL->Some generic router
Some generic router->Pix506e Slot 0
Pix506e Slot 1 -> Internal network

And then configure the Pix to route the traffic to different gateways? Is that even possible?

Thanks a ton!
Yes, still using policy routes.  I have only done it on Cisco routers (2600 and 3600).  My PIX setups have always been simpler.

I will lookup the syntax later. Hopefully someone else can chime in and save time.
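
The source-based policy routing discussed in this thread, sketched for an IOS router placed in front of the PIX outside interface (scottmcb's "generic router" layout), as an added example that is not part of any original post. All addresses, interface names, the ACL number and the route-map name are constructed assumptions; the ACL matches the translated (post-PIX) source addresses, so inbound traffic on either line still has to pass the firewall.

```cisco
! Added example, constructed values (documentation address ranges):
!   198.51.100.0/28  assumed T1 ISP block, used by the PIX static
!                    translations for the hosted web/mail servers
!   203.0.113.0/28   assumed DSL ISP block, used for the PIX outside
!                    address and for outbound PAT of internal hosts
!   192.0.2.1        assumed next hop on the T1 side
!   192.0.2.129      assumed next hop on the DSL side
!
interface FastEthernet0/0
 description Segment shared with the PIX outside interface
 ip address 203.0.113.1 255.255.255.240
 ip address 198.51.100.1 255.255.255.240 secondary
 ! Policy routing is applied to packets arriving FROM the PIX
 ip policy route-map DUAL-ISP
!
! Do not policy-route traffic between the two local blocks
access-list 110 deny   ip 198.51.100.0 0.0.0.15 203.0.113.0 0.0.0.15
! Anything else sourced from the T1 block is server traffic
access-list 110 permit ip 198.51.100.0 0.0.0.15 any
!
route-map DUAL-ISP permit 10
 match ip address 110
 set ip next-hop 192.0.2.1
!
! Packets that match no route-map clause use the routing table,
! so internal users (PAT'd to the DSL block) leave via the DSL line
ip route 0.0.0.0 0.0.0.0 192.0.2.129
```

With this layout the PIX keeps a single outside interface and a single default route pointing at the router, and the choice of ISP is made entirely by source address on the router.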
ASKER CERTIFIED SOLUTION
rsivanandan
This solution is only available to members.
Why couldn't the PIX be used with a switch and have two gateways?  The policy routes can be used to set the next hop on IOS, and I thought the PIX OS was compatible in this regard.
Chedlin,

  PIX OS is completely different than IOS, so as you have mentioned, you will need to add 2 default routes in the PIX which it *won't* allow. PIX firewall is one of the firewalls which allows only to have one *outside* interface communication unfortunately.

Cheers,
Rajesh