
  • Status: Solved
  • Priority: Medium
  • Security: Public

Using 2 internet connections at a time

We have 2 different internet connections coming into our building. A 5 meg DSL line and a full T1.

Currently we have everything going through the DSL including 2 VPN connections coming from remote locations. The DSL connects to a PIX firewall which handles all the routing with a Win2k3 server acting as DHCP.

We'll be taking over our own webhosting and email within the week and using the T1 for that.

The T1 would be fine for handling all of the traffic into and out of the building, I have to admit the download speeds we get on the DSL are pretty nice.

Is there a way I can hook both of these lines up to our network and still be protected by the firewall? Maybe just set it to route all traffic from internal addresses to the DSL line and all traffic from exposed (but behind the firewall still) external addresses through the T1?

Thanks a lot,

1 Solution
If you have enough interfaces on the firewall you can use policy routing to group the traffic as you described.  It will let you route by source address as well as destination address.
I've got a similar setup at home :D (mostly just wanted to see that I can do it)
basically it's pretty simple:
you keep 2 separate networks for each ISP. each network with its own gateway/firewall
then you route your http and email hosting through one of them, as you normally would (the firewall will protect it). and then you route anything else through the other gateway.
of course, you cannot access an ip through both lines from the same pc at the same time. but you can access 2 different external ip addresses from the same pc at the same time. it's all about routing ;)
Are both connections from the same ISP?  Are both of them going through the same router or do you have 2 different routers?  Do both of them go through the same firewall?

You could set up a DMZ for your web servers and whatever other servers you need accessed by the web.  Set up the external IP of the T1 to be routed to the DMZ.  Then set up the other interface (DSL) to be the main network for your VPNs and your outbound traffic.  If developers need to get to those web servers you could set up a rule to allow your private internal main network to the private DMZ network.

This is how we have our web servers set up.

scottmcb (Author) commented:
Different ISPs.

Here's the layout.

T1->Nothing (nothing's connected yet)
DSL->Pix506e Slot 0
Pix506e Slot 1 -> Internal network

There are no extra ports on the firewall.

Anyone have any input on the following idea?

T1->Some generic router
DSL->Some generic router
Some generic router->Pix506e Slot 0
Pix506e Slot 1 -> Internal network

And then configure the Pix to route the traffic to different gateways? Is that even possible?

Thanks a ton!
Yes, still using policy routes.  I have only done it on Cisco routers (2600 and 3600).  My PIX setups have always been simpler.

I will look up the syntax later. Hopefully someone else can chime in and save time.
First of all, it is impossible to do with the PIX Firewall since it allows only a single 'outside' interface. Now, what you are asking can be done if you have an extra router to fit into the diagram. Something like this:

                            Router---------PIX------------Internal Network.

On the router, you can enable policy routing such that all outgoing connections go through DSL and all incoming traffic from T1 goes through the same (you might need to set up your web servers on a DMZ or at least in a different subnet). In this setup, you can even use 'failover' in case either of the links goes down.

Why couldn't the PIX be used with a switch and have two gateways?  The policy routes can be used to set the next hop on IOS, and I thought the PIX OS was compatible in this regard.

PIX OS is completely different than IOS, so as you have mentioned, you will need to add 2 default routes in the PIX, which it *won't* allow. PIX firewall is one of the firewalls which allows only one *outside* interface for communication, unfortunately.
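
The router-in-front-of-the-PIX layout suggested in the thread, written out as Cisco IOS source-based policy routing. This is an added example, not configuration posted by anyone in the thread. The interface names, ACL number, route-map name and all addresses (RFC 5737 documentation ranges) are assumptions, as is the PIX translating the web/mail servers to T1-assigned addresses and everything else to a DSL-assigned address.

```cisco
! Constructed addressing (placeholders, not from the thread):
!   203.0.113.0/29   T1 ISP block; PIX static translations for web/mail servers
!   192.0.2.1        T1 ISP next hop
!   198.51.100.1     DSL ISP next hop
!
! The router sits outside the PIX, so it sees post-translation source
! addresses. Match the T1-assigned server addresses here, not the
! private inside addresses.
access-list 110 remark Replies from hosted web/mail servers
access-list 110 permit ip 203.0.113.0 0.0.0.7 any
!
! Server traffic must leave via the ISP that owns its source address;
! the other ISP is likely to drop it under ingress (anti-spoofing) filtering.
route-map ISP-SELECT permit 10
 match ip address 110
 set ip next-hop 192.0.2.1
!
! Packets that match no route-map clause are routed normally, so office
! and VPN traffic follows the default route out the DSL line.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Policy routing is applied where the traffic ENTERS the router:
! the interface facing the PIX outside interface.
interface FastEthernet0/1
 description To PIX outside interface
 ip policy route-map ISP-SELECT
!
! T1 and DSL uplinks (addressing per each ISP's assignment)
interface Serial0/0
 description T1 to ISP A
!
interface FastEthernet0/0
 description DSL to ISP B
```

`show route-map ISP-SELECT` reports per-clause match counters, which confirms whether server replies are actually taking the T1 path. The PIX remains the only stateful filter in this layout, so its rules for the T1-assigned static translations should permit only the hosted services.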

