Using 2 internet connections at a time

We have 2 different internet connections coming into our building. A 5 meg DSL line and a full T1.

Currently we have everything going through the DSL, including 2 VPN connections coming from remote locations. The DSL connects to a PIX firewall which handles all the routing, with a Win2k3 server acting as DHCP.

We'll be taking over our own webhosting and email within the week and using the T1 for that.

The T1 would be fine for handling all of the traffic into and out of the building, I have to admit the download speeds we get on the DSL are pretty nice.

Is there a way I can hook both of these lines up to our network and still be protected by the firewall? Maybe just set it to route all traffic from internal addresses to the DSL line and all traffic from exposed (but behind the firewall still) external addresses through the T1?

Thanks a lot,

rsivanandan Commented:
First of all, it is impossible to do with a PIX firewall since it allows only a single 'outside' interface. Now, what you are asking can be done if you have an extra router to fit into the diagram. Something like this:

                            Router---------PIX------------Internal Network.

On the router, you can enable policy routing such that all outgoing connections go through DSL and all incoming traffic from T1 goes through the same (you might need to set up your webservers on a DMZ or at least in a different subnet). In this setup, you can even use 'failover' in case any of the links goes down.

If you have enough interfaces on the firewall you can use policy routing to group the traffic as you described. It will let you route by source address as well as destination address.

I've got a similar setup at home :D (mostly just wanted to see that I can do it)
Basically it's pretty simple:
You keep 2 separate networks for each ISP, each network with its own gateway/firewall.
Then you route your HTTP and email hosting through one of them, as you normally would (the firewall will protect it), and then you reroute anything else through the other gateway.
Of course, you cannot access an IP through both lines from the same PC at the same time. But you can access 2 different external IP addresses from the same PC at the same time. It's all about routing ;)
Are both connections from the same ISP? Are both of them going through the same router or do you have 2 different routers? Do both of them go through the same firewall?

You could set up a DMZ for your web servers and whatever other servers you need accessed by the web. Set up the external IP of the T1 to be routed to the DMZ. Then set up the other interface (DSL) to be the main network for your VPNs and your outbound traffic. If developers need to get to those web servers you could set up a rule to allow your private internal main network to the private DMZ network.

This is how we have our web servers set up.

scottmcb (Author) Commented:
Different ISPs.

Here's the layout.

T1->Nothing (nothing's connected yet)
DSL->Pix506e Slot 0
Pix506e Slot 1 -> Internal network

There are no extra ports on the firewall.

Anyone have any input on the following idea?

T1->Some generic router
DSL->Some generic router
Some generic router->Pix506e Slot 0
Pix506e Slot 1 -> Internal network

And then configure the Pix to route the traffic to different gateways? Is that even possible?

Thanks a ton!

Yes, still using policy routes. I have only done it on Cisco routers (2600 and 3600). My PIX setups have always been simpler.

I will look up the syntax later. Hopefully someone else can chime in and save time.

Why couldn't the PIX be used with a switch and have two gateways? The policy routes can be used to set the next hop on IOS, and I thought the PIX OS was compatible in this regard.

PIX OS is completely different from IOS, so as you have mentioned, you will need to add 2 default routes in the PIX, which it *won't* allow. The PIX firewall is one of the firewalls which allows only one *outside* interface communication, unfortunately.
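
The policy routing described in the answers above, sketched as a Cisco IOS configuration fragment for a router placed in front of the PIX. This is an added example, not a configuration posted by anyone in the thread; the interface name, route-map name, ACL number and all addresses (RFC 5737 documentation ranges) are assumptions, and NAT and the PIX rules for the servers are outside its scope.

```cisco
! Added example; every name and address below is constructed.
! Assumptions:
!   198.51.100.0/28  public block from the T1 ISP, used for the web/mail servers
!   203.0.113.1      T1 ISP next hop
!   192.0.2.1        DSL ISP next hop
!   FastEthernet0/0  router interface facing the PIX 'outside' interface
!
access-list 110 remark Replies from the hosted servers leave via the T1
access-list 110 permit ip 198.51.100.0 0.0.0.15 any
!
route-map SERVERS-VIA-T1 permit 10
 match ip address 110
 set ip next-hop 203.0.113.1
!
interface FastEthernet0/0
 description To PIX 506E outside interface
 ip policy route-map SERVERS-VIA-T1
!
! Anything the route-map does not match is forwarded by the routing
! table, so general outbound traffic follows the default route to DSL.
ip route 0.0.0.0 0.0.0.0 192.0.2.1
```

Because the PIX still sits between this router and the internal network, every flow on either line continues to pass through the firewall's single outside interface.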
