How do we setup dual routes to the Internet?

Posted on 2008-11-17
Medium Priority
Last Modified: 2012-08-13
user pcs -- switch -- gateway router -- pix -- edge router -- vendor router -- Internet
                                                                                  |__ vendor cable modem --  Internet

Our current access to the Internet is shown on the first line.  We want to add a cable broadband link which also goes to the Internet as shown on the second line.  On the cable link we want to allow a small subset of user pcs to surf through this link while still allowing the rest of the users to continue as before.

The edge router has two Fast Ethernet ports.
All equipment is Cisco brand.
PAT is performed at the PIX.

Question 1:
Is this a workable idea?

Question 2:
We are assuming if it is workable then some routing entries and ACLs would be made to the edge router.

Question 3:
Is there a better method to accomplish this?  How?

Question by:dalva
  • 3
  • 2
LVL 15

Expert Comment

ID: 22981563
The easiest way to accomplish this is to remove the pix completely. I have written a few articles on how to accomplish this task here
It will get you most of the way there. Some route maps will have to be changed to get the users going out of the correct connections. Have a read, then post you configs and we can get this done.

Expert Comment

ID: 22983179
is this cisco pix with 7.2 ver , if yes tha only possible .

Author Comment

ID: 22990269
Removing the PIX is not an option.  Our current PIX has version 6.3.

The purpose of our request is to test a high speed cable Internet service without disrupting or altering our current setup.

Our current link to the Internet is a bonded pair of T1s giving us approximately 3Mbps.  For the low cost of a high speed cable Internet we can get approximately 16Mbps.  We want the cable link to test the functionality of using cable for our Internet.

We will keep our T1s in place due to our contract commitment and stability of the link.  In add we will continue to use it for our email service.

After incubating the ideas last night it dawned on us that even if we can route out the cable link, when the packet returns it will return through the T1 since that is where our NATed subnet is assigned to.

A new plan:

Leave current T1 alone.
Use an ASA 5505 and create the following setup.

user pcs -- switch -- gateway router -- pix -- edge router -- vendor router -- Internet
                      | __ ASA 5505 -- vendor cable modem --  Internet

We will request a few static IP address from cable vendor to PAT with.
The test PCs will use the asa as their gateway.
We would create manual routes on the test PCs.

If test works well then we would change the new gateway to be pushed out by dhcp.
We would create static routes for our email server to continue using the T1.

Is this a valid solution?
Should we include an edge router in front of the ASA for additional security?
Any comments or suggestions?

Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

LVL 15

Expert Comment

ID: 23010971
The IOS firewall is quite a bit more robust than the PIX but I digress. If the PIX/ASA combo is where you want to go with it the solution would look like this. (provided the core router is cisco)

PC----Switch --- Core Router-------Pix --- T1
                                                 |_ASA--- Cable

in the core router you would create a route map
ip access-list extended ToCable
   Permit ip host <IP of test PC> any
route-map director permit 10
   match ip address ToCable
   set ip next-hop <ASA IP address>

and on your core router's LAN interface
   ip policy route-map director

That will push the single PC over the cable connection and you can widen the subnet mask as you get more confident.
The downside of this configuration is the lack of load sharing, but you can still accomplish dual inbound access by assigning 2 ip addresses to each server and natting the pix to one and the asa to the other. The route-map would then be set to push the second IP address to the ASA. A router in front of the ASA would not provide any additional security. There is some good reading at the cisco site on the security features of their platforms here:

Author Comment

ID: 23016033
Your suggested solution may work but it breaks one of rules which is we cannot alter the existing setup.

This brings us back to our current proposed solution.  It appears simple enough that it should work.  Is there a good reason this is not a good approach?
user pcs -- switch -- gateway router -- pix -- edge router -- vendor router -- Internet
                      | __ ASA 5505 -- vendor cable modem --  Internet

The Cisco link was very beneficial and did answer my second question.  I think we will stay with the ASA for performance and simplicity since we do not need the added functionality of the IOS firewall.
LVL 15

Accepted Solution

wingatesl earned 800 total points
ID: 23017285
Your idea will work, and you can manually adjust the gateways as required.

Featured Post

The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Every server (virtual or physical) needs a console: and the console can be provided through hardware directly connected, software for remote connections, local connections, through a KVM, etc. This document explains the different types of consol…
Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

608 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question