How do we setup dual routes to the Internet?

user pcs -- switch -- gateway router -- pix -- edge router -- vendor router -- Internet
                                                    |
                                                    |__ vendor cable modem -- Internet

Our current access to the Internet is shown on the first line.  We want to add a cable broadband link which also goes to the Internet as shown on the second line.  On the cable link we want to allow a small subset of user pcs to surf through this link while still allowing the rest of the users to continue as before.

The edge router has two Fast Ethernet ports.
All equipment is Cisco brand.
PAT is performed at the PIX.

Question 1:
Is this a workable idea?

Question 2:
How?
We are assuming if it is workable then some routing entries and ACLs would be made to the edge router.

Question 3:
Is there a better method to accomplish this?  How?

dalvaAsked:

wingateslCommented:
The easiest way to accomplish this is to remove the pix completely. I have written a few articles on how to accomplish this task here
www.inacom-sby.net/shawn
It will get you most of the way there. Some route maps will have to be changed to get the users going out of the correct connections. Have a read, then post your configs and we can get this done.
Shawn
0
devangshroffCommented:
Is this a Cisco PIX with version 7.2? Only if yes is it possible.
0
dalvaAuthor Commented:
Removing the PIX is not an option.  Our current PIX has version 6.3.

The purpose of our request is to test a high speed cable Internet service without disrupting or altering our current setup.

Our current link to the Internet is a bonded pair of T1s giving us approximately 3Mbps.  For the low cost of a high speed cable Internet we can get approximately 16Mbps.  We want the cable link to test the functionality of using cable for our Internet.

We will keep our T1s in place due to our contract commitment and stability of the link.  In addition, we will continue to use it for our email service.

After incubating the ideas last night it dawned on us that even if we can route out the cable link, when the packet returns it will return through the T1 since that is where our NATed subnet is assigned to.

A new plan:

Leave current T1 alone.
Use an ASA 5505 and create the following setup.

user pcs -- switch -- gateway router -- pix -- edge router -- vendor router -- Internet
                      |
                      | __ ASA 5505 -- vendor cable modem --  Internet


We will request a few static IP addresses from the cable vendor to PAT with.
The test PCs will use the asa as their gateway.
We would create manual routes on the test PCs.

If test works well then we would change the new gateway to be pushed out by dhcp.
We would create static routes for our email server to continue using the T1.

Is this a valid solution?
Should we include an edge router in front of the ASA for additional security?
Any comments or suggestions?





0
wingateslCommented:
The IOS firewall is quite a bit more robust than the PIX but I digress. If the PIX/ASA combo is where you want to go with it the solution would look like this. (provided the core router is cisco)

PC----Switch --- Core Router-------Pix --- T1
                     |_ASA--- Cable

in the core router you would create a route map
ip access-list extended ToCable
   permit ip host <IP of test PC> any
route-map director permit 10
   match ip address ToCable
   set ip next-hop <ASA IP address>

and on your core router's LAN interface
   ip policy route-map director


That will push the single PC over the cable connection and you can widen the subnet mask as you get more confident.
The downside of this configuration is the lack of load sharing, but you can still accomplish dual inbound access by assigning 2 ip addresses to each server and natting the pix to one and the asa to the other. The route-map would then be set to push the second IP address to the ASA. A router in front of the ASA would not provide any additional security. There is some good reading at the cisco site on the security features of their platforms here:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_qas09186a008010a40e.html
Shawn
0
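As an added example (not Shawn's config and not from the thread), here is the route map above filled out with assumed addresses, plus two things a practitioner would want before turning it on: deny entries so the test PC's traffic to internal networks is not also steered to the ASA, and IP SLA tracking so the PC falls back to the normal T1 path if the ASA or cable link is down. The addresses, interface name and the `ip sla` syntax (12.4-era IOS) are assumptions.

```ios
! Added example, not from the thread. Assumed addressing:
!   LAN 192.168.1.0/24 on the core router's FastEthernet0/0
!   core router LAN address 192.168.1.1, PIX inside 192.168.1.2 (default route)
!   ASA 5505 inside address 192.168.1.254, test PC 192.168.1.50
!
! Probe the ASA inside address; when the probe fails the route-map
! "set ip next-hop" is skipped and normal routing (T1 via PIX) applies.
ip sla 1
 icmp-echo 192.168.1.254 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Only Internet-bound traffic from the test PC is steered. Internal
! destinations are denied first; "permit ... any" on its own would also
! policy-route the PC's intranet traffic to the ASA.
ip access-list extended ToCable
 deny   ip host 192.168.1.50 192.168.0.0 0.0.255.255
 deny   ip host 192.168.1.50 10.0.0.0 0.255.255.255
 permit ip host 192.168.1.50 any
!
! To widen the test group later, replace the host entries with a range, e.g.
!   permit ip 192.168.1.48 0.0.0.15 any
!
route-map director permit 10
 match ip address ToCable
 set ip next-hop verify-availability 192.168.1.254 10 track 1
!
interface FastEthernet0/0
 description LAN toward user switch
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip policy route-map director
!
! Verification (exec mode):
!   show track 1              -> Reachability is Up
!   show route-map director   -> policy routing match counters increase
```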
dalvaAuthor Commented:
wingatesl,
Your suggested solution may work, but it breaks one of our rules, which is that we cannot alter the existing setup.

This brings us back to our current proposed solution.  It appears simple enough that it should work.  Is there a good reason this is not a good approach?
user pcs -- switch -- gateway router -- pix -- edge router -- vendor router -- Internet
                      |
                      | __ ASA 5505 -- vendor cable modem --  Internet

The Cisco link was very beneficial and did answer my second question.  I think we will stay with the ASA for performance and simplicity since we do not need the added functionality of the IOS firewall.
0
wingateslCommented:
Your idea will work, and you can manually adjust the gateways as required.
0
