Link to home
Start Free TrialLog in
Avatar of polaris101
polaris101

asked on

2nd Internet Connection on PIX 515E

Hi All,

My company's network is behind a PIX 515E.  There are 2 subnets.  One for users and another for mission critical applications.  They currently share the same internet connection.

We will be ordering an additional Internet connection shortly.  I would like to force one of the subnets to use the new Internet connection.  If I install an additional ethernet adapter in the PIX will this be possible?  Could I do something like this:

interface2 auto
nameif ethernet2 outside2 security0
ip address outside 2 X.X.X.X
alias(inside) 10.242.55.253 X.X.X.X 255.255.255.255

interface2 = new ethernet card
x.x.x.x = IP assigned by new ISP
10.242.55.253 = IP of where 2nd subnet will be coming from that I want to force to the new ISP.

Avatar of MikeKane
MikeKane
Flag of United States of America image

Not possible.   The pix can only have 1 default gateway out to the public net.    No load balancing is possible with this unit.    

You can do internet failover with dual ISP.  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
However with this setup, only 1 ISP is ever active at a time.  

Avatar of polaris101
polaris101

ASKER

Thanks MikeKane- So I can force certain internal IP's to use certain external IP's using an alias with the PIX.  But, I cannot force an internal IP to use an external IP on a different interface?

If there is now way that that is possible, do you know of an equivelant ASA model would support the configuration I mentioned?

Cisco newbie...thanks for your help.

Scott
What you're looking to do is called policy-based (conditional) routing.
This would involve buying a higher-end router/firewall.

An easier solution may be to just get a second PIX/ASA, one for each network and configure static routes on them to access the other network.
kdearing- perfect.  That will most likely work.

I have a spare PIX 501 that I can use - eth0, will obviously be for the new ISP, eth1 will be for the users subnet(10.10.10.0), and eth2 will provide access to the other network for the applications (where the static route will point to- 10.242.55.0)

Can I create static routes to one of those interfaces (eth2) if the users (10.10.10.0)are trying to access 10.242.55.0 ?

Thanks!
Even with 1 ASA, you can have dual outbound ISPs.    You can add static routes to the 2nd ISP gateway if desired so that anything bound for 10.242.0.0 is routed outbound on the ISP2 gateway ip.      What you can't do is say If the source is x.x.x.x and dest is 10.242.0.0 then send it to ISP2.    This is policy based routing and the ASA can't do that.    

You can setup the 2 firewalls (as mentioned above).  Connect each via the DMZ or VLAN on the inside.     Use static routes on each ASA to send traffic to each other for that particular subnet.
Ok, I think I have this straight then.

On my PIX 501, eth0 is going to be for the 2nd ISP's router (default gateway).  eth1 is going to a switch on the 10.242.55.0 network.  eth2 is going to a swith on the 10.10.10.0

I'm then going to make a static route stating that if the destination is 10.242.55.0 use eth1.

Will this work?
see attached
2-ISPs.txt
kdearing...Ideally this is what I'd like to do since I only have 2 interfaces on the 515E. See attach.  Thoughts?  Can I make a static route on the PIX stating that if the destination is 10.242.55.0 to use eth1 ?
network.txt
Yes.
Remember to assign a 10.242.55.x address to PIX501 E1
Great.  So, you're certain that I will be able to create a static route for traffic destined for the 10.242.55.0 network to go out the eth1 interface?  The 501's come with 5 ethernet ports. 0 is always for the default gateway I assume. Thanks for your help.
kdearing. No luck... PIX 501 only has 2 layer 3 ports... eth0 and eth1. The other are only considered switch ports and cannot be configured.
In the diagram, swap the firewalls.
It doesn't really matter as long as one of them has three Layer-3 interfaces.

Because the 515 is fairly old, you can pick up Layer-3 interface cards for it on eBay for reasonable prices.
Kdearing, unfortunately, swapping the PIX's isn't an option because of the site-to-site VPN's we have to the 515.

If we have to purchase another firewall, what model ASA would you recommend to support the configuration I'm looking for here?
ASKER CERTIFIED SOLUTION
Avatar of kdearing
kdearing
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial