omar07 asked:
Dual Internet Connections with Cisco router

I have a Cisco 1841 router with dual Internet connections, which is connected to an ASA and a PIX. The ASA is for the VPN connection and the PIX is for users. Both of them share the same interface via VLANs. In the router I used a route-map to separate the traffic coming from the ASA and the PIX. The Internet connection with the ASA (VPN) is working fine, but the PIX (users) is not working, and I'm not sure what I am doing wrong. In the router, when I do sh ip route, it shows the route for both Internet connections. Please help.

giltjr:
Can you post a sanitized copy of the routers configuration?
pergr:
aaeeh, if you want the ASA on one ISP, and the PIX on the other, why do you not just connect them directly like that, instead of having the router in-between?

Generally, keep in mind that ASA needs to use IP addresses from ISP1, and the PIX need to use IP addresses from ISP2. Each ISP will not route traffic to IPs from another ISP.
I think it's better to have the two connections into the router, as you have it now, to allow for redundancy if required.

As giltjr said, a copy of the router config would be handy.
Taking into consideration that you can only use IPs from one ISP..., on that ISP, there is not much redundancy with a router and policy-based-routing. It just over complicates things.

You may want to consider using a switch instead, between the two firewalls and the two ISPs. You still have the issue of IP addressing, but at least, if you need to reconfigure one firewall to use IPs from "the other ISP", then it is faster and easier to do that on just the firewall, and not on a router too.
If you connect one ISP to the ASA and one ISP to the PIX there is NO redundancy.  If you connect each ISP to the router you can at least use IP SLA to automatically failover.  You can then also use PBR to route traffic coming through the ASA via ISP1 and through the PIX via ISP2.
hmmm, unless you have BGP, you're also going to be running NAT on the router, unless you went down the VRF route

I would have the ASA connected to both with route tracking, and possibly do the opposite with the PIX

I don't see what the router adds, unless it's terminating a "serial" connection.
The redundancy deals with external access.
Access from outside to resources will break when ISP1 drops and access to the resources behind the ASA are unavailable.
Presumably the reason for the router is that there are T1/frame type circuits rather than a regular Ethernet handoff that both the ASA and the PIX support. The ASA/PIX cannot handle a direct T1/Frame connection.

The ASA has multiple interfaces that can be VLANed; not sure how/what the PIX plays.
Is the setup as pictured below?

         \           /ASA <=>
         /           \PIX <=>
VRF might be a better solution than PBR

(more complex to setup)
Actually I'm guessing they are DSL connections...
omar07:
They are ADSL connections, one is static for vpn and the other is dynamic for web browsing.
Aha, so the 1841 terminates both ADSL connections?

A dynamic ADSL connection only has a single IP address.

If you upgrade it to a static address block, and you have two ADSL routers, then you could do as I propose in post 38585854, this improves availability and removes a single point of failure.

You could as an alternative, remove the ASA and the PIX and do everything on the 1841...
omar07:

dual-Internet-cfg.txt

Attached is a copy of the router config.
aha, now it becomes clearer

you need a NAT statement for the traffic from the PIX, this means that outbound traffic for "users" will go over two layers of NAT unless you are operating the PIX in transparent mode
ArneLovius:

(accepted solution is members-only and is not included on this page)
omar07:

Thanks for your comments, I will try your solution, but how come the ASA is working fine with one layer of NAT.
The ASA has a public address, so there is no NAT between it and the Internet.

The PIX has a private address, and so to get to it from a public address on the Internet, you need NAT.

There is another option, if your PIX supports PPPoE, you could create a bridge group between the dialer interface and the ethernet interface used by the PIX and run PPPoE on the PIX, this would effectively turn the 1841 into an ADSL modem, but I would be tempted to try it.
Just to repeat myself; the 1841 adds no value here. The best thing to do is to remove it.

Unless you find valuable use for it on your LAN you'd better sell it.

Still, unless you have L3 switch on the LAN it might be useful there.
omar07:

I was told that connecting to the Internet straight from the firewall is not secure, but going through a router provides defense in depth. Moreover, I might use it for redundancy in the future for both firewalls.
Could you provide a layout of your setup?
Do the ADSL connections terminate on the 1841 or do you have an adsl router/adapter (depending on the configuration of each adapter)?

The strange thing in your question is the suggestion that both the ASA and the PIX use/share the same interface via VLAN.

A picture with IPs in use behind the 1841 to the ASA and to the PIX.

Eliminating the 1841 will remove the ISP failover option.
The firewall is the protection; often it is advised to set up router/firewall to maximize throughput from/through the router while the firewall protects the internal systems.
@pergr although it adds no value, the 1841 terminates both ADSL connections; neither a PIX nor an ASA can terminate an ADSL connection.

@arnold, I would guess that there is a managed switch behind the 1841 which then connects to the ASA and the PIX; however it would make more sense for the ASA and the PIX to each have a dedicated port...
You are right. He needs to sell all 3 boxes and buy an SRX110.
Does it have 2 DSL interfaces?
No, it has one built in.
However, it seems one of the dialer interfaces is on Ethernet, with a bridged modem, so that line would stay like that - so one pppoe on ATM and another pppoe from an ethernet interface.
SRX220 can have two dsl lines, but those are modules and a bit more costly.
you're quite right, the dynamic address is on PPPoE, so could terminate directly on the PIX...
omar07:

Ok. I tried the NAT inside and outside, and it worked. I didn't put an additional access-list or ip nat inside source because I already have a route-map for it.
Thank you very much ArneLovius.

you could re-use the ACL from the route map, but you should have something like line 7 in the above
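For readers following the thread, here is an added illustration of the approach the answers converge on (a route-map per firewall VLAN for policy routing, plus NAT on the router for the PIX side because its address is private). This is example configuration written for this page; it is not the asker's attached dual-Internet-cfg.txt nor the members-only accepted answer. The interface names (FastEthernet0/0.10, FastEthernet0/0.20, Dialer1, Dialer2), VLAN numbers, ACL and route-map names and all addresses are assumptions; 203.0.113.0/29 is a documentation range standing in for ISP1's static block.

```cisco
! Added example, not the asker's config. Assumed layout:
!   Dialer1 = static-IP ADSL (ISP1), used by the ASA (VPN)
!   Dialer2 = dynamic PPPoE ADSL (ISP2), used by the PIX (users)
!   Fa0/0.10 = VLAN 10 towards the ASA outside (public /29 routed by ISP1)
!   Fa0/0.20 = VLAN 20 towards the PIX outside (RFC1918 space, needs NAT)
!
interface FastEthernet0/0.10
 description ASA outside (VLAN 10, public addresses from ISP1)
 encapsulation dot1Q 10
 ip address 203.0.113.1 255.255.255.248
 ip policy route-map TO-ISP1
!
interface FastEthernet0/0.20
 description PIX outside (VLAN 20, private addresses)
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip policy route-map TO-ISP2
!
interface Dialer2
 description ISP2 dynamic PPPoE; NAT boundary for PIX traffic
 ip nat outside
!
! Classify by source so each firewall is pinned to its own ISP.
ip access-list extended ASA-TRAFFIC
 permit ip 203.0.113.0 0.0.0.7 any
!
ip access-list extended PIX-TRAFFIC
 permit ip 192.168.20.0 0.0.0.255 any
!
route-map TO-ISP1 permit 10
 match ip address ASA-TRAFFIC
 set interface Dialer1
!
route-map TO-ISP2 permit 10
 match ip address PIX-TRAFFIC
 set interface Dialer2
!
! The piece missing in the original question: the PIX sources traffic from a
! private address, so the router must translate it to Dialer2's address.
! The ASA side needs no such statement because its addresses are already public.
ip nat inside source list PIX-TRAFFIC interface Dialer2 overload
```

Two practical notes on this shape. First, "ip nat inside" on VLAN 20 and "ip nat outside" on Dialer2 are both required; the NAT statement alone does nothing until the interfaces are marked, which matches the "NAT inside and outside" the asker reported as the fix. Second, as pointed out above, user traffic now passes through two NAT layers (PIX, then 1841), so when troubleshooting, "show ip nat translations" on the router and the PIX's own xlate table must both be checked, and any inbound port forwarding for users has to be configured on both boxes.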