PIX with 2 Public IP Ranges and 3 NICs


  • PIX with 2 Public IP Ranges and 3 NICs

    We have a PIX running 6.3(5)

    We are adding a new internet connection. New 10 MB pipe from X/O.

    We currently have a 3 MB pipe from Verizon. We want to have them both.

    We'd probably keep email and current VPNs on the old 3 MB pipe.

    But I would like to send all internet traffic to the new 10 MB pipe.

    Am I overthinking this? Do I just assign a new public address to the 3rd NIC, which is not being used right now, change my NAT outside to this new range, and all is done?

    Will the PIX deal with both address ranges and send the static NATs to the right interface?

    Thanks

    Erick

  • #2
    Re: PIX with 2 Public IP Ranges and 3 NICs

    Hi Erick,
    Thanks for the post!

    What about routing? How will your network decide which connection to use? Normally, this is done with BGP. Here is an article on that:
    http://articles.techrepublic.com.com...1-1039765.html

    Are you wanting to do load sharing between the connections or failover (active/passive)?
    David Davis - Petri Forums Moderator & Video Training Author
    Train Signal - The Global Leader in IT Video Training
    TrainSignalTraining.com - Free IT Training Products
    Personal Websites: HappyRouter.com & VMwareVideos.com

    • #3
      Re: PIX with 2 Public IP Ranges and 3 NICs

      Can this be done without BGP? I have the exact same issue, but my only L3 device is an ASA 5520. Can the ASA perform source routing or policy routing, based on protocol?

      We have an ASA 5520 we have connected to a T1 and are trying to add a DSL. The T1 is for VPN and VOIP, and the DSL is intended to take on general internet traffic. PBR seems to be gelded on the ASA, so I can't push interesting traffic out an interface of choice. After the default gateway is changed to the DSL, watching a packet trace, all traffic goes out the DSL, even the traffic that is NAT'd to the T1 side. That traffic is NAT'd TWICE. Any ideas?

      Additionally, I can't complete phase 1 of RA VPN. The ISAKMP tries to init a connection back to the VPN client, and of course, goes out the DSL, even though the client first contacts the interface IP on the T1.
      Last edited by goobysnack; 7th February 2007, 23:46.

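An added illustration, not configuration posted in the thread: a minimal PIX 6.3 layout for Erick's three-NIC box with the third NIC used as a second outside interface. The addresses are RFC 5737 documentation ranges, and the interface names, the mail host and the security level chosen for the second outside interface are assumptions. It shows why the arrangement behaves the way goobysnack describes in #3: the PIX picks an egress interface by destination only, so once the default route is moved to the new pipe, replies for anything published on the old range, and packets the firewall itself originates such as IKE responses, leave through the new interface.

```cisco
! Added example, not from the thread. Addresses are RFC 5737 ranges:
! the new X/O hand-off is assumed to be 203.0.113.0/29, the existing
! Verizon block 198.51.100.0/29. outside2 gets security1 on the
! assumption that 6.3 wants a distinct level per interface (check
! "show nameif" on the box).
nameif ethernet0 outside  security0
nameif ethernet1 inside   security100
nameif ethernet2 outside2 security1
interface ethernet2 100full

ip address outside  198.51.100.2 255.255.255.248
ip address outside2 203.0.113.2  255.255.255.248
ip address inside   10.0.0.1     255.255.255.0

! Default route on the new 10 MB pipe. The PIX routes on destination
! only; there is no way here to say "replies for the mail server go
! back out outside", which is what PBR would do on a router.
route outside2 0.0.0.0 0.0.0.0 203.0.113.1 1

! General outbound traffic is PATed to outside2's own address.
global (outside2) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

! Mail stays published on the old Verizon range via the old interface.
static (inside,outside) 198.51.100.3 10.0.0.25 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 198.51.100.3 eq smtp
access-group outside_in in interface outside

! Symptom (as reported in #3): an inbound SYN to 198.51.100.3 arrives
! on outside and is untranslated to 10.0.0.25, but the SYN/ACK from
! 10.0.0.25 is routed by destination, so the default route sends it
! out outside2, not the interface the connection came in on. The same
! applies to IKE: a VPN client that hits 198.51.100.2 gets its phase 1
! reply routed out outside2, so the negotiation never completes.
```

Nothing in this configuration can express the split Erick and goobysnack want. The designs that do work, as the thread goes on to say, are a router in front of the firewall that owns both circuits (policy routing, or BGP with one block advertised to both providers as in #5), or two separate firewalls each with its own default gateway (#6). For failover rather than splitting, ASA 7.2 and later can watch a next hop with `sla monitor` and `track` and fall back to a higher-metric default route; PIX 6.3 has no equivalent, and even on the ASA this does nothing for inbound services on the circuit that is down unless both providers carry the same block.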
      • #4
        Re: PIX with 2 Public IP Ranges and 3 NICs

        AFAIK it can't be done without BGP.
        Marcel
        Technical Consultant
        Netherlands
        http://www.phetios.com
        http://blog.nessus.nl

        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
        "No matter how secure, there is always the human factor."

        "Enjoy life today, tomorrow may never come."
        "If you're going through hell, keep going. ~Winston Churchill"

        • #5
          Re: PIX with 2 Public IP Ranges and 3 NICs

          You may be able to do policy routing or just two static routes (primary and backup) but, either way, you won't have redundancy if one of the circuits goes down because you would have separate IP ranges on different Internet circuits.

          Hmm, now that I think about it, does the ASA have two outside ethernet ports? (one to connect to each provider). If not, then the single outside interface would have to have a single IP range that would have to go to only one provider. Normally, you would get a router with 3 interfaces - 1 to each provider (2) and 1 to the inside, which would then go to your PIX/ASA. That is how I have mine.

          We have a single IP block for all inbound services (mail, VPN, www) and, of course, outbound traffic. That block is advertised to two providers via BGP. If either goes down, all traffic automatically fails over to the other circuit. Even better, if I had a disaster, all I have to do is go to my DR BGP router and begin advertising that block. Within minutes, the whole world knows how to find my mail, VPN, and www servers. This is much better than having to change your DNS entries and let them propagate around the world (could take a few days).

          Just some thoughts for you...
          David Davis - Petri Forums Moderator & Video Training Author

          • #6
            Re: PIX with 2 Public IP Ranges and 3 NICs

            PBR on the ASA is a bit gelded compared to a router or L3 switch, so that won't cut it. BGP on the ASA isn't available either. So, looks like I have to either use a more robust L3 device, or use separate firewalls completely, necessitating a separate DG for the T1 traffic, separate from general internet egress (DSL).
