
How-to route 2 internet connections to pix firewall

Status
Not open for further replies.

tshunn (Technical User; joined Jun 9, 2004; messages: 5; location: US)
I have a PIX 515E with only two interfaces, an inside and an outside, but I need to connect two T1 internet connections on different subnets to the outside interface. I have a Cisco 3550 switch on the outside between the routers and the PIX. I've been told to use HSRP on the 3550, but I don't know enough about that to make it work. It would be nice to be able to use either T1 for outbound if one of them fails. Would someone give me some suggestions? My routers are Cisco 2610s and I don't think they support HSRP. Thanks
 
First of all, you don't and can't ever use a PIX as an edge device. There is no WAN interface on a PIX and PIXIOS does not support BGP itself. PIXIOS is just now barely starting to support OSPF.

However, it is possible to run BGP in a passthrough configuration as shown in this next link, although it is quite complex:

An easier way to do this is to put the 3550 in front of your PIX 515 (with optional failover unit) and have that 3550 connected to 2 edge routers with WAN interfaces going to each ISP. The 3550 could run enhanced IOS with BGP capabilities and BGP could be set up between the 2 ISPs and your 3550.

George Ou
Network Systems Architect

Get more powerful articles and tools from my webpage
 
As I understand the question, the configuration is:

               /-2610--Internet 1
LAN--Pix--3550-<
               \-2610--Internet 2

I don't think there's a problem running HSRP on the 2610; most IOS versions support it. Remember that you'll need to enable NAT on at least one of the 2610s (the secondary, I suppose) since it's on a different network than the other. The PIX's outside address will need to be masqueraded.

BGP would allow you to have inbound as well as outbound failover, but that's not what you asked for. BGP also requires you to get an AS number from ARIN and coordinate with your ISPs. Not difficult, but a bit more effort.

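One way to lay out the HSRP-plus-NAT arrangement lgarner describes, written here as an added example that is not from any poster in this thread. The interface names (Ethernet0/0, Serial0/0) and the addresses (203.0.113.0/28 for the ISP 1 block shared with the PIX outside, 192.0.2.0/30 and 198.51.100.0/30 for the two T1 links) are assumed documentation ranges, not the original poster's.

```cisco
! ---- Router A (primary 2610): T1 to ISP 1, HSRP active ----
interface Ethernet0/0
 description toward 3550 / PIX outside (ISP 1 block, assumed 203.0.113.0/28)
 ip address 203.0.113.1 255.255.255.240
 standby 1 ip 203.0.113.14
 standby 1 priority 110
 standby 1 preempt
 ! if the T1 drops, lower priority by 20 so Router B (priority 100) takes over
 standby 1 track Serial0/0 20
!
interface Serial0/0
 description T1 to ISP 1 (assumed link 192.0.2.0/30)
 ip address 192.0.2.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 Serial0/0

! ---- Router B (secondary 2610): T1 to ISP 2, HSRP standby ----
! Its Ethernet must sit in the same subnet as Router A for HSRP to work,
! which costs one more address out of the ISP 1 /28.
interface Ethernet0/0
 ip address 203.0.113.2 255.255.255.240
 ip nat inside
 standby 1 ip 203.0.113.14
 standby 1 priority 100
 standby 1 preempt
!
interface Serial0/0
 description T1 to ISP 2 (assumed link 198.51.100.0/30)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
! ISP 2 will not carry packets sourced from ISP 1's block, so when B is
! forwarding, the PIX's outside address is masqueraded behind the ISP 2 link.
access-list 1 permit 203.0.113.0 0.0.0.15
ip nat inside source list 1 interface Serial0/0 overload
ip route 0.0.0.0 0.0.0.0 Serial0/0

! ---- PIX 515E: one default route, pointed at the HSRP virtual address ----
route outside 0.0.0.0 0.0.0.0 203.0.113.14 1
```

Only outbound sessions survive a failover this way; inbound traffic to the PIX's public addresses still arrives via ISP 1, which is the limitation the BGP remarks above address.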
 
lgarner,

Your diagram of my configuration is correct. I have the two 2610 routers connected to my 3550 which is then connected to my pix 515E.

I didn't know that the 2610s would support HSRP. I'll have to look into that more, as that would really help in this situation. The NATing might be difficult as I may start running short on IP addresses. I've only got 14 on each subnet and a lot of those are already in use.

Your post and the previous post both mentioned BGP, which I know is Border Gateway Protocol, but I don't know much about it. I'm not too up on my routing protocols, so I guess I'll have to study up a little more. Do you know of any good references on BGP?

I am thinking about reconfiguring my two T1's on the ISP side so they would be redundant and I wouldn't have to deal with two subnets.

Thanks for your post. At least I have a little better direction now.
 
I don't know what you mean by "splitting" your IP pool. In this case, without running your own ARIN-registered IP pool using BGP with your 2 ISPs, you would have 2 IP pools with one from each ISP. I'm not even sure how you set up your IP scheme. Since your PIX 515 only has 2 interfaces, it cannot run two public IP schemes unless you trunk (802.1q tagging) the PIX into the 3550 so that it can have 2 virtual VLAN interfaces on the outside. You generally want to run the external IPs and NAT on the PIX. Then instead of running HSRP on the 2610s, you would run OSPF between the 2610s and the PIX 515. The "primary" 2610 could advertise 0.0.0.0/0 to the PIX 515 and a static route 0.0.0.0/0 on the PIX could point to the second 2610 with a higher metric than the first 2610's OSPF route. However, it is questionable how effective this will be, since only a hard failure on the primary 2610 or a failure on the 2610's internal interface would cause the failover. You could manually or script something to shut down that interface if the first ISP stopped working, but that would be clunky.

The cleanest way to ultimately do this is to use BGP for inbound and outbound redundancy. It provides a much more intelligent failover mechanism, and the other benefit is that you would get some level of load balancing for inbound and outbound because your traffic will look for the closest BGP route to and from each IP destination. One catch: the device(s) running BGP facing the Internet would have to contain the routing table for the entire Internet. I doubt you can run BGP on the 2610 routers since they don't have enough memory. You might be able to upgrade the RAM on the 3550 if it is running Enhanced IOS.

George Ou
Network Systems Architect

 
Thanks for the advice. Even though I have 2 T1s, they are from that same provider. I'm thinking about just having them reconfigured so that they are redundant instead of each having unique traffic and subnets. That should make things easier. I don't really know why they configured them separately to begin with. By the way, I've enjoyed some of the articles posted on your website. Thanks for the link.

Tim
 
Hey thanks,

Yeah, that is strange. You would have thought that they would configure a multi-link between the 2 T1s so that it would be seen as a single IP interface. Now if you're willing to pay for 2 T1s, why not use a different ISP for the second T1? That would give you much better diversity, although setting up an AS and BGP is much more complex but well worth the effort.

George Ou
Network Systems Architect
