Re: [fw-wiz] PIX Dual line Internet HDSL and ADSL
From: Brian Loe (knobdy_at_gmail.com)
To: email@example.com Date: Wed, 2 Nov 2005 13:24:43 -0600
I have a question about that. We too have two ISPs. When introduced to
our network here they explained that the one ISP provided a route to
the other for redundancy. I had questions, but I didn't question him.
The two internet routers are configured with HSRP addresses to talk to
However, now that I've set up CACTI on a box here and pointed it at
our outside interfaces it's obvious that they're definately NOT doing
any kind of load balancing for our connection and ONLY serving as what
we hope is a redundant link. Now my questions are: since our public IP
addresses are going to be routed to the primary ISP first, is it even
possible to span both connections? Does this setup only work for
failover? Finally, and maybe I'm just not thinking this through
enough, since the secondary link does show some traffic out, how do
those connections make it back? If they go out the secondary router
they'll be headed back in the primary wouldn't they?
I know very little to nothing at all about HSRP, just so you all know.
On 11/1/05, Daniel Linder <firstname.lastname@example.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
> On Mon, October 24, 2005 04:48, Felice Gaiba wrote:
> > My name is Felix,
> > I have a problem, I possible configure a PIX 515 for this configuration?
> [ASCII picture removed...]
> > Is necessary for me using Internet 1 Router if Internet 2 Router or Line
> > is down and viceversa.....
> > And, certain PC exit from Internet 2 and another from internet 1.
> > The Software in a PIX is Version 6.3
> Your basic setup is that you have two Cisco routers, each connected to
> their own Internet connection, and a Cisco PIX firewall. Your drawing has
> the "inside" interface of each Cisco router going to a different port on the
> PIX firewall -- this will make things much more difficult to setup since
> those two interfaces will have two different security levels.
> My first thought is to put the two routers and the Pix outside port into a
> single switch and configure HSRP and BGP (IBGP?) between the two routers.
> This will allow the PIX to use the HSRP address to get out, regardless of
> the actual state of either router. Furthermore, BGP can then be configured
> to watch the Internet links status and when one goes down it will remove the
> affected routes from the shared routing table.
> It's been a while since I have had to set this up, and the size of your
> routers and/or your ISPs features might be a limiting factor for the BGP
> setup. HSRP should be configurable on nearly any Cisco router from what I
> - - - - -
> "Wait for that wisest of all counselors, time." -- Pericles
> "I do not fear computer, I fear the lack of them." -- Isaac Asimov
> GPG fingerprint:6FFD DB94 7B96 0FD8 EADF 2EE0 B2B0 CC47 4FDE 9B68
> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux)
> LPRzgZYoUbwqg0Q4dn71i8k= =APsp -----END PGP SIGNATURE-----
firewall-wizards mailing list