Re: PIX question

From: David Ankers (d.ankers@xxxxxxxxxxxxxx)
Date: Mon Sep 11 2000 - 19:44:55 GMT-3

• Next message: John Conzone: "Re: Lane without LECS part......(I lost track)"
• Previous message: Mike Bernico: "RE: ubr+ vs. abr"
• Maybe in reply to: Maljure, Sanjay: "PIX question"
• Next in thread: Richard Mott: "Re: PIX question"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

   
>From the PIX FAQ:

Q. Can I connect two different ISPs to my Cisco Secure PIX Firewall?

A. Yes. However, this setup will require an additional gateway router. The
Cisco Secure PIX Firewall was designed to only handle one default route.
Connecting two ISPs to a single Cisco Secure PIX Firewall means that the
Cisco Secure PIX Firewall would need to make routing decisions at a much
more intelligent level. By using a gateway router, the PIX continues to send
all of its traffic to one router. That router can then route/load balance
between the two ISPs.

Hope this helps......

Dave.

----- Original Message -----
From: "Asbjorn Hojmark" <Asbjorn@Hojmark.ORG>
To: <smaljure@cibernetworks.com>
Cc: <ccielab@groupstudy.com>
Sent: Monday, September 11, 2000 11:55 PM
Subject: RE: PIX question

> >>> I need to be able to load-balance across two ISPs. I was
> >>> wondering if there is a way we could set two default routes
> >>> on a PIX and have the PIX load-balance outgoing traffic.
>
> >> No, a PIX will not allow you to do that.
>
> > I found out that PIX will basically not allow two equal cost
> > static routes to the same network or 0/0
>
> ACK.
>
> > However, what if I get the PIX to run RIP? Will it accept
> > multiple "RIP-advertised defaults" and install them in the
> > routing table?
>
> No, a PIX will not install two default routes, static or RIP.
> I've tried this in the lab and it didn't work.
>
> Come to think of it, I guess you could let both routers run
> RIP, filter what they announce to the PIX and load-balance
> based on that. A static default should take care of the rest
> (and failure scenarios) and you could next hop it to a HSRP
> address shared by the routers. I haven't tried this myself,
> however, and you still wouldn't get inbound load-balancing.
>
> FWIW,
> -A
> --
> Heroes: Vint Cerf & Bob Kahn, Leonard Kleinrock, Robert Metcalfe
> Links : http://www.hojmark.org/networking/
>
>

• Next message: John Conzone: "Re: Lane without LECS part......(I lost track)"
• Previous message: Mike Bernico: "RE: ubr+ vs. abr"
• Maybe in reply to: Maljure, Sanjay: "PIX question"
• Next in thread: Richard Mott: "Re: PIX question"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:24:55 GMT-3