FW: Pix with Two ISP

From: Wolfkiel Albert L PHCA (WolfkielAL@phdnswc.navy.mil)
Date: Wed Sep 18 2002 - 17:53:26 GMT-3


If I may, I'd like to get two questions answered that have been bothering me.

1. If you do the dual NAT pools described below with equal cost load
balancing, does the PIX and/or Router load balance on a per flow basis (w/o
NAT it is per packet... bad).
2. I'd like to do this in my environment with a single 2621. However, in
both cases there are other devices between the 2621 and the Internet. What
method do I use to get the router to determine when the circuit is down? The
2621 will always see the interface as up even though the Internet may be
unreachable through that interface.

Thanks,
Albert
-----Original Message-----
From: gary.quinn@us.didata.com [mailto:gary.quinn@us.didata.com]
Sent: Monday, September 16, 2002 7:44
To: DHSTS68@dhs.state.il.us; ni36ne@hotmail.com; cchurch@MAGNACOM.com
Cc: ccielab@groupstudy.com; security@groupstudy.com
Subject: RE: Pix with Two ISP

Something we've done for this is have two ISP network ranges (one from each
ISP) and configure two NAT pools on the PIX, each corresponding with the
respective ISP-assigned net range. The PIX will load balance between the
two NAT pools for clients on the way out.

On the way out the PIX pitches it to the HSRP address of the Internet facing
routers. Those routers are then configured for policy routing to route
based on the source address. That way ISP A's net address goes out ISP A,
the same for B. Inversely the return traffic is preferred to come through A
or B and will be the better performing.

But you still have the peering agreement so that ISP A's assigned Net range
is advertised to ISP B and vice versa for the redundancy. But with this
design you don't have to take the full Internet routing table but it gives
the optimal performance anyway.

Just another way to skin a cat.
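The source-based policy routing Gary describes, as an added configuration example that is not from the original post. It assumes Router1 is the HSRP active router, the two PIX NAT pools are the documentation ranges 203.0.113.0/24 (ISP A) and 198.51.100.0/24 (ISP B), and Router2 is reachable at 10.0.0.2 over a direct link:

```cisco
! Router1, constructed example (placeholder addresses, not from the thread)
! The PIX sends everything to the HSRP virtual IP 172.16.0.1 on this segment.
! Traffic the PIX NATed into ISP B's pool is handed to Router2 so it leaves
! via ISP B; everything else (ISP A's pool) follows the routing table to ISP A.
ip access-list standard FROM-ISP-B-POOL
 permit 198.51.100.0 0.0.0.255
!
route-map BY-SOURCE permit 10
 match ip address FROM-ISP-B-POOL
 set ip next-hop 10.0.0.2
!
! Clause 20 matches nothing explicitly, so remaining traffic is routed normally.
! If 10.0.0.2 becomes unreachable (link down), IOS skips the set clause and
! the ISP B pool traffic also falls back to the routing table on this router.
route-map BY-SOURCE permit 20
!
interface FastEthernet0/0
 description Segment shared with the PIX and Router2
 ip address 172.16.0.2 255.255.255.0
 standby 1 ip 172.16.0.1
 standby 1 priority 110
 standby 1 preempt
 ip policy route-map BY-SOURCE
!
! Router2 mirrors this: match ISP A's pool 203.0.113.0/24 and set next-hop 10.0.0.1
```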

-----Original Message-----
From: DAN DORTON
To: ni36ne@hotmail.com; cchurch@MAGNACOM.com
Cc: ccielab@groupstudy.com; security@groupstudy.com
Sent: 9/16/2002 9:37 AM
Subject: RE: Pix with Two ISP

You could also run BGP & only take local provider routes from each ISP.

Use 0/0 routes to catch the rest in each with a better administrative
metric at the primary.

Run HSRP between the two routers & have the PIX send all outside
traffic to the Virtual IP.

Have an ethernet connection between the two routers with a crossover &
peer between them.

Make sure you filter well to avoid becoming a transit AS.

The traffic will follow more specific routes from each provider from
the primary router & any other traffic will follow the default, if the
primary dies then the secondary will take over & all traffic will be
routed that way.

I have set up a few this way & it seems to work well as long as you use
large providers, i.e. ATT, SBC...
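The primary router of the design Dan outlines (partial BGP feed, transit-AS filtering, iBGP over the crossover, HSRP toward the PIX), as an added configuration example that is not from the original post. It assumes placeholder values throughout: our block 203.0.113.0/24 in AS 65000, ISP A as AS 65001 at 192.0.2.1, Router2 at 10.0.0.2 on the crossover link:

```cisco
! Router1 (primary), constructed example: private AS numbers and documentation
! prefixes stand in for real ones.
!
! Take only routes originated by ISP A or its direct customers, not the full table
ip as-path access-list 1 permit ^65001$
ip as-path access-list 1 permit ^65001_[0-9]+$
! Announce nothing but our own block, so ISP A's routes are never relayed to
! ISP B (and vice versa on Router2); this is what keeps us from being a transit AS
ip prefix-list OUR-BLOCK seq 5 permit 203.0.113.0/24
!
router bgp 65000
 no synchronization
 network 203.0.113.0 mask 255.255.255.0
 neighbor 192.0.2.1 remote-as 65001
 neighbor 192.0.2.1 filter-list 1 in
 neighbor 192.0.2.1 prefix-list OUR-BLOCK out
 ! iBGP to Router2 over the crossover; next-hop-self keeps ISP A's routes
 ! usable on Router2 without carrying the WAN subnet in an IGP
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 next-hop-self
!
! Default for everything not covered by a provider route; lower administrative
! distance on the primary than the matching default on Router2 (e.g. 20 there)
ip route 0.0.0.0 0.0.0.0 192.0.2.1 10
!
! HSRP toward the PIX; the PIX's default gateway is the virtual IP
interface FastEthernet0/0
 ip address 172.16.0.2 255.255.255.0
 standby 1 ip 172.16.0.1
 standby 1 priority 110
 standby 1 preempt
```

Router2 carries the same configuration against ISP B (its own AS number and next hop), peers back to 10.0.0.1, and has a lower HSRP priority so it only takes the virtual IP when Router1 fails.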

>>> Chuck Church <cchurch@MAGNACOM.com> 09/16/02 07:57AM >>>
Are you running BGP to the two ISPs? If not, I assume you've got 2
separate address ranges given to you by the ISPs. If so, I assume you're
NATing on the routers rather than the PIX. What you could do is create 2
static routes on the Pix, one for 0.0.0.0/1 pointing to router 1, and
128.0.0.0/1, pointing to router 2. A floating static 0/0 route on each
router pointing to the other should then take care of a loss of a circuit.
It won't be perfect load balancing, but it's close. You can always fine
tune the static routes on the PIX to balance a little more.

Chuck Church
CCIE #8776, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000
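The split-default design Chuck describes, as an added configuration example that is not from the original post. It assumes PIX 6.x syntax, both routers on the PIX outside segment (Router1 172.16.0.2, Router2 172.16.0.3), and placeholder ISP next hops; as Albert's second question above points out, the floating routes only take over when the primary default's outgoing interface goes down, so an upstream failure that leaves the interface up is not covered by this alone:

```cisco
! PIX, constructed example (placeholder addresses, not from the thread)
! The two /1 routes together cover every destination; roughly half of the
! address space goes to each router. Both have metric 1 so neither is preferred.
route outside 0.0.0.0 128.0.0.0 172.16.0.2 1
route outside 128.0.0.0 128.0.0.0 172.16.0.3 1
!
! Router1: default to ISP A via its WAN interface, plus a floating static
! (distance 250) toward Router2 that is installed only when the primary
! default disappears, i.e. when Serial0/0 goes down
ip route 0.0.0.0 0.0.0.0 Serial0/0 192.0.2.1
ip route 0.0.0.0 0.0.0.0 172.16.0.3 250
!
! Router2: the mirror image, defaulting to ISP B and floating toward Router1
ip route 0.0.0.0 0.0.0.0 Serial0/0 198.51.100.1
ip route 0.0.0.0 0.0.0.0 172.16.0.2 250
```

To shift the balance, the PIX side can be split further (for example four /2 routes, three of them pointing at the router with the faster circuit) without changing the router configuration.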

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
nitin
Sent: Monday, September 16, 2002 3:39 AM
To: Reinhold.Fischer@gmx.net
Cc: ccielab@groupstudy.com; security@groupstudy.com
Subject: Re: Pix with Two ISP

Hi,
What if I don't require load balancing, and half the network traffic should
go through router A and half through router B. The default gateway will be
the Pix. But if any one of the routers goes down, the other router should
take the traffic.

Regards
Nitin

----- Original Message -----
From: "Reinhold Fischer" <rfischer@flexnetworks.de>
To: "nitin" <ni36ne@hotmail.com>
Cc: <ccielab@groupstudy.com>; <security@groupstudy.com>
Sent: Monday, September 16, 2002 12:31 PM
Subject: Re: Pix with Two ISP

> Hello Nitin,
>
> there is probably more than one way to solve this problem.
>
> For the load balancing part you usually need to have BGP with full
> internet routing tables on your routers with your own AS and own
> ip address space.
>
> To achieve the redundancy I would use HSRP between the two routers to
> provide a redundant default gateway for the PIX. There may be a bit of
> suboptimal routing in some cases when traffic gets sent to the
> active HSRP router, which then decides, due to its better topology
> knowledge through BGP, that the traffic should better go over the
> other router. As long as you have the requirement to do load balancing
> between the ISPs there is no way to get around this because you
> don't want to try to give the PIX a full routing table with RIP ;-)
>
> The PIX itself and the switch between the PIX and the routers would
> still be a single point of failure except you go for a cluster of
> two there.
>
>      ISP-A                     ISP-B
>        |                         |
>        | WAN                     | WAN
>        | eBGP                    | eBGP
>        |          iBGP           |
>      Router1-----------------Router2
>        |      back2back FE       |
>        |                         |
>        |                         |
>        |   <------HSRP------>    |
>        +---------+     +---------+
>                  |     |
>                  Switch
>                    |
>                   Pix
>
> The direct back2back ethernet between the routers may not be necessary
> in all cases but it helps to provide the redundancy and avoids sending
> the traffic two times over the same wire as would happen in the
> case of suboptimal routing as described above.
>
>
> cheers !
>
> Reinhold
>
> On Mon, 16 Sep 2002, nitin wrote:
>
> > Hi,
> > I want to set up a Pix firewall on the network where I have two
> > different ISP connections with two routers. I want users on the network
> > to access the internet from the two ISPs in a load balancing and
> > redundant fashion. Can anyone suggest how I configure the firewall for
> > this setup.
> > Has anyone done this kind of setup?? A sample configuration would be
> > appreciated..
> >
> > Thanks in advance
> >
> > Nitin Sahane



This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:43:56 GMT-3