cisco pix route traffic through 2 interfaces

Tags:
Cisco PIX
Firewalls
PIX
Hi, I have a Cisco PIX which currently has an internal, a DMZ and an outside interface. My outside is my default route; however, I have now got another connection to the internet that I would like to route some outside-bound traffic through. I can set up a static route to do this, however I will need the traffic to be NATed through the new outside interface's IP. Is this possible?

E.g. existing outside 80.x.x.x (also my default route), inside network 172.20.x.x, DMZ 172.16.x.x, new outside 89.x.x.x. I would like traffic from the 172.20 range to go to 200.x.x.x via the new 89.x.x.x interface.

Answer Wiki

You could probably accomplish this with a PIX, but it will be gimpy at best. I say that assuming you are offering NO external services on this interface, or to the 200.x.x.x network. Meaning no one from the outside world uses this connection to connect to services on your network and that no one on the 200.x.x.x internet segment connects to or uses these services.

You could create a NAT translation for the specific range of internal addresses you want to use the new connection. AND/OR create a global NAT for the new interface and set a route for the 200.x.x.x range to use the new interface.

It sounds like you want all traffic destined to 200.x.x.x to go out this new interface rather than the old one, which would require you to create a NAT for the interface (either global or a pool for specific IPs) and then set a route for the PIX to deliver traffic destined to 200.x.x.x out this new interface.

If you wanted to split your network into two sections you could say traffic from the DMZ goes out one interface/ISP and traffic from the regular network goes out the other, again potentially via NAT addresses and routes. However this last one would be gimpy and could potentially create you problems if you offered services of some type on multiple segments of your network.

The more standard way to do this, if you offered services (http, https, ftp, etc.), would be to have your own IP space and enter into a BGP partner relationship among the two ISPs to route traffic to you over their connections. However, this generally requires more advanced hardware at the router than the PIX or even the new ASA line can handle on their own.
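As an added example (not part of the question or of the answer above), this is the "policy NAT for a specific internal range plus a static route" approach the answer describes, written as PIX 6.3-style configuration. The 172.20 and 200 ranges come from the question; the interface name `outside2`, its hardware slot and security level, the netmasks, the access-list name and the placeholder addresses 89.0.0.2 (the interface) and 89.0.0.1 (the ISP gateway) standing in for the page's 89.x.x.x are assumptions. The existing `nat (inside) 1 0 0` / `global (outside) 1 interface` pair is assumed to already exist and stays in place for everything that does not match the policy access-list.

```cisco
! --- Added example: second ISP link on PIX 6.3, outbound only ---
! New ISP-facing interface (slot, name, security level and addresses are assumptions).
nameif ethernet3 outside2 security1
ip address outside2 89.0.0.2 255.255.255.252

! Policy NAT: only 172.20.0.0/16 sources talking to 200.0.0.0/8 are
! matched here. Policy (access-list based) nat statements are evaluated
! before the ordinary "nat (inside) 1 0 0", so this wins for that traffic.
access-list to-200-via-isp2 permit ip 172.20.0.0 255.255.0.0 200.0.0.0 255.0.0.0
nat (inside) 2 access-list to-200-via-isp2

! NAT id 2 is only given a global on the new interface, so matching
! sessions are PATed to 89.0.0.2; the DMZ (172.16) is not in the list
! and keeps using id 1 out the original outside interface.
global (outside2) 2 interface

! Egress route: the PIX picks the exit interface from the routing table,
! so 200.0.0.0/8 must point at the ISP2 gateway (placeholder 89.0.0.1).
route outside2 200.0.0.0 255.0.0.0 89.0.0.1 1

! Existing default route stays as the catch-all for everything else.
! route outside 0.0.0.0 0.0.0.0 80.x.x.x 1   (already present, per the question)
```

To check it, open a connection from a 172.20 host to a 200.x address and confirm with `show xlate` that the translation is built on `outside2` (global address 89.0.0.2) rather than on `outside`; a matching session that shows up on `outside` means the policy access-list did not match or the route is missing. The configuration only covers connections initiated from inside, which is exactly the answer's caveat: a session arriving at 89.0.0.2 from the internet would have its replies sent by the routing table, i.e. out the default route on `outside` unless a matching route exists, so do not publish services on the second link with this setup.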
