We have an internet connection from 2 different ISPs. I want to use the same PIX 525 firewall 7.0(6).
My firewall has 2 Ethernet interfaces & 2 Giga Ethernet interfaces.
I am using:
ethernet 0 for outside connection with ISP A
ethernet 1 for outside2 connection with ISP B
Giga Ethernet 0 for DMZ zone
Giga Ethernet 1 for Inside connected to LAN.
I have 2 ISA servers and I want to connect both of them in the DMZ zone, one connected to ISP A and the other to ISP B.
The ISA connected to ISP A is working fine with no problem.
But I am facing a problem with the ISA connected to ISP B.
When I look at the xlate there is NAT going on, but it is not working at all. Any clues why it's not working? Attached is my configuration.
KFSHVPN# sho run
: Saved
:
PIX Version 7.0(6)
!
hostname KFSHVPN
domain-name kfsh.med.sa
enable password jDUXMyqeIzxQIVgK encrypted
names
dns-guard
!
interface Ethernet0
description CON2-INTERNET
nameif outside
security-level 0
ip address 212.x.x.146 255.255.255.240
!
interface Ethernet1
description CON2 AWAL
nameif outside2
security-level 0
ip address 78.x.x.194 255.255.255.248
!
interface GigabitEthernet0
description DMZ
nameif dmz
security-level 10
ip address 172.16.31.1 255.255.255.0
!
interface GigabitEthernet1
description CON2 -Inside
nameif inside
security-level 100
ip address 10.0.0.3 255.255.248.0
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup outside2
dns name-server 212.x.x.2
dns name-server 212.x.x.3
dns name-server 212.x.x.5
dns name-server 212.x.x.4
access-list ISA extended permit tcp any host 212.x.x.151 eq pptp
access-list ISA extended permit gre any host 212.x.x.151
access-list ISA extended permit icmp any any echo-reply
access-list ISA extended permit icmp any any time-exceeded
access-list ISA extended permit icmp any any unreachable
access-list ISA extended permit udp any host 212.x.x.155 eq 9996
access-list ISA extended permit tcp any host 212.x.x.155 eq www
access-list ISA extended permit tcp any host 212.x.x.155 eq 8080
access-list ISA extended permit udp any host 212.x.x.155 eq biff
access-list ISA extended permit tcp any host 212.x.x.155 eq 8500
access-list ISA extended permit tcp any host 212.x.x.155 eq 8600
access-list IN2OUT extended permit udp any host 212.x.x.155 eq 9996
access-list IN2OUT extended permit tcp any host 212.x.x.155 eq www
access-list IN2OUT extended permit tcp any host 212.x.x.155 eq 8080
access-list IN2OUT extended permit udp any host 212.x.x.155 eq biff
access-list IN2OUT extended permit tcp any host 212.x.x.155 eq 8500
access-list IN2OUT extended permit tcp any host 212.x.x.155 eq 8600
access-list IN2OUT extended permit tcp any host 212.x.x.155 eq 8700
access-list IN2OUT extended permit ip any any
access-list IN2OUT extended permit icmp any any echo-reply
access-list IN2OUT extended permit icmp any any time-exceeded
access-list IN2OUT extended permit icmp any any unreachable
access-list IN2OUT extended permit udp any any eq snmp
access-list IN2OUT extended permit udp any any eq 9996
access-list IN2OUT extended permit tcp any any eq www
access-list IN2OUT extended permit tcp any any eq pop3
access-list IN2OUT extended permit tcp any any
pager lines 24
mtu outside 1500
mtu outside2 1500
mtu dmz 1500
mtu inside 1500
no failover
no asdm history enable
arp timeout 14400
global (outside) 2 212.x.x.156 netmask 255.255.255.240
nat (inside) 2 10.0.0.0 255.255.255.240
nat (inside) 2 10.20.0.0 255.255.255.240
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 212.x.x.155 10.0.0.6 netmask 255.255.255.255 dns
static (dmz,outside) 212.x.x.151 172.16.31.3 netmask 255.255.255.255 dns
static (dmz,outside2) 78.93.12.197 172.16.31.4 netmask 255.255.255.255 dns
access-group ISA in interface outside
access-group IN2OUT in interface inside
route outside 0.0.0.0 0.0.0.0 212.12.181.145 1
route inside 10.0.0.0 255.0.0.0 10.0.0.10 1
http server enable
http 10.0.0.6 255.255.255.255 inside
http 10.0.0.2 255.255.255.255 inside
snmp-server host inside 10.0.0.1 community xxx
snmp-server host inside 10.0.0.2 community xxx
snmp-server host inside 10.0.0.5 community xxx
snmp-server host inside 10.0.0.6 community xxx
snmp-server host inside 10.0.0.8 community xxx
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 173.16.31.3 255.255.255.255 dmz
telnet 172.16.31.4 255.255.255.255 dmz
telnet 10.0.0.6 255.255.255.255 inside
telnet 10.0.0.4 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
KFSHVPN#
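Added example, not part of the original post: a Python consistency check that, for each static in a PIX 7.x configuration, reports whether the mapped interface also has an inbound access-group and at least one route. The embedded sample is a constructed excerpt of the configuration above (addresses masked), the name audit_statics is hypothetical, and the check assumes the mapped side is the lower-security interface, as it is for every static here.

```python
import re

# Constructed excerpt of the posted configuration: only the static,
# access-group and route lines, with public addresses masked.
SAMPLE_CONFIG = """\
static (inside,outside) 212.x.x.155 10.0.0.6 netmask 255.255.255.255 dns
static (dmz,outside) 212.x.x.151 172.16.31.3 netmask 255.255.255.255 dns
static (dmz,outside2) 78.x.x.197 172.16.31.4 netmask 255.255.255.255 dns
access-group ISA in interface outside
access-group IN2OUT in interface inside
route outside 0.0.0.0 0.0.0.0 212.x.x.145 1
route inside 10.0.0.0 255.0.0.0 10.0.0.10 1
"""

STATIC_RE = re.compile(r"static \(([^,\s]+),([^)\s]+)\) (\S+) (\S+)")
ACL_IN_RE = re.compile(r"access-group (\S+) in interface (\S+)")
ROUTE_RE = re.compile(r"route (\S+) \S+ \S+ \S+")


def audit_statics(config):
    """Map (mapped_interface, mapped_ip) -> list of missing prerequisites."""
    lines = [ln.strip() for ln in config.splitlines()]
    # Interfaces that have an ACL bound in the inbound direction.
    acl_in = {m.group(2) for ln in lines if (m := ACL_IN_RE.match(ln))}
    # Interfaces that have at least one static route pointing out of them.
    routed = {m.group(1) for ln in lines if (m := ROUTE_RE.match(ln))}

    findings = {}
    for ln in lines:
        m = STATIC_RE.match(ln)
        if not m:
            continue
        _real_if, mapped_if, mapped_ip, _real_ip = m.groups()
        missing = []
        if mapped_if not in acl_in:
            # Assumption: mapped side is lower security, so inbound
            # connections to the static need an explicit permit.
            missing.append("no inbound access-group")
        if mapped_if not in routed:
            missing.append("no route")
        if missing:
            findings[(mapped_if, mapped_ip)] = missing
    return findings


if __name__ == "__main__":
    for (iface, ip), missing in audit_statics(SAMPLE_CONFIG).items():
        print(f"static on {iface} ({ip}): " + ", ".join(missing))
```

On the sample, only the static mapped to outside2 is reported; both statics mapped to outside pass.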



