We have an internet connection from 2 different ISP, I want to use the same PIX 525 firewall 7.0(6)

We have internet connections from 2 different ISPs and I want to use the same PIX 525 firewall, 7.0(6). My firewall has 2 Ethernet interfaces & 2 Gigabit Ethernet interfaces. I am using Ethernet 0 for the outside connection with ISP A, Ethernet 1 for the outside2 connection with ISP B, Gigabit Ethernet 0 for the DMZ zone and Gigabit Ethernet 1 for Inside, connected to the LAN. I have 2 ISA servers and I want to connect both of them in the DMZ zone, one connected to ISP A and the other to ISP B. The ISA connected to ISP A is working fine with no problem, but I am facing a problem with the ISA connected to ISP B. When I look at the xlate there is NAT going on but it is not working at all. Any clues why it's not working? Attached is my configuration.

KFSHVPN# sho run
: Saved
:
PIX Version 7.0(6)
!
hostname KFSHVPN
domain-name kfsh.med.sa
enable password jDUXMyqeIzxQIVgK encrypted
names
dns-guard
!
interface Ethernet0
 description CON2-INTERNET
 nameif outside
 security-level 0
 ip address 212.x.x.146 255.255.255.240
!
interface Ethernet1
 description CON2 AWAL
 nameif outside2
 security-level 0
 ip address 78.x.x.194 255.255.255.248
!
interface GigabitEthernet0
 description DMZ
 nameif dmz
 security-level 10
 ip address 172.16.31.1 255.255.255.0
!
interface GigabitEthernet1
 description CON2 -Inside
 nameif inside
 security-level 100
 ip address 10.0.0.3 255.255.248.0
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup outside2
dns name-server 212.x.x.2
dns name-server 212.x.x.3
dns name-server 212.x.x.5
dns name-server 212.x.x.4
access-list ISA extended permit tcp any host 212.x.x.151 eq pptp
access-list ISA extended permit gre any host 212.x.x.151
access-list ISA extended permit icmp any any echo-reply
access-list ISA extended permit icmp any any time-exceeded
access-list ISA extended permit icmp any any unreachable
access-list ISA extended permit udp any host 212.x.x.155 eq 9996
access-list ISA extended permit tcp any host 212.x.x.155 eq www
access-list ISA extended permit tcp any host 212.x.x.155 eq 8080
access-list ISA extended permit udp any host 212.x.x.155 eq biff
access-list ISA extended permit tcp any host 212.x.x.155 eq 8500
access-list ISA extended permit tcp any host 212.x.x.155 eq 8600
access-list IN2OUT extended permit udp any host 212.x.x.155 eq 9996
access-list IN2OUT extended permit tcp any host 212.x.x.155 eq www
access-list IN2OUT extended permit tcp any host 212.x.x.155 eq 8080
access-list IN2OUT extended permit udp any host 212.x.x.155 eq biff
access-list IN2OUT extended permit tcp any host 212.x.x.155 eq 8500
access-list IN2OUT extended permit tcp any host 212.x.x.155 eq 8600
access-list IN2OUT extended permit tcp any host 212.x.x.155 eq 8700
access-list IN2OUT extended permit ip any any
access-list IN2OUT extended permit icmp any any echo-reply
access-list IN2OUT extended permit icmp any any time-exceeded
access-list IN2OUT extended permit icmp any any unreachable
access-list IN2OUT extended permit udp any any eq snmp
access-list IN2OUT extended permit udp any any eq 9996
access-list IN2OUT extended permit tcp any any eq www
access-list IN2OUT extended permit tcp any any eq pop3
access-list IN2OUT extended permit tcp any any
pager lines 24
mtu outside 1500
mtu outside2 1500
mtu dmz 1500
mtu inside 1500
no failover
no asdm history enable
arp timeout 14400
global (outside) 2 212.x.x.156 netmask 255.255.255.240
nat (inside) 2 10.0.0.0 255.255.255.240
nat (inside) 2 10.20.0.0 255.255.255.240
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 212.x.x.155 10.0.0.6 netmask 255.255.255.255 dns
static (dmz,outside) 212.x.x.151 172.16.31.3 netmask 255.255.255.255 dns
static (dmz,outside2) 78.93.12.197 172.16.31.4 netmask 255.255.255.255 dns
access-group ISA in interface outside
access-group IN2OUT in interface inside
route outside 0.0.0.0 0.0.0.0 212.12.181.145 1
route inside 10.0.0.0 255.0.0.0 10.0.0.10 1
http server enable
http 10.0.0.6 255.255.255.255 inside
http 10.0.0.2 255.255.255.255 inside
snmp-server host inside 10.0.0.1 community xxx
snmp-server host inside 10.0.0.2 community xxx
snmp-server host inside 10.0.0.5 community xxx
snmp-server host inside 10.0.0.6 community xxx
snmp-server host inside 10.0.0.8 community xxx
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 173.16.31.3 255.255.255.255 dmz
telnet 172.16.31.4 255.255.255.255 dmz
telnet 10.0.0.6 255.255.255.255 inside
telnet 10.0.0.4 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
KFSHVPN#

Answer Wiki


I would think this is possibly a routing issue.

route outside 0.0.0.0 0.0.0.0 212.12.181.145 1

I can see you have NAT’d both interfaces using the relevant IP blocks from your providers, however you are routing all traffic to provider IP 212.12.181.145.

This provider may be dropping the traffic from 78.93.12.197 as possible IP spoofing.

Just a thought.

Adding some information to the above answer.

Your default route points to ISP A, so no traffic will be routed to ISP B. You might be able to configure a 2nd default route with a higher admin distance pointing at ISP B. Something like this:

route outside2 0.0.0.0 0.0.0.0 78.x.x.x 10

I haven't tried this on a PIX but it should work. The effect would be that all traffic would take ISP A until the interface to ISP A went down; at that time all traffic would take ISP B. You would also have to configure NAT properly for each outside interface.

If you want something more advanced, like distributing traffic load across both ISPs at the same time, you'll need to get a router and connect your ISPs to it instead of the PIX.
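As an added example (not code from the question or either answer), here is a small Python audit that cross-checks the static/global translations in a PIX-style configuration against its route table, which is the mismatch both answers point at: a translation owned by outside2 while the only default route leaves outside. The configuration excerpt is constructed from the lines in the question (masked addresses left masked), and every finding is a review item rather than a diagnosis.

```python
import re
from collections import defaultdict
# Constructed excerpt modelled on the PIX configuration in the question
# (addresses masked with "x" stay masked, as in the post).
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
interface Ethernet1
 nameif outside2
global (outside) 2 212.x.x.156 netmask 255.255.255.240
nat (inside) 2 10.0.0.0 255.255.255.240
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) 212.x.x.151 172.16.31.3 netmask 255.255.255.255 dns
static (dmz,outside2) 78.93.12.197 172.16.31.4 netmask 255.255.255.255 dns
route outside 0.0.0.0 0.0.0.0 212.12.181.145 1
route inside 10.0.0.0 255.0.0.0 10.0.0.10 1
"""

NAMEIF_RE = re.compile(r"^\s*nameif (\S+)")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+)")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")

def audit_nat_routes(config):
    """Cross-check translations against routes; each finding is a list of
    interface names or nat ids worth a second look (not proof of a fault)."""
    ifaces, translating, nat_ids, global_ids = set(), set(), set(), set()
    routes = defaultdict(list)            # interface -> [destination networks]
    for line in config.splitlines():
        if m := NAMEIF_RE.match(line):
            ifaces.add(m.group(1))
        elif m := STATIC_RE.match(line):
            translating.add(m.group(2))   # mapped address lives on this interface
        elif m := GLOBAL_RE.match(line):
            translating.add(m.group(1)); global_ids.add(m.group(2))
        elif m := NAT_RE.match(line):
            nat_ids.add(m.group(2))
        elif m := ROUTE_RE.match(line):
            routes[m.group(1)].append(m.group(2))
    return {
        # interface named in a static/global but never defined with nameif
        "unknown_ifaces": sorted(translating - ifaces),
        # nat ids that have no matching global on any interface
        "untranslated_nat_ids": sorted(nat_ids - global_ids),
        # interfaces that own translations but have no route leaving them
        "nat_without_route": sorted(i for i in translating if not routes.get(i)),
        # interfaces that carry a 0.0.0.0/0 route
        "default_route_ifaces": sorted(i for i, d in routes.items() if "0.0.0.0" in d),
    }
```

Appending the second default route from the answer above (with a placeholder gateway) clears the "nat_without_route" finding for outside2.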
