On Mon, October 24, 2005 04:48, Felice Gaiba wrote:

> My name is Felix,

> I have a problem: is it possible to configure a PIX 515 for this configuration?

[ASCII picture removed...]

> It is necessary for me to use Internet 1 Router if Internet 2 Router or Line is down, and vice versa.....

> And certain PCs exit from Internet 2 and others from Internet 1.

> The software in the PIX is Version 6.3

Your basic setup is that you have two Cisco routers, each connected to
their own Internet connection, and a Cisco PIX firewall. Your
drawing has the "inside" interface of each Cisco router going to
a different port on the PIX firewall -- this will make things much more
difficult to set up since those two interfaces will have two different
security levels.

My first thought is to put the two routers and the PIX outside port into a
single switch and configure HSRP and BGP (IBGP?) between the two
routers. This will allow the PIX to use the HSRP address to get out,
regardless of the actual state of either router. Furthermore, BGP
can then be configured to watch the Internet links' status and when one
goes down it will remove the affected routes from the shared routing
table.

It's been a while since I have had to set this up, and the size of your
routers and/or your ISP's features might be a limiting factor for the BGP
setup. HSRP should be configurable on nearly any Cisco router from
what I remember.



Dan



- - - - -

"Wait for that wisest of all counselors, time." -- Pericles

"I do not fear computer, I fear the lack of them." -- Isaac
Asimov

GPG fingerprint:6FFD DB94 7B96 0FD8 EADF 2EE0 B2B0 CC47 4FDE 9B68

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/li...rewall-wizards
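
The HSRP half of the layout suggested in the reply above, as an added configuration sketch that is not part of the original message and not the poster's own configuration. All addresses (192.0.2.0/24 documentation range), interface names, the HSRP group number and the priorities are assumptions; BGP is not shown, and HSRP interface tracking stands in here for the local link-down case only.

```cisco
! Constructed example: both routers and the PIX outside port share one
! switch/VLAN. 192.0.2.1 is the HSRP virtual address the PIX points at.
!
! --- Router A (Internet 1), LAN side on the shared outside switch ---
interface FastEthernet0/0
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 ! Drop priority by 20 (110 -> 90) when the WAN line protocol goes down,
 ! so Router B (priority 100) preempts and takes over the virtual address.
 standby 1 track Serial0/0 20
!
! --- Router B (Internet 2), same segment ---
interface FastEthernet0/0
 ip address 192.0.2.3 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 100
 standby 1 preempt
 ! If B's own WAN fails (100 -> 80), A stays active.
 standby 1 track Serial0/0 20
!
! --- PIX 515, software 6.3: a single outside interface ---
ip address outside 192.0.2.10 255.255.255.0
! Default route goes to the HSRP virtual address, not to either router.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
```

Interface tracking reacts only to the local WAN interface going down; a failure further upstream at the ISP is not detected this way, which is the case the BGP part of the reply is meant to cover.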