[c-nsp] PIX 506E handling multiple public networks

Shakeel Ahmad shakeelahmad at gmail.com
Thu Jan 11 04:31:19 EST 2007


My answer would be NO! as this seems to require policy routing
(incoming traffic coming from the 2nd ISP goes out of the 2nd ISP), which is not
supported on PIX (as far as I know).


If a customer request comes from the 2nd ISP and the default route is via the 1st ISP,
the reply for the traffic will go out of the 1st ISP, and if the ISP has good
security applied, like RPF checks on the client end, they would not allow that
traffic to transit their network.

What may be the solution? Hmm, if you can run PIX in three different contexts
(for 3 providers), and in routed mode obviously... then each context can
deal with its own traffic...

This is what I think of, but someone may add more here...

Shakeel


On 1/10/07, Daniel Lacey <daniel_p_lacey at yahoo.com> wrote:
>
> Dear Sirs,
>
> I have a PIX 506E running 6.3(4).
>
> I would like to handle multiple public IP networks through the PIX, if
> that is even possible.
> I will use fictitious addresses to make it simple.
>
> The current setup is pretty simple. The PIX (outside) interface is on a
> subnet with the ISP.
> The (inside) interface is connected to a 24-port Catalyst 10/100 switch
> (2900 something).
> The current setup statically NATs public to private IP addresses,
> limiting traffic to a handful of well known TCP ports to access WWW and
> some administrative ports.
>
> ISP Router <=======>   PIX (outside) (inside)   <====> Catalyst
> 1.0.0.1/28             1.0.0.2/28    192.168.0.1        All nodes on 192.168.0.0/24
>
> Now we would like to ramp up.
>
> Behind the PIX would be a virtual web server farm of potentially 1200+
> websites that will have individual public IP addresses.
> These will be on more than one public IP block of addresses.
> We want to keep the current /28, add a /23, then add another /2X, etc.
> The additional networks will be statically routed from the ISP over the
> existing link.
> There will be very little traffic for such a large number of nodes, but
> there is about 35Mbit of bandwidth currently available.
>
> My question is:
> Can I use the existing PIX to somehow make this work?
>
> Any suggestions are welcome!
>
> Thanks,
> Dan
>
>
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
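The single-link case Dan describes (one ISP, the extra blocks statically routed to the PIX outside address) is the one PIX 6.3 handles with plain one-to-one `static` translations plus an inbound ACL on the outside interface: the PIX needs no address in the routed /23, because the ISP's route already delivers those packets to 1.0.0.2, and the outside ACL in 6.x matches the global (public) address. With 1200+ sites the work is generating and sanity-checking the lines rather than typing them. The script below is an added example, not code from either poster: it keeps the fictitious 1.0.0.0/28 link block and 192.168.0.0/24 inside network from the post, and the added /23 (1.0.2.0/23), the ACL name `outside_in`, the service list and the small `SITE_MAP` are constructed assumptions.

```python
"""Generate and sanity-check PIX 6.3 one-to-one static NAT for a server farm
whose public addresses span several ISP-routed blocks.

Assumptions (constructed for this example, not from the original post):
the fictitious 1.0.0.0/28 link block and 192.168.0.0/24 inside network,
an added 1.0.2.0/23 that the ISP statically routes to the PIX outside address,
the ACL name "outside_in", and the small SITE_MAP below.
"""
import ipaddress

OUTSIDE_IF = ipaddress.ip_interface("1.0.0.2/28")      # PIX outside interface
ISP_GATEWAY = ipaddress.ip_address("1.0.0.1")          # ISP router on the /28
INSIDE_NET = ipaddress.ip_network("192.168.0.0/24")    # virtual web server farm
# Public blocks that reach the PIX over the single ISP link: the on-link /28
# plus blocks the ISP statically routes to OUTSIDE_IF.ip (assumed /23).
PUBLIC_BLOCKS = [ipaddress.ip_network("1.0.0.0/28"),
                 ipaddress.ip_network("1.0.2.0/23")]
ALLOWED_TCP = ("www", "https")   # PIX 6.3 port names permitted inbound per site

# Constructed mapping: public site address -> private server address.
SITE_MAP = {
    "1.0.0.5":  "192.168.0.5",
    "1.0.2.10": "192.168.0.10",
    "1.0.2.11": "192.168.0.11",
}


def validate(site_map, public_blocks=PUBLIC_BLOCKS, outside_if=OUTSIDE_IF,
             gateway=ISP_GATEWAY, inside_net=INSIDE_NET):
    """Return a list of problems; an empty list means the mapping is deployable."""
    problems = []
    # Addresses on the ISP link that must never be handed out as site globals.
    reserved = {outside_if.ip, gateway,
                outside_if.network.network_address,
                outside_if.network.broadcast_address}
    for pub, priv in site_map.items():
        pub_ip = ipaddress.ip_address(pub)
        priv_ip = ipaddress.ip_address(priv)
        if not any(pub_ip in blk for blk in public_blocks):
            problems.append(f"{pub}: not in any block the ISP delivers to this PIX")
        if pub_ip in reserved:
            problems.append(f"{pub}: reserved on the ISP link (gateway, PIX, net or bcast)")
        if priv_ip not in inside_net:
            problems.append(f"{priv}: not on the inside network {inside_net}")
    return problems


def render_pix_config(site_map, acl_name="outside_in", services=ALLOWED_TCP):
    """Emit PIX 6.3 'static' and 'access-list' lines for every site.

    The on-link /28 globals are answered by the PIX on the outside segment; the
    routed blocks need no interface address because the ISP's static route
    already points them at OUTSIDE_IF.ip.
    """
    ordered = sorted(site_map.items(), key=lambda kv: ipaddress.ip_address(kv[0]))
    lines = []
    for pub, priv in ordered:
        # One-to-one NAT: global (public) address on outside -> local on inside
        lines.append(f"static (inside,outside) {pub} {priv} netmask 255.255.255.255 0 0")
    for pub, _ in ordered:
        for svc in services:
            # PIX 6.x outside ACLs match the global (pre-untranslation) address
            lines.append(f"access-list {acl_name} permit tcp any host {pub} eq {svc}")
    lines.append(f"access-group {acl_name} in interface outside")
    return lines


if __name__ == "__main__":
    errs = validate(SITE_MAP)
    if errs:
        raise SystemExit("\n".join(errs))
    print("\n".join(render_pix_config(SITE_MAP)))
```

`validate` rejects the mistakes that are easy to make at this scale: a public address outside every block the ISP actually routes to the PIX (traffic would never arrive), the ISP gateway or PIX address mapped to a server, and a private address off the inside network. Whether a 506E will hold 1200+ statics and the matching ACL entries is a platform-limit question this example leaves open.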

