You can have two outside networks...the statics and access-lists will have
to be duplicated for each network which can make for a longer config.  You
will run into problems with the routing...one pipe will have to be a default
outbound.  And you have to do some "nasty" when it comes to inbound
connections:

       202.x.x.x           0.0.0.0
SPRINT ----------\       /---------\
                  Router             Pix ----------- Inside
UUNET  ----------/       \---------/
       61.x.x.x            10.0.0.0

We had to keep our networks separate (206 and 63) for some time because of a
previous design flaw.  For inbound connections, as the traffic came from the
UUNet pipe, the source address was changed to 10.x.x.x at the router and if
it came from Sprint the source was left alone.  You have to do this or all
response traffic will not take the same path out as it came in.  This was also
hell when it came to any traffic studies (web site stats, sniffers, etc.). You
can tell how much traffic came from the UUNet side, just could not tell a
source address.

Snippets of config:

access-list UUNET_Inbound permit tcp any host 61.1.1.1 eq www
access-list UUNET_Inbound permit tcp any host 61.1.1.1 eq 443
access-list SPRINT_Inbound permit tcp any host 202.1.1.1 eq www
access-list SPRINT_Inbound permit tcp any host 202.1.1.1 eq 443

static (inside,SPRINT) 202.1.1.1 10.1.1.1 netmask 255.255.255.255
static (inside,UUNET) 61.1.1.1 10.1.1.1 netmask 255.255.255.255

route SPRINT 0.0.0.0 0.0.0.0 202.x.x.x 1
route UUNET 10.0.0.0 255.0.0.0 62.x.x.x 1

The router takes it from there....

Hope this helps,
Tony


"Tai Ngo" wrote in message news:[EMAIL PROTECTED]...
> Hi All,
>
> Can somebody tell me if this is possible?  If so, please provide
> configuration details.   We have 2 ISPs, one that is 204.23.23.x and the
> other is 205.23.23.x.  We have 2 Pix firewalls, one which is configured
> for active with both outside interfaces.  The other pix is configured as
> standby.  Will the Pix firewall be smart enough to know how to route
> traffic back out the network it came from?  For example, if a user came
> into our website from 204.23.23.x , will the Pix know how to route the
> info back out that interface instead of through the 205.23.23.x network?
>
>
> My guess is it's not possible because when you look at the configuration
> on the Pix, to route info outside, you would use "route 0.0.0.0
> 204.23.23.x 1" .
>
> Thanks!
> FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=6598&t=5349
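
The return-path behaviour described in the reply above, modelled as an added example (not part of the original post and not anyone's production config). It applies longest-prefix matching to the two route statements from the config snippet; the client address, the 10.200.0.0/24 translation pool and all function names are assumptions made for illustration.

```python
import ipaddress

# The two PIX routes from the post: default out SPRINT, 10.0.0.0/8 out UUNET.
PIX_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "SPRINT"),
    (ipaddress.ip_network("10.0.0.0/8"), "UUNET"),
]
# Constructed pool the router rewrites UUNET-side client sources into (assumption).
UUNET_NAT_POOL = ipaddress.ip_network("10.200.0.0/24")


def pix_egress(dst):
    """Longest-prefix match: the interface the PIX uses to reach dst."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, ifc) for net, ifc in PIX_ROUTES if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def router_inbound(client_ip, isp, translate_uunet=True):
    """Source address the PIX sees for a client arriving via the given ISP."""
    if isp == "UUNET" and translate_uunet:
        # The real client address is replaced, so inside logs and sniffers
        # only ever see a pool address for UUNET-side visitors.
        usable = UUNET_NAT_POOL.num_addresses - 2
        host = int(ipaddress.ip_address(client_ip)) % usable + 1
        return str(UUNET_NAT_POOL[host])
    return client_ip


def reply_path(client_ip, isp, translate_uunet=True):
    """Return (source seen inside, interface the reply leaves by, symmetric?)."""
    seen = router_inbound(client_ip, isp, translate_uunet)
    out = pix_egress(seen)
    return seen, out, out == isp


if __name__ == "__main__":
    client = "198.51.100.7"  # constructed sample client address
    for isp, nat in (("SPRINT", True), ("UUNET", True), ("UUNET", False)):
        seen, out, ok = reply_path(client, isp, nat)
        print(f"in={isp:6} nat={nat!s:5} seen={seen:15} out={out:6} symmetric={ok}")
```

Without the translation, a client arriving over UUNET is answered through the SPRINT default route, which is the asymmetric path the reply warns about.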