Thanks, Richard.

I think for us the best solution is to route both edge routers through the
PIX and use RIP to keep everyone happy.  Static routes are a consideration,
but I2 tends to be pretty dynamic and there are a lot of sloppy routes out
there (obviously) so I think that would be a losing battle.

As I'm not up to speed with OSPF, how would that help me here?  I had also
heard that OSPF was being introduced in 6.3.

J



"Imagination is more important than knowledge"
 
Albert Einstein


-----Original Message-----
From: Richard Deal [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, January 29, 2003 11:27 AM
To: [EMAIL PROTECTED]
Subject: ARe: PIX and asymmetry [7:62100]


Jamie,

Not quite...what you can do, however, is have all traffic go through one PIX
and have another PIX as a failover. In this scenario, if one PIX would fail,
the other could kick in--in this scenario, only one PIX is active. Of
course, this still presents a problem of an exit path--by default, the
active PIX would choose its default route and thus you would lose load
balancing out your two exit points. The PIX does support passive RIP, so
this might help. Or you could configure static routes...but you would,
unfortunately, not have any ability to route based on the source of the
address--only your Cisco routers have this ability. And perhaps in the
upcoming 6.3 release, OSPF might be introduced (--might--), but don't hold
your breath.

Hope this helps!

Cheers!
--

Richard A. Deal

Visit my home page at http://home.cfl.rr.com/dealgroup/

Author of Cisco PIX Firewalls, CCNA Secrets Revealed!, CCNP Remote Access
Exam Prep, CCNP Switching Exam Cram, and CCNP Cisco LAN Switch Configuration
Exam Cram

Cisco Test Prep author for QuizWare, providing the most comprehensive Cisco
exams on the market.




"Arnold, Jamie" wrote in message news:[EMAIL PROTECTED]...
> I have a situation that I hope some of you might shed some light on.
> We have 2 points of ingress to our campus.  One OC3 (Nycernet) for
> internet 2 and one (Time Warner).  Our commodity edge consists of a 7200
> router then the PIX.  The I2 edge is just a 7200 series router.  Our
> problem is that with certain sites, traffic going out on the I2 OC3 is
> returning via our commodity OC3 and the PIX drops it as it didn't see it
> originating on the inside (syn-ack without syn).  I recognize that the
> bigger problem may be with the way these sites are being routed back
> to us, but I have little control over that for now.  Both edge routers
> use BGP for updates.  I'm looking for a solution.  Can I install
> another PIX on the OC3 side and somehow have the 2 PIX boxes talk to
> each other and update each other's Xlate tables?
>
> Any suggestions would be appreciated
>
> Thanks
>
> Jamie
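
Added example, not part of the original thread: a minimal Python model of a stateful firewall's connection table, showing why the SYN-ACK is dropped when the SYN left through the I2 edge and why placing both edge routers outside one PIX removes the drop. The class, function names, addresses and topology labels are all constructed for illustration and do not reflect PIX internals.

```python
# Added illustration: toy model of stateful inspection under asymmetric routing.
# Addresses, ports and path names are constructed sample values.
from dataclasses import dataclass, field

@dataclass
class StatefulFirewall:
    name: str
    conns: set = field(default_factory=set)  # (in_ip, in_port, out_ip, out_port)

    def outbound(self, src, sport, dst, dport, flags):
        # An outbound SYN from the inside creates connection state.
        if flags == "SYN":
            self.conns.add((src, sport, dst, dport))
        return "permit"

    def inbound(self, src, sport, dst, dport, flags):
        # Inbound packets are permitted only if they match existing state.
        if (dst, dport, src, sport) in self.conns:
            return "permit"
        return "drop"  # e.g. SYN-ACK with no SYN seen by this firewall

def simulate(exit_path, return_path, firewalls):
    """Send a SYN out via exit_path and return the verdict on the SYN-ACK
    arriving via return_path. firewalls maps path name -> firewall, or None
    for an edge that has only a router (no stateful inspection)."""
    client, server = ("10.1.1.10", 40000), ("192.0.2.80", 80)
    fw_out = firewalls[exit_path]
    if fw_out is not None:
        fw_out.outbound(*client, *server, "SYN")
    fw_in = firewalls[return_path]
    if fw_in is None:
        return "permit"
    return fw_in.inbound(*server, *client, "SYN-ACK")

def current_design():
    # Commodity edge has the PIX; the I2 edge is only a router.
    return {"commodity": StatefulFirewall("pix"), "i2": None}

def two_independent_firewalls():
    # A second PIX on the I2 side with no shared connection state.
    return {"commodity": StatefulFirewall("pix-a"),
            "i2": StatefulFirewall("pix-b")}

def single_firewall_design():
    # Both edge routers sit outside the same PIX, so it sees both directions.
    pix = StatefulFirewall("pix")
    return {"commodity": pix, "i2": pix}
```
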




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=62123&t=62100