Given that you have a 3rd interface in your PIX that isn't being used, you
should be able to do it - presuming that traffic from your new ISP comes in on
a separate interface (or router). Bear in mind I haven't done it myself.
However, I do successfully use different public IPs (from different
interfaces) homed to the same internal host in my network on my production
PIX.
Here's a suggested config that comes to mind (using DMZ1 as the interface
name):
-------------------------------
nameif ethernet0 inside security100
nameif ethernet1 outside security0
nameif ethernet2 dmz1 security50
ip address outside 38.168.115.180 255.255.255.0
ip address inside 192.168.x.x 255.255.255.0
ip address dmz1 64.107.193.x 255.255.255.0
global (outside) 1 38.168.115.160-38.168.115.179
nat (inside) 1 192.168.x.x 255.255.255.0
static (inside,outside) 38.168.115.174 192.168.0.174 netmask 255.255.255.255 0 0
static (inside,dmz1) 64.107.193.y 192.168.0.174 netmask 255.255.255.255 0 0
access-list acl_outside permit tcp any host 38.168.115.174 eq www
access-list acl_dmz1 permit tcp any host 64.107.193.y eq www
access-group acl_outside in interface outside
access-group acl_dmz1 in interface dmz1
route outside 0.0.0.0 0.0.0.0 38.168.114.1 1
route dmz1 0.0.0.0 0.0.0.0 64.107.193.z 1
--------------------------------
I prefer access lists rather than conduits (they're becoming obsolete...
notice the thread going around about converting conduits to access lists?).
There's no GLOBAL statement for the DMZ1 interface, so internal hosts won't
NAT out that interface.
Regards,
Shawn
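A small consistency check for a config of the kind suggested above, added here as an example; it is not from the thread and not a Cisco tool. It parses only the statement types the fragment uses, with the x/y/z placeholders filled in with assumed values and ethernet0 named "inside", and reports what a practitioner would want to catch before bringing the second upstream live: a static that sits inside the dynamic global pool (reserve it out of the pool), a default-route next hop that is not on the interface's subnet as masked (a typo or a mask that needs widening), an access-group bound to an undefined list or interface, and lower-security interfaces with no global pool (the point about internal hosts not NATing out dmz1).

```python
"""Lint a PIX 6.x-style config fragment for mistakes that are easy to make when a
second upstream is added on a spare interface.  Added example, not code from the
thread; PIX syntax is parsed only as far as these checks need."""
import ipaddress
from collections import Counter

# Constructed sample: the suggested config with x/y/z filled in (assumed values).
SAMPLE_CONFIG = """\
nameif ethernet0 inside security100
nameif ethernet1 outside security0
nameif ethernet2 dmz1 security50
ip address outside 38.168.115.180 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip address dmz1 64.107.193.2 255.255.255.0
global (outside) 1 38.168.115.160-38.168.115.179
nat (inside) 1 192.168.0.0 255.255.255.0
static (inside,outside) 38.168.115.174 192.168.0.174 netmask 255.255.255.255 0 0
static (inside,dmz1) 64.107.193.174 192.168.0.174 netmask 255.255.255.255 0 0
access-list acl_outside permit tcp any host 38.168.115.174 eq www
access-list acl_dmz1 permit tcp any host 64.107.193.174 eq www
access-group acl_outside in interface outside
access-group acl_dmz1 in interface dmz1
route outside 0.0.0.0 0.0.0.0 38.168.114.1 1
route dmz1 0.0.0.0 0.0.0.0 64.107.193.1 1
"""


def parse_config(text):
    """Pull out the statement types the checks care about."""
    cfg = {"nameif": [], "addr": {}, "global": [], "nat": [], "static": [],
           "acl": set(), "group": [], "route": []}
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "nameif":                 # nameif <hw> <name> security<N>
            cfg["nameif"].append((p[1], p[2], int(p[3][len("security"):])))
        elif p[:2] == ["ip", "address"]:     # ip address <name> <ip> <mask>
            cfg["addr"][p[2]] = ipaddress.ip_interface(f"{p[3]}/{p[4]}")
        elif p[0] == "global":               # global (<name>) <id> <lo>[-<hi>]
            lo, _, hi = p[3].partition("-")
            cfg["global"].append((p[1].strip("()"), ipaddress.ip_address(lo),
                                  ipaddress.ip_address(hi or lo)))
        elif p[0] == "nat":                  # nat (<name>) <id> <net> <mask>
            cfg["nat"].append(p[1].strip("()"))
        elif p[0] == "static":               # static (<real>,<mapped>) <mapped-ip> <real-ip> ...
            real, mapped = p[1].strip("()").split(",")
            cfg["static"].append((real, mapped, ipaddress.ip_address(p[2]),
                                  ipaddress.ip_address(p[3])))
        elif p[0] == "access-list":
            cfg["acl"].add(p[1])
        elif p[0] == "access-group":         # access-group <acl> in interface <name>
            cfg["group"].append((p[1], p[4]))
        elif p[0] == "route":                # route <name> <net> <mask> <gw> [metric]
            cfg["route"].append((p[1], ipaddress.ip_network(f"{p[2]}/{p[3]}"),
                                 ipaddress.ip_address(p[4])))
    return cfg


def lint(cfg):
    """Return a list of human-readable findings (empty list means clean)."""
    findings = []
    names = Counter(n for _, n, _ in cfg["nameif"])
    for name, count in names.items():
        if count > 1:
            findings.append(f"nameif: '{name}' assigned to {count} interfaces")
    pools = cfg["global"]
    for real, mapped, mapped_ip, _real_ip in cfg["static"]:
        for iface in (real, mapped):
            if iface not in names:
                findings.append(f"static: unknown interface '{iface}'")
        for gif, lo, hi in pools:           # a static inside a dynamic pool collides
            if gif == mapped and lo <= mapped_ip <= hi:
                findings.append(f"static: {mapped_ip} overlaps global pool {lo}-{hi} on {gif}")
    for acl, iface in cfg["group"]:
        if acl not in cfg["acl"]:
            findings.append(f"access-group: '{acl}' is not defined")
        if iface not in names:
            findings.append(f"access-group: unknown interface '{iface}'")
    for iface, net, gw in cfg["route"]:      # next hop must be directly reachable
        addr = cfg["addr"].get(iface)
        if addr is None:
            findings.append(f"route: interface '{iface}' has no ip address")
        elif gw not in addr.network:
            findings.append(f"route: next hop {gw} for {net} is not on {iface} ({addr.network})")
    has_global = {gif for gif, _, _ in pools}
    levels = {n: lvl for _, n, lvl in cfg["nameif"]}
    for nat_if in cfg["nat"]:                # higher -> lower traffic needs a translation
        for name, lvl in levels.items():
            if lvl < levels.get(nat_if, 0) and name not in has_global:
                findings.append(f"nat: no global pool on {name}; {nat_if} hosts without a "
                                f"static have no translation toward it")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

On the sample above it reports three things: the outside static 38.168.115.174 lies inside the 38.168.115.160-179 pool, the outside default route points at 38.168.114.1 which is not in 38.168.115.0/24, and dmz1 has no global pool so only the host with a static (inside,dmz1) entry has any translation toward that interface, which is exactly the intended behaviour here.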
> -----Original Message-----
> From: Harry Whitehouse [mailto:[EMAIL PROTECTED]]
> Sent: Monday, June 04, 2001 2:57 PM
> To: Firewall_List
> Subject: Configuring a PIX 520 to handle Multiple ISP's
>
>
> Hi All!
>
> We are making a transition between one ISP and another. We have routers for
> both ISPs now operational on our general network ("outside" the PIX firewall).
>
> Is it possible to configure the PIX to handle both ISPs during the transition
> period at the DNS servers? It is a very simple configuration -- here are the
> lines which have the old ISP addresses:
>
> 1. ip address outside 38.168.115.180 255.255.255.0
>
> 2. global (outside) 1 38.168.115.160-38.168.115.179
>
> 3. static (inside,outside) 38.168.115.174 20.0.0.174 netmask 255.255.255.255 0 0
>
> 4. conduit permit tcp host 38.168.115.174 eq www any
>
> 5. route outside 0.0.0.0 0.0.0.0 38.168.114.1 1
>
>
> I *do* have three network cards in the PIX -- I'm currently only using two.
>
> I would *think* that I could add replicate configuration lines for 3 and 4.
> IOW, couldn't I add
>
> static (inside,outside) 65.107.103.174 20.0.0.174 netmask 255.255.255.255 0 0
> conduit permit tcp host 65.107.103.174 eq www any
>
> and have these coexist with the 38.168.115.174 statements?
>
> I'm more concerned with items 1, 2 and 5. But perhaps I can leave them as is
> until the conversion is completed. For transactions originating from *within*
> our internal network, I'm happy to use the old ISP until the DNS conversion
> is complete. What I want to make sure is that folks from the outside can
> access my internal servers even though some would be routed to the "old" ISP
> address and others to the "new" ISP address while the new DNS information
> propagated throughout the www.
>
> Can anyone give me some insight on this?
>
> TIA
>
> Harry
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>