Comments inline:

> Shawn
> 
> This looks very interesting!  Thanks for sharing!
> 
> >>Bear in mind I haven't done it myself.
> >>However, I do successfully use different public IP's (from different
> >>interfaces) homed to the same internal host in my network on my production
> >>PIX.
> 
> I don't quite understand the above.  It sounds like you *are* doing exactly
> what I need to do if you have two public IP's targeting the same internal
> hosts-- but you do it on a production basis rather than just in a
> transitional mode.  I must be missing something!


Not exactly the same.  I don't use multiple ISP's.  I simply have internal
servers advertised on separate PIX interfaces using different public IP
addresses.  The DMZ interface has bastion hosts hanging off that communicate
to, say, our internal mail server with one address; then certain public
SMTP relays communicate with our internal mail server using the IP address
advertised on the OUTSIDE interface (of course, the addresses are .  The
difference in your situation is that you require default routes (0.0.0.0)
for two interfaces.  This I haven't tried, but believe it will work in your
situation just fine.

Remember, the PIX doesn't allow for multiple IP addresses assigned to an
interface (in a multi-homed sense; at least in v5.3) and it will not 'route'
across an interface-- it's not a router.  But you can 'advertise' multiple
addresses (of known subnets) on an interface with the STATIC rules you
set up, so that incoming traffic to that interface may be inspected, NAT'd if
necessary, and forwarded to the correct host or hosts.


> BTW, we also are tempted to continue using our "old" ISP in conjunction with
> the "new" one to provide some access redundancy.  We have had occasions
> where our old ISP has had outages and certain areas of the country haven't
> been able to access us for hours or sometimes most of a day.  But I gather
> that doing this requires that we obtain a special range of "universally
> recognized" IP addresses and then have each ISP map these IP address to our
> URL names.
> 
> If you don't mind me asking, how are you using the two ISP's to your
> benefit?


I haven't tried the two ISP scenario.

 
> Finally, if I use the DMZ interface card on my PIX (currently unused), can I
> plug that into a network cable that has both ISP's "resident on that line?
> IOW, we have two distinct T1's/routers from the respective ISP's.  Both
> routers then plug into our main network cabling infrastructure.  So will it
> work if I plug in one of these network cables into the OUTSIDE PIX card and
> another into the DMZ card, and configure as you have suggested?

Yes, this will work, though from a security standpoint not advisable.  I
would think that someone with a bit of knowledge of your network could,
knowing that two separate interfaces are exposed on the same segment,
circumvent access rules on one interface by spoofing traffic toward another.
If you can physically separate the two, all the better.


-Shawn
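A PIX 5.x-style configuration sketch of the setup described above (one internal mail server advertised under a different public address on the outside and DMZ interfaces via STATIC rules, with an access-list per interface), added here as an illustration and not taken from any configuration in this thread. All addresses are documentation/placeholder ranges, the interface names and the relay host are assumed, the single default route is assumed to point out the outside interface (the dual-ISP routing question raised in the thread is not covered by this fragment), and the `!` lines are annotations only.

```cisco
! Interface names and security levels are assumed; outside and dmz are on
! physically separate segments, as recommended in the reply above.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
! Placeholder public block on outside, placeholder block on dmz, placeholder inside net.
ip address outside 203.0.113.2 255.255.255.0
ip address dmz 198.51.100.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0

! Advertise the single internal mail server (10.0.0.25, placeholder) under a
! different public address on each lower-security interface.  The PIX answers
! for the mapped address on that interface and translates inbound traffic to
! the same internal host.
static (inside,outside) 203.0.113.25 10.0.0.25 netmask 255.255.255.255 0 0
static (inside,dmz) 198.51.100.25 10.0.0.25 netmask 255.255.255.255 0 0

! A static alone does not admit traffic; each interface needs its own
! access-list.  Only the mail port is opened, and the dmz side is restricted
! to the assumed relay host 198.51.100.50 rather than 'any'.
access-list outside_in permit tcp any host 203.0.113.25 eq smtp
access-group outside_in in interface outside
access-list dmz_in permit tcp host 198.51.100.50 host 198.51.100.25 eq smtp
access-group dmz_in in interface dmz

! Outbound translation for inside hosts leaving via the outside interface.
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
global (outside) 1 203.0.113.100-203.0.113.200 netmask 255.255.255.0

! Single default route via the outside interface (assumed for this sketch).
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

Verify the result with `show xlate` and `show conn` after a test connection to each public address: both should show translations terminating on the same internal host, each arriving through its own interface.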
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
