Under OS 5.3 you could not have multiple default gateways, so you cannot run
the connections simultaneously.

I do not know if OS 6.0 has changed this any but I don't think so.

But this is the rub of your problem.

So the best I can figure is to use the short TTL setting in your DNS server. This
will cause the DNS server on the WWW to toss the record faster and see the
changes on your DNS settings sooner.

Set up a temp DNS server on the new ISP feed, configured the same as the
original DNS server (the old IP address). Assign it the IP address that will be
used by your original DNS server once you switch over to the new ISP.

Register the new DNS server with Internic. Now WWW server will know where to
find your DNS server once you switch.

Once you see hits on the original DNS server stop, set up the original DNS
server that is behind your firewall on your third NIC card on the DMZ to
reflect the DNS config you would use on the new ISP.

Set up a config file for the PIX in Notepad that would reflect your
requirements for the new ISP. Make sure the conduit or access list forwards
DNS requests to your current DNS server from the same IP address being used
by your temp DNS server.

Pick a quiet time of the night.

Pull the plug on your temp DNS server and apply the changes to the PIX.

Voilà, you are now on the new ISP with downtime equal to the TTL on your old
DNS server + time to apply changes to the PIX. Should be less than 5 minutes.

If I am way off base or someone has a better plan, please tell me, because
this is the basis of my plan to change ISP.


-----Original Message-----
From: Harry Whitehouse [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 04, 2001 3:57 PM
To: Firewall_List
Subject: Configuring a PIX 520 to handle Multiple ISP's


Hi All!

We are making a transition between one ISP and another.  We have routers for
both ISP's now operational on our general network ("outside" the PIX
firewall).

Is it possible to configure the PIX to handle both ISP's during the
transition period at the DNS servers?  It is a very simple configuration --
here are the lines which have the old ISP addresses:

1. ip address outside 38.168.115.180 255.255.255.0

2. global (outside) 1 38.168.115.160-38.168.115.179

3. static (inside,outside) 38.168.115.174 20.0.0.174 netmask 255.255.255.255 0 0

4. conduit permit tcp host 38.168.115.174 eq www any

5. route outside 0.0.0.0 0.0.0.0 38.168.114.1 1


I *do* have three network cards in the PIX -- I'm currently only using two.

I would *think* that I could add replicate configuration lines for 3 and 4.
IOW, couldn't I add

           static (inside,outside) 65.107.103.174 20.0.0.174 netmask 255.255.255.255 0 0
           conduit permit tcp host 65.107.103.174 eq www any

and have these coexist with the 38.168.115.174 statements?

I'm more concerned with items 1, 2 and 5.  But perhaps I can leave them as is
until the conversion is completed.  For transactions originated from *within*
our internal network, I'm happy to use the old ISP until the DNS conversion
is complete.  What I want to make sure is that folks from the outside can
access my internal servers even though some would be routed to the "old" ISP
address and others to the "new" ISP address while the new DNS information
propagated throughout the www.

Can anyone give me some insight on this?

TIA

Harry

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]