The answer is yes, but it depends.

If the traffic to C1 originates on the C subnet
  or a known subnet that you have entered static routes for,
then all is well.

If the traffic originates from an unknown subnet and you are then depending
on the default gateway,
        the outbound traffic will go out the B subnet, assuming it has been
set up as the default gateway.

I checked, and the Cisco docs for Version 6.0 state on page 2-21: "You can have
only one default route for the PIX Firewall."

This is the biggest hang-up that you run into.

If you want to do dual ISP using the IP address space assigned to you from
each ISP, you need to look at a product like Radware's LinkProof. It is a NAT
device that will do load balancing between the ISPs, sense where a DNS
request is coming from and calculate which ISP offers the shortest route and
give out the best DNS response, and sense an ISP failure and switch all traffic
over to the other ISP. Very nice box, but much $$$. It could pay for itself
if you use two less reliable ISP services instead of one very reliable
ISP, for example 2 ADSL services at $800 per year each versus 1 T1 at $2000
per month. The box would pay itself back in a year or two then.
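As an added illustration of the routing behaviour described in the reply above (this is example code written for this page, not anything from the thread or from Cisco): a toy model of a PIX with one inside host mapped to two public aliases, a routing table that rejects a second default route, and the egress decision for reply traffic. All addresses, the client subnets, and the "ISP C router on subnet B" layout are constructed assumptions from the RFC 5737 documentation ranges.

```python
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed placeholder addresses; none of these come from the thread.
A1 = ip_address("10.1.1.10")               # inside host A1
SUBNET_B = ip_network("192.0.2.0/24")      # PIX outside interface lives here (ISP B)
B1 = ip_address("192.0.2.10")              # public alias for A1 from ISP B
GW_B = ip_address("192.0.2.1")             # ISP B router, the one and only default gateway
SUBNET_C = ip_network("198.51.100.0/24")   # address space from ISP C
C1 = ip_address("198.51.100.10")           # second public alias for A1
GW_C = ip_address("192.0.2.2")             # ISP C router, assumed to sit on subnet B too
KNOWN_CLIENT = ip_address("203.0.113.7")   # in a subnet we have a static route for
UNKNOWN_CLIENT = ip_address("198.18.0.7")  # no specific route; default gateway applies


class Route(NamedTuple):
    prefix: IPv4Network
    next_hop: IPv4Address


class PixModel:
    """Toy stand-in for 'static (inside,outside) global local' plus 'route outside'."""

    def __init__(self, statics: Dict[IPv4Address, IPv4Address],
                 alias_owner: Dict[IPv4Network, IPv4Address],
                 routes: List[Route]) -> None:
        self.statics = statics          # public alias -> inside address
        self.alias_owner = alias_owner  # public subnet -> the ISP router that delivers it
        if sum(1 for r in routes if r.prefix.prefixlen == 0) > 1:
            raise ValueError("PIX: only one default route is allowed")
        # Longest prefix first, so the first match in next_hop() is the most specific.
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def next_hop(self, dst: IPv4Address) -> Optional[IPv4Address]:
        """Longest-prefix match; None means no route at all (packet dropped)."""
        for r in self.routes:
            if dst in r.prefix:
                return r.next_hop
        return None

    def inbound(self, dst: IPv4Address) -> Optional[IPv4Address]:
        """Untranslate an inbound packet's destination; None if no static covers it."""
        return self.statics.get(dst)

    def reply(self, client: IPv4Address, alias: IPv4Address
              ) -> Tuple[IPv4Address, IPv4Address, Optional[IPv4Address]]:
        """Reply packet for a session client->alias as (src, dst, egress next hop).
        The source stays the alias the client used; the next hop depends only on
        the client address, never on which alias was hit."""
        if alias not in self.statics:
            raise KeyError(f"no static for {alias}")
        return alias, client, self.next_hop(client)

    def return_path_symmetric(self, client: IPv4Address, alias: IPv4Address) -> bool:
        """True if the reply leaves via the ISP router that owns the alias' address space."""
        _, _, hop = self.reply(client, alias)
        owner = next(gw for net, gw in self.alias_owner.items() if alias in net)
        return hop == owner


def build_model() -> PixModel:
    return PixModel(
        statics={B1: A1, C1: A1},
        alias_owner={SUBNET_B: GW_B, SUBNET_C: GW_C},
        routes=[
            Route(ip_network("0.0.0.0/0"), GW_B),        # the single default route
            Route(ip_network("203.0.113.0/24"), GW_C),  # static route for a known client subnet
        ],
    )


def rejects_second_default() -> bool:
    """Mirror the documented one-default-route limit."""
    try:
        PixModel({}, {}, [Route(ip_network("0.0.0.0/0"), GW_B),
                          Route(ip_network("0.0.0.0/0"), GW_C)])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    pix = build_model()
    for client in (KNOWN_CLIENT, UNKNOWN_CLIENT):
        for alias in (B1, C1):
            src, dst, hop = pix.reply(client, alias)
            print(f"client {client} -> {alias}: reply {src}->{dst} via {hop}, "
                  f"symmetric={pix.return_path_symmetric(client, alias)}")
```

Running it shows the hang-up from the reply above: a session from the unknown client to C1 is answered with C1 as source, but the answer is handed to GW_B because only the default route matches, so it leaves through ISP B's link carrying ISP C's address; only the client subnet with a static route gets a symmetric return path.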

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 05, 2001 1:29 PM
To: Claussen, Ken; [EMAIL PROTECTED]
Subject: RE: Configuring a PIX 520 to handle Multiple ISP's


  Obviously, I wasn't clear about this....

Scenario:
  Host A1 is on some internal segment, behind the PIX.
  The PIX's external/untrusted interface is on subnet B.  Clearly, it 
can have a static definition mapping address B1 -- also on subnet B --
 to the internal address A1, allowing B1 to be used as a public 
"alias" for the private A1 address.

  In this case, we wish A1 to have a second alias, C1, from some 
other address range.  The question is, can the PIX be configured so 
that traffic addressed to C1, showing up at the PIX's interface on 
subnet B, gets passed to A1 and responses go back out via subnet B 
with C1 as their origin address?
  (There's no trouble arranging for traffic destined for subnet C to 
reach the PIX; the question is whether it can be configured to 
provide static NAT mapping for that subnet when it knows its 
interface is on subnet B.)

  Unfortunately, the PIX documentation I have is both out-of-date and 
not readily at hand.

David Gillett


On 5 Jun 2001, at 7:22, Claussen, Ken wrote:

> >> Hmmm....  Maybe the 
> >>PIX can't have conduits mapped to subnets other than the one the 
> >>interface is directly connected to?
> This is most assuredly possible, although opening holes to the internal
> network must always be evaluated on the basis of business need vs.
> security risk, for your environment. Assuming your route statements are
> correct and the PIX can reach the internal host, static statements may map
> to hosts on subnets several hops inside the firewall itself. This was
> verified on a PIX 520, unrestricted license, Version 5.1(2). Basically, if
> you can ping it from the PIX, you can map to it using a static/conduit set
> of statements.
> 
> Ken Claussen MCSE CCNA CCA
> [EMAIL PROTECTED]
> "The Mind is a Terrible thing to Waste!"
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 

