Load balancing between DMZ and outside routers through PIX firewall
haseeb_eng 2003-04-14, 6:13 am
Scenario:
A 3600 series router is connected to the PIX firewall's DMZ interface, and on the outside interface there is one more router (3Com or Cisco) connecting to the internet.
Solution required:
Currently I am accessing the internet through the outside router. Now I want to take one more internet connection through the DMZ 3600 router and want to do load balancing. The PIX comes in between, and the customer said that I don't need to worry about the outside router because it is already configured for load balancing; it is probably 3Com but could be Cisco also (I am not responsible for that router, so I can only configure the PIX and the DMZ 3600 router). Can anybody tell me how I could do this?
mosam 2003-04-14, 11:34 am
Well, to start with, hooking an internet link into the DMZ would be a major concern. What is the DMZ for then?
As I understand, you want to load balance the internet traffic between the new link you want to add to the 3600 (or the DMZ link) and the original link you already have on the outside interface, right?
Well, you cannot do much in the PIX as far as I know in that regard. And as long as you have this setup, either I still don't understand it well, or it is something that should not be done in the first place.
Can you attach a brief diagram, just to make sure we understand you correctly?
haseeb_eng 2003-04-15, 2:29 am
I am attaching the file in MS Word format. Visio was not uploading; please check it.
Well, the only thing that I can think of is to manually distribute your networks among the two links.
First, let me ask, are you running any kind of IGP or BGP with your service provider(s)?
If you have multiple address blocks (multiples of /24), you will have to manually engineer your traffic. For example, let's say your DMZ is NATted to 200.200.200.0/24, while inside is NATted to 100.100.100.0/24 (apart from my concerns on the use of your DMZ that I will discuss below); you will have to route internal network 100.100.100.0/24 through the PIX, for example, while 200.200.200.0 is routed through the 3600, etc.
If your blocks cannot be split into prefixes of 24 bits or less, I don't think you have any luck here, as most providers refuse to announce prefixes longer than 24 bits.
The important thing I would like to note here is that I don't see a proper use of the PIX at all. The DMZ design in this setup is a real concern. I am not sure of the physical location of the equipment, but if they are in the same physical location, and if you must do load balancing, I would highly recommend that you move the 3600 router to act as the perimeter router, not only for load balancing, but for a properly secure network as well. In such a case, the 3660 would have both internet links and dialup users and be connected to the outside network of the PIX; then you can have the PIX with both inside and DMZ zones behind it. If it's possible to do that, I would highly recommend you do it.
Load balancing would then become possible and easier, even if you are connected to different providers. It would be optimum load balancing if the 3660 is a BGP speaker or speaks any other dynamic protocol with the ISP (in case of a single ISP). There would be many ways to do load balancing this way. But as long as you have this setup, this is what I can think of.
I hope someone else gives feedback on this; s/he may see something I don't see here.
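Added example, not from the thread or from either poster: a configuration sketch of the redesign recommended above, with the 3600 as the perimeter router holding both internet links and the PIX (inside and DMZ) entirely behind it. Every address, interface name and ISP next hop is a constructed placeholder from the documentation ranges. The router uses two equal-cost static default routes with CEF for per-destination sharing, and interface-matched NAT so that the replies to a flow come back over the link it left by; the PIX keeps a single default route and no longer has to pick a link.

```cisco
! --- 3600 series perimeter router (hypothetical addresses, documentation ranges) ---
ip cef
!
interface Serial0/0
 description Link to ISP-A
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface Serial0/1
 description Link to ISP-B
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/0
 description Outside segment shared with the PIX outside interface
 ip address 192.0.2.1 255.255.255.0
 ip nat inside
!
! Two equal-cost default routes: CEF shares outbound flows per destination
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Translate per exit interface so a flow's replies return on the same ISP link
ip nat inside source route-map VIA-ISP-A interface Serial0/0 overload
ip nat inside source route-map VIA-ISP-B interface Serial0/1 overload
!
route-map VIA-ISP-A permit 10
 match ip address 10
 match interface Serial0/0
!
route-map VIA-ISP-B permit 10
 match ip address 10
 match interface Serial0/1
!
! Only the PIX outside segment is translated (constructed address block)
access-list 10 permit 192.0.2.0 0.0.0.255
!
! --- PIX (6.x syntax), now entirely behind the router ---
! Inside and DMZ hosts leave the PIX with addresses from the outside segment;
! the router then translates them again toward whichever ISP link CEF chose.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 10.2.2.1 255.255.255.0
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
nat (dmz) 1 10.2.2.0 255.255.255.0 0 0
global (outside) 1 192.0.2.10-192.0.2.254 netmask 255.255.255.0
! Single default toward the perimeter router; link selection happens on the router
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
```

Two caveats a practitioner would want. Static default routes only fail over when the serial interface itself goes down, not when a provider loses reachability further upstream, which is why the BGP remark above matters for real resilience. And any DMZ server published to the internet now needs a translation on both devices (a `static` on the PIX and a matching `ip nat inside source static` on the router for each provider's address), so keep an inventory of those mappings rather than letting them accumulate.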
Is the PIX outside interface in the current setup connected to a VLAN in the 4006 along with the link you have from your ISP?
In that case, you don't have to worry about a single point of failure; all you will need is to have the ethernet interface of the 3600 connected to the same VLAN to act as a perimeter router.
Do you have any RSM in the 4006? If so, you can connect it to one service provider and terminate the L3 in the 4006 itself. In that sense, you can run RIP between the PIX outside, the 3600 and the 4006, and if you don't want to do that, you can run an HSRP address between both the RSM and the 3600 as a gateway for the PIX and the rest of the outside network equipment.
Anyway, I just need you to elaborate a little bit on my comments. I don't want to drift from the main point, but I had to give my comments since I see a major security concern with this setup.