Solved

PIX 515 Routing Problems

Posted on 2004-03-24
12
1,248 Views
Last Modified: 2013-11-16
I could really use some help, guys....

I have two T-1's (IP's of 68.152.249.x) that "terminate" into a Cisco 2620 (two serial & two lan ports).  Each 2620 LAN Port goes into a port on a PIX 515.  A third (ethernet) port on the PIX connects to a LAN with addresses of 10.10.10.x.

Right now, I have a default route in the PIX pointing all traffic to one of the T-1's.  However, with the second T-1 (serving a different department).  I want to put a route in the pix that says (to the effect) that if you come from address pool y, then you go to T-1 #1, and if you come from address pool z, then you go to T-1 #2.  

I know you can't specify one default route (one per interface would be really nice), so I wasn't sure if this is something that could be handled in the PIX, or if I had to do it in the 2620.

Any suggestions are welcome!
0
Comment
Question by:brianclay
  • 6
  • 5
12 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 10676377
You have to do it on the 2620.
What you want to do is setup each department on a separate subnet if you can, or at least group the addresses so that they can be segregated with a mask.
The concept is this:
1. each department has at least the appearance of a different subnet
2. each subnet gets a unique outgoing NAT/PAT address going out the firewall
3. 2620 makes routing decision based on source address
4. If source address = NAT address of Dept A, send through T1 #1
5. If source address = NAT address of Dept B, send through T1 #2

To accomplish that, you do NOT need the 2nd Ethernet port of the router connecting to the extra interface of the PIX. That will not help you one bit.

Question for you: do both T1's go to the same ISP? It will make a difference if you have two different ISP's and two different IP address blocks.
0
 
LVL 4

Expert Comment

by:hawgpig
ID: 10677159
I'm not completely sure of your configuration....
But I think what you are trying to do is a simple
route outside statement...
here is the syntax...
route outside 192.168.0.1 255.255.255.0 68.152.249.x 1
this reads this way
route anything in the 192.168.0.1/24 subnet to ip address 68.152.249.x 1 hop away...
what this will do is send
any data that is coming from the 192.168.0.1/24 to the ethernet x interface ip address on the 2620...
at that point the 2620 will decide where to send the data....  
I'm not quite sure what your typology is...
sounds like you are using DMZ interfaces for the two different departments...???
This should still work though....
You may need to do some sort of
route dmz statement also....
Typology with IPs would be helpful here.....
0
 

Author Comment

by:brianclay
ID: 10677717
lr moore

what are the comands to have the 2620 perform the conditional static routes?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 10677937

You would use policy routing with a route map, something like this.
Given:
Group A private IP = 192.168.2.x
Group A Public IP from PIX = 12.34.5.6
Group B private IP = 192.168.3.x
Group B Public IP from PIX = 12.34.5.7

# create access-lists to define the traffic source/destination
access-list 102 permit ip host 12.34.5.6 any
access-list 103 permit ip host 12.34.5.7 any
!
# create route-map to direct the traffic as it matches the acl
route-map TEST permit 10
 match address 102
 set default interface serial 0/0.1  <-- interface to ISP1
!
route-map TEST permit 20
 match address 103
 set default interface serial 1/0.1  <-- interface to ISP2
!
# apply the routemap to the LAN interface that connects to the PIX
!
interface fast 0/0
 ip policy route-map TEST
!


0
 

Author Comment

by:brianclay
ID: 10680077
lr moore:

I have tried that and had to change some configurations in the PIX, and I am still having problems.  Here is my configuration:

T-1 #1 - WAN IP 68.152.249.90 / LAN IP 68.208.63.1 255.255.255.224
T-1 #2 - WAN IP 68.152.249.90 / LAN IP 68.208.63.32 255.255.255.224

PIX outside Interface 68.208.63.2 / 255.255.255.192 (I configured this so it could NAT across both sets of LAN IP's for the T-1's).

PIX inside Interface 10.10.10.100 / 255.255.255.0

nat = 10.10.10.101 --> 68.208.63.40
nat = 10.10.10.105 --> 68.208.63.2
default route in pix = 0.0.0.0 0.0.0.0 68.208.63.1 (eth 0/0 -T1 #1) of 2620.

I think the problem is the eth 0/0 is getting an address outside of its subnet (68.208.63.40), and it can't pass it over to the second t-1 (it is just dropping the packet).  

When I turn on debugging in the pix, the addresses are natting properly, and it is trying to send traffic (from 10.10.10.101 to it's DNS...with no luck).  The 68.208.63.2 is working great (i.e. surfing, emailing, etc.)

Please help!
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 10680156
How do you have both WAN IP's the same???
The PIX outside subnet mask should match your FastEthernet 0/0.
What I would expect:

ROUTER
Interface FastEthernet 0/0
 ip add 68.208.63.1 255.255.255.192
!
Interface FastEthernet 0/1
 shutdown
!

PIX
ip address outside 68.208.63.2 255.255.255.192
global (outside) 40 68.208.63.40
global (outside) 105 interface
nat (inside) 40 10.10.10.101 255.255.255.255
nat (inside) 105 10.10.10.105 255.255.255.255
route outside 0.0.0.0 0.0.0.0 68.208.63.1

0
Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

 

Author Comment

by:brianclay
ID: 10680187
Sorry...the second T-1 is 68.152.249.94 255.255.255.224
0
 

Author Comment

by:brianclay
ID: 10680615
lr...still not luck.  I have made all configs in the 2620 & the 515 as suggested (the only difference being I named my route map OUTBOUND not TEST).  I still can't surf.  I am testing off a Laptop with IP 10.10.10.101 / 255.255.255.0 / gateway = 10.10.10.100 (pix).  Any more suggestions?
0
 

Author Comment

by:brianclay
ID: 10680778
lr moore...here is the problem...

my 2620 has the default route 0.0.0.0 / 0.0.0.0 / 68.152.249.89 (gateway of first t-1).  How do I enter the gateway for the second t-1?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 10680882
Ahso..
try adding another same-cost default
ip route 0.0.0.0 0.0.0.0 68.152.249.93  

0
 

Author Comment

by:brianclay
ID: 10680942
if i add another default route...then both t-1's crawl.  Is there any way to put something in the access list or route map that says once you go to serial 0/1, then you need to go to ip 68.152.249.93?
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 10681012
Yes, you can use the route-map command:

Instead of this:

route-map OUTBOUND permit 20
 match address 103
 set default interface serial 1/0.1 <<--

Try this:
route-map OUTBOUND permit 20
 match address 103
 set ip next-hop 68.152.249.93 <<--

0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
cisco nexus experiance 2 57
Wireless antenna advice/design 6 48
cisco switch POE watt limitation 5 57
Cisco Router / Switch - NAT 10 32
Cisco Pix/ASA hairpinning The term, hairpinning, comes from the fact that the traffic comes from one source into a router or similar device, makes a U-turn, and goes back the same way it came. Visualize this and you will see something that looks …
I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
Delivering innovative fully-managed cloud services for mission-critical applications requires expertise in multiple areas plus vision and commitment. Meet a few of the people behind the quality services of Concerto.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

929 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now