Solved

Policy-based Routing on the PIX

Posted on 2005-05-06
Last Modified: 2013-11-16
Does anyone know if it's possible to do policy-based routing on the PIX, ver 6.3(3)?  I'd like to direct traffic from a specific host through our VPN tunnel.  To do this, the PIX would have to disregard the routes in the routing table for that specific host.

Thanks!
Question by:meade470
15 Comments
LVL 79

Expert Comment

by:lrmoore
ID: 13944908
Not unless you upgrade to PIX ver 7.0(1)

However, what you are trying to do is simple with access-lists that define the traffic that must be encrypted (your host to remote network), applied to the crypto map that defines the destination peer (next hop). That's basically the same thing.. just that the other end needs to also define their traffic to come back to your host.

Do you already have an existing VPN tunnel between the two networks?


LVL 2

Author Comment

by:meade470
ID: 13945570
Thanks, lrmoore.

I currently have a working VPN across the 2 sites.  The problem is that I also have a T1 connecting the sites.

This is my existing network (abbreviated, somewhat):
192.168.25.170 (MyPC) --> 192.168.25.1 (2611 Cisco) --> T1 -->192.168.17.0 network (Cisco 1711)

This is how I'd like traffic to go for MyPC:
192.168.25.170 (MyPC) --> 192.168.25.1 (2611 Cisco) --> 192.168.27.254 (PIX 515) --> Internet --> 192.168.19.257 (PIX 506) --> 192.168.17.0 network (Cisco 1711)

I'd like traffic from MyPC to ignore the routing tables and head straight for the VPN at its local PIX.  I can do this at the 2611 with PBR.  But the PIX ver 6.3 doesn't like PBR.  Is there any other way/workaround to make this happen?

Thanks!!!
LVL 32

Expert Comment

by:harbor235
ID: 13945899
Why not configure a GRE tunnel connecting the two sites and run IPSEC across the tunnel. This would give you an additional network in which to route to for the remote network.

Is routing dynamic or static in your environment?

You could also prefer the VPN route over the T-1 route by assigning a higher metric to the less desired route.


harbor235
LVL 2

Author Comment

by:meade470
ID: 13946050
harbor235:  You could also prefer the VPN route over the T-1 route by either assigning a higher metric to the less desired route.

Could I do this for a specific host?  I don't want all the traffic to cross the VPN, just traffic from MyPC.

Thanks!!
LVL 79

Expert Comment

by:lrmoore
ID: 13948628
Then you simply define the VPN traffic as host x.y.z.z to subnet a.b.c.0 in your acl for the vpn, and create a static route on the PC for that subnet to go to the pix

 C:\>route add a.b.c.0 mask 255.255.255.0 <ip of pix>
LVL 2

Author Comment

by:meade470
ID: 13961458
lrmoore,

I can't do this because the IP of the PIX is off the network my PC is on.  (I'm on 192.168.25.0; the PIX is on 192.168.27.0.)

Any other suggestions?  I don't know if this is possible without PBR or 7.0.  What a drag.
LVL 79

Expert Comment

by:lrmoore
ID: 13962979
As long as the PIX has a route to you (can you ping the PIX IP address?)
If yes, then it should not be a problem...
LVL 2

Author Comment

by:meade470
ID: 13963622
I can ping the (192.168.27.254) PIX without a problem.

What I believe is the issue might be best represented in the following diagram:

      Internet
      |          \
      |            \
            PIX 1          PIX 2
      |        \
      |                  \
      |           \      
 192.168.17.0          192.168.25.0      
      |                      |
      |                      |
     (Cisco 1721)
           (Cisco 1721)    
                ----- T1 ----------
LVL 2

Author Comment

by:meade470
ID: 13963692
Ugh.  Let's try this one instead:
(Note:  Graph is "abbreviated")

      Internet
       |         \
       |          \
     PIX 1      PIX 2
       |            \
       |             \
 192.168.17.0     192.168.25.0 (where the 192.168.25.170 pc would be; default route is PIX 2)
       |              |
       |              |
   Cisco 1721 --T1-- Cisco 1721 -------- (more networks/T1s/etc)

There is a VPN between the PIXes.  PIX 2 believes (via the routing tables) that the route to 192.168.17.0 exists through the Cisco 1721 beneath the 192.168.25.0 network.  The route does, in fact, exist.  This is preventing me from routing traffic from 192.168.25.170 to 192.168.17.0 through the VPN tunnel.  (Which is what I want, to test the effectiveness of the VPN tunnel in regards to speed and application response.)

Thanks!! Your help is appreciated.
LVL 2

Author Comment

by:meade470
ID: 13963764
Sorry about those graphs.  They were clean until I hit Submit; I don't get it.

The bottom of the graph should indicate the following:
1.)  There is a T1 connection between the 1721s.
2.)  The right-most 1721 has other network connections to it.

LVL 79

Expert Comment

by:lrmoore
ID: 13964632
Anytime you have a router on your internal network and pix connected to the internet, it is much cleaner and easier on yourself if you set your PC's default gateway to the 1721 and not the PIX (absolutely must be this way on both sides). The 1721 then has its default pointing to the respective pix. PIX 2 does not have to know about .17.0 subnet at all and the static route gets removed..
This way, you have two easy choices to run your test -
1) use policy-based routing on the 1721 to only route your PC's source IP out the PIX to the remote side (must do it on both routers for return traffic)
2) use static route on your PC to direct your own traffic destined for the .17.0 network to the PIX2, bypassing the 1721.. but the host on the other side that you want to talk to must also have a static route to your host pointing to PIX1

0
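The two test options lrmoore lists, written out as an added configuration example (not the asker's or lrmoore's own config). It uses the addresses from the thread and assumes the 1721's LAN interface name (FastEthernet0), the transform-set and crypto-map names, that the existing tunnel's ISAKMP policy and pre-shared key are already in place, and a placeholder for PIX 1's outside address, none of which the thread gives:

```cisco
! --- Option 1: policy-based routing on the 192.168.25.0-side 1721 (IOS) ---
! Only packets sourced from the test PC and bound for 192.168.17.0/24 are
! policy-routed to PIX 2; everything else still follows the routing table
! (the T1). "set ip next-hop" requires the 1721 to be directly connected
! to PIX 2's inside address, 192.168.27.254.
ip access-list extended PC_TO_REMOTE
 permit ip host 192.168.25.170 192.168.17.0 0.0.0.255
!
route-map TO_VPN permit 10
 match ip address PC_TO_REMOTE
 set ip next-hop 192.168.27.254
!
! assumed: FastEthernet0 is the interface facing the PC's subnet
interface FastEthernet0
 ip policy route-map TO_VPN
!
! --- PIX 2 (PIX 6.3 syntax): crypto ACL selects the same host-to-subnet flow ---
! Because the routing table is never consulted for the crypto decision, the
! PIX needs no PBR: anything matching VPN_TRAFFIC is encrypted to the peer.
! NONAT keeps the PC's real address so the remote side can return traffic.
access-list VPN_TRAFFIC permit ip host 192.168.25.170 192.168.17.0 255.255.255.0
access-list NONAT permit ip host 192.168.25.170 192.168.17.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 ipsec-isakmp
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
! PIX1_OUTSIDE is a placeholder for PIX 1's public address (not in the thread)
crypto map OUTSIDE_MAP 10 set peer PIX1_OUTSIDE
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP interface outside
!
! --- Return path: the mirror image is required on the remote side ---
! PIX 1 crypto ACL with source and destination swapped:
access-list VPN_TRAFFIC permit ip 192.168.17.0 255.255.255.0 host 192.168.25.170
! and either the 192.168.17.0-side 1721 carries the equivalent route-map
! (next hop = PIX 1) or the remote host has a static route for
! 192.168.25.170 pointing at PIX 1, otherwise replies take the T1 unencrypted.
```

To confirm the policy is matching, `show route-map TO_VPN` on the 1721 shows policy-matched packet counters, and `show crypto ipsec sa` on PIX 2 should show encaps/decaps counters climbing only for the host-to-subnet SA.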
LVL 2

Author Comment

by:meade470
ID: 13964677
That makes sense.

The routes in the PIX are actually not static routes, but rather learned from OSPF.  I have always suspected this is unnecessary (not our config).  Does the PIX even need routing tables?  It only has two interfaces--shouldn't it by nature know the interface to put specific traffic on?
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 13964817
>Does the PIX even need routing tables?  
Well, actually it does. It needs to know how to get back to any ip subnets that it is going to nat for. OSPF is good for that, and a good design (IMHO).... but, it shouldn't need to know about the .17.0 subnet unless PIX1's Internet was down and the .17.0 subnet needed to use PIX2 as a backup Internet connection. It throws some complexity in, but it is still "do-able"..

LVL 2

Author Comment

by:meade470
ID: 13964922
Aha!!  I finally see what you're saying!

Thanks for sticking it out with me.  I appreciate it.

One last question, if you don't mind:  What is the command for OSPF entries in the PIX?  I couldn't find them in the config.

Thanks again.
LVL 79

Expert Comment

by:lrmoore
ID: 13964975
Question has a verified solution.