Deterministic routing / two outbound routes, two different IP addresses

Posted on 2006-05-31
Last Modified: 2010-03-19
I have posed this question to Cisco - awaiting an answer, but I figured someone has already had to figure this one out. The question is: I have one point-to-point T1 coming into the office with an IP scheme of 10.210.38.x; I have another T1 going to the Internet with an IP scheme of 10.5.10.x. These are two physically separate networks and I want to merge the two. Basically, the P-P T1 (10.210.38.x) is a part of another network, a WAN. We use applications on that network that require routing to local machines on that network (telnet, custom applications using IP addresses, etc.). Almost all the computers are on that network now, but they must use that network for Internet access and go through that network. This is basically what I want to do:

Inside network
10.5.10.x ----> Cisco 3750 (L2 switch) ----> Cisco 1700 / PIX 515e ----> route to 10.210.38.x for those applications   (10.210.38.x)
                                             (two CSU/DSU modules)   ----> route all other traffic outbound (Internet)  (10.5.10.x)

I understand that each module interface will also have to NAT the internal addresses.

Another question: does the internal address (inside network) have to be the same as the outbound leg? Another question is what additional hardware may be needed for this to work. Initially, Cisco believed that no additional hardware other than another CSU/DSU module is needed. I want to know if the 3750 should also be upgraded to L3 capabilities to help with routing.

Another way to look at it is that applications that access 10.210.38.x need to be routed to a specific CSU/DSU and be able to establish a route back; all Internet-bound traffic (https/mail) needs to be routed to the 10.5.10.x outbound leg.

Any help to clarify this would be helpful - it does not need to be Cisco specific.
Question by: markv114

Accepted Solution

Sorenson earned 1400 total points
ID: 16799133
In your diagram above you have a Cisco 1700 / PIX 515e. Is that the order that they are in, or is the router outside of the PIX 515e? If the router is outside of the PIX 515e, then you will need to determine what rules force which route to take place. In your example, for all outbound traffic https/mail, create an access list like the following:

access-list 110 permit tcp any any eq 443
access-list 110 permit tcp any any eq 25
access-list 110 deny ip any any

or you could look at the traffic in another way:

access-list 110 permit ip any any
access-list 110 deny ip any any

Either way, it is used to set up your rules to do policy-based routing with.
Next create the route-map:

route-map rtrchoice permit 10
  match ip address 110
  set ip next-hop x.x.x.x

(where x.x.x.x = the next router up the serial path to the 10.210.39.x network)

Then under the Ethernet interface that connects to the PIX:

interface fa0/0  (or whatever the interface is)
  ip policy route-map rtrchoice

If you need to make NAT decisions on the PIX based on the destination, it is more complex; however, if you want to NAT only when going towards the Internet but not when going towards the 10.210.39.x network, you could add a nat 0 with an access-list to keep that traffic at its original IP addresses.

Hope that helps, please post sanitized configs from the pix and router if you need further help.
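The three pieces above (an access list to classify, a route-map to set the next hop, and `ip policy route-map` on the interface the traffic arrives on) assembled into one configuration for the Cisco 1700 in front of the PIX. This is an added example and not part of Sorenson's answer. It assumes the original single-outside topology (both T1s on the 1700, its FastEthernet0 facing the PIX outside interface), IOS 12.x syntax, 1700-series interface names, and placeholder addresses marked ASSUMED in the comments. Because the question's diagram uses 10.5.10.x both for the inside LAN and for the Internet T1, the example keeps 10.5.10.0/24 as the inside network and puts the Internet T1 on an assumed 198.51.100.0/30 so the two do not overlap. It steers the named Internet services (HTTPS, SMTP, and HTTP as an assumed addition) out the local Internet T1 by policy and leaves everything else to the routing table, whose default still points across the WAN as it does today. That is the case where PBR is genuinely needed: the decision is made by port, not by destination.

```text
! Added example, not from the original thread. Cisco 1700 in front of the PIX,
! IOS 12.x syntax. Interface names and all addresses are ASSUMED placeholders.
!
! Classifier for policy routing. In an ACL referenced by a route-map, "permit"
! means "apply the policy" and "deny" means "leave this packet to the normal
! routing table"; nothing is dropped here. Traffic for the WAN network is
! excluded first, so a mail or web server living on 10.210.38.x is still
! reached over the WAN T1 and never forced out the Internet leg.
access-list 110 remark PBR: Internet services that must leave via the local Internet T1
access-list 110 deny   ip  any 10.210.38.0 0.0.0.255
access-list 110 permit tcp any any eq 443
access-list 110 permit tcp any any eq 25
access-list 110 permit tcp any any eq 80
!
! ASSUMED: 198.51.100.1 is the far-end address of the Internet T1.
! Packets that do not match sequence 10 are routed normally, not dropped.
route-map rtrchoice permit 10
 match ip address 110
 set ip next-hop 198.51.100.1
!
interface Serial0
 description Internet T1 (the 10.5.10.x leg in the question; ASSUMED 198.51.100.0/30 here)
 ip address 198.51.100.2 255.255.255.252
!
interface Serial1
 description Point-to-point T1 into the WAN (10.210.38.x)
 ip address 10.210.38.2 255.255.255.252
!
! PBR acts only on packets arriving on this interface; traffic the router
! itself originates would need "ip local policy route-map" as well.
interface FastEthernet0
 description Toward PIX outside interface (ASSUMED 192.168.0.0/30 link)
 ip address 192.168.0.1 255.255.255.252
 ip policy route-map rtrchoice
!
! Everything not caught by the route-map follows these routes. The WAN stays
! the default, as it is today. The inside network must be routable toward the
! PIX so replies from the WAN to un-NATed inside hosts (nat 0) can get back.
ip route 0.0.0.0 0.0.0.0 10.210.38.1
ip route 10.5.10.0 255.255.255.0 192.168.0.2
```

Two checks worth doing after applying this: `show route-map rtrchoice` shows a policy-match counter that should climb when an inside host opens an HTTPS session, and `debug ip policy` (on a quiet router only) shows each packet and whether it was policy-routed or "rejected" back to normal routing. If the requirement turns out to be purely destination-based ("anything for 10.210.38.0/24 uses the WAN T1, everything else uses the Internet T1"), the route-map is unnecessary: point the default at 198.51.100.1, add `ip route 10.210.38.0 255.255.255.0 10.210.38.1`, and the ordinary longest-prefix lookup does the job. The return path from the WAN side to 10.5.10.0/24 has to exist on the far-end routers too; a route-map here cannot create it.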

Author Comment

ID: 16801969
The order would be T1 - Cisco 1700 - 515E - 3750, which already presents a problem in that the PIX 515E has only one outside interface now (one goes to the CSU/DSU module, the other goes to the switch). So in that instance, the commands above would have to be modified based on two interfaces - I will have to get another interface card for this to work no matter what.

I understand what you are saying: set up a specific rule for 10.210.39.x and port-specific traffic and redirect everything else to the other interface. I would not want to make the decision or routing based on the NAT - I just need NAT for translation purposes for the IPs, and the above code should work.

So if I had the following:

Cisco 1700  mod 1 (10.210.38.x) ----> Cisco 515E outside interface 1
            mod 2 (10.5.10.x)   ----> Cisco 515E outside interface 2
                                      Cisco 515E inside interface 1 ----> Cisco 3750 switch (inside network)

Then the rules can be based on the interface, and it becomes easier in that you are really dealing with two physically separate interfaces. The only problem becomes how the 515E deals with the different IP addresses coming in on the inside interface, and I can imagine that the access-list rules would take it from there. That being said, how much different is it, and does anything have to be done between the interfaces to make sure the routing is done?
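The two-outside-interface layout sketched above, written out for the PIX side as an added example that is not drawn from the thread. It uses PIX OS 6.3 syntax (ASSUMED; 7.x moves interface settings into interface configuration mode). Interface names, security levels and the link addresses are assumptions: 192.168.0.0/30 toward the Internet-side router port and 192.168.1.0/30 toward the WAN-side port, with 10.5.10.0/24 as the inside network from the question. Lines beginning with `:` are comments. The PIX of that era has no policy routing, so the choice between the two outside legs is made purely on destination by the static routes; a split by port would still have to happen on the router in front of it. The `nat 0` identity rule is the one Sorenson describes in the accepted answer and applies unchanged to the single-outside layout.

```text
: Added example, not from the original thread. PIX 515E, PIX OS 6.3 syntax
: (ASSUMED). All addresses other than the inside 10.5.10.0/24 are ASSUMED.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 wan security50
ip address outside 192.168.0.2 255.255.255.252
ip address inside 10.5.10.1 255.255.255.0
ip address wan 192.168.1.2 255.255.255.252
:
: Routing is destination based: one route for the WAN network out the wan
: interface, default out the Internet leg. Nothing here looks at ports.
route wan 10.210.38.0 255.255.255.0 192.168.1.1 1
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
:
: Identity NAT (nat 0 with an access-list) for inside hosts talking to the
: WAN network: they keep their real 10.5.10.x addresses, so the WAN side must
: have a return route for 10.5.10.0/24 or nothing comes back.
access-list nonat permit ip 10.5.10.0 255.255.255.0 10.210.38.0 255.255.255.0
nat (inside) 0 access-list nonat
:
: Everything else from the inside is PATed behind the outside interface
: address on its way to the Internet. nat 0 access-list entries are checked
: before the nat 1 rule, so WAN-bound traffic is never translated by it.
nat (inside) 1 10.5.10.0 255.255.255.0
global (outside) 1 interface
```

Inside (security 100) may open connections to both lower-security interfaces without an access-list; the WAN side reaching inside hosts unsolicited would need an access-list applied to the wan interface. `show xlate` should stay empty for sessions to 10.210.38.x and show PAT entries only for Internet sessions, which is a quick way to confirm the nat 0 rule is matching.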

Author Comment

ID: 16808580
Thanks Sorenson - that was very helpful in making my determination and leading me in the direction I needed to go. It also answered my question of whether it can be done and how. Though it was only one of a few solutions, it was certainly one of the better means, and it did answer my questions.
