Deterministic routing / two outbound routes, two different IP addresses

Posted on 2006-05-31
Last Modified: 2010-03-19
I have posed this question to Cisco - awaiting an answer but figured someone has already had to figure this one out.  The question is I have 1 point-to-point T1 coming into the office with an IP scheme of 10.210.38.x; I have another T1 going to the internet with an IP scheme of 10.5.10.x.  These are two physically separate networks and I want to merge the two.  Basically, the P-P T1 (10.210.38.x) is a part of another network, a WAN.  We use applications on that network that require routing to local machines on that network (telnet, custom applications using IP addresses, etc.).  Almost all the computers are on that network now, but they must use that network for internet access and go through that network.  This is basically what I want to do:

Inside network
10.5.10.x -------> Cisco 3750 / L2 switch -------> Cisco 1700 / PIX 515e -------> route to 10.210.38.x for those applications   (10.210.38.x)
                                                   (has two CSU/DSU modules)  -------> route all other traffic outbound (internet)    (10.5.10.x)

I understand that each module interface will also have to NAT from internally.

Another question is does the internal address have to be the same (inside network) as the outbound leg?  Another question is what additional hardware may be needed for this to work.  Initially, Cisco believed that no additional hardware other than another CSU/DSU module is needed.  I want to know if the 3750 should also be upgraded to L3 capabilities to help routing.

Another way to look at it is that applications that access 10.210.38.x need to be routed to a specific CSU/DSU and be able to establish a route back; all internet-bound traffic (https/mail) needs to be routed to the 10.5.10.x outbound leg.

Any help to clarify this would be helpful - not necessary to be Cisco specific.
Question by:markv114

    Accepted Solution

    In your diagram above you have a Cisco 1700 / PIX 515e. Is that the order that they are in, or is the router outside of the PIX 515e?  If the router is outside of the PIX 515e, then you will need to determine what rules force which route to take place.  In your example, for all outbound traffic https/mail, create an access list like the following:

    access-list 110 permit tcp any any eq 443
    access-list 110 permit tcp any any eq 25
    access-list 110 deny ip any any

    or you could look at the traffic in another way (extended ACL 110 needs both a source and a destination):
    access-list 110 permit ip any any
    access-list 110 deny ip any any

    Either way it is used to setup your rules to do policy based routing with.
    Next create the route-map

    route-map rtrchoice permit 10
      match ip address 110
      set ip next-hop x.x.x.x (where x.x.x.x = the next router up the serial path to the 10.210.39.x network)
    then under the ethernet interface that connects to the PIX:
    interface fa0/0  (or whatever the interface is)
      ip policy route-map rtrchoice

    If you need to do NAT decisions on the pix based on the destination, it is more complex, however if you want to only nat when going towards the internet but not when going towards the 10.210.39.x network, you could add a nat 0 w/access-list to keep that traffic as original ip addresses.

    Hope that helps, please post sanitized configs from the pix and router if you need further help.
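The following is an added, complete IOS policy-based-routing example for the router in the accepted solution; it is not a config posted in the thread. The interface names (FastEthernet0 / Serial0 / Serial1 as on a 1700-series router), the serial addresses, the next-hop 10.210.38.1 and the 192.0.2.0/30 Internet link are assumptions chosen for illustration. Unlike the port-based ACL above, the match here is on the destination network, so only traffic actually going to 10.210.38.x is steered onto the point-to-point T1, and NAT is applied only on the Internet leg.

```cisco
! Added example (not from the thread). Cisco 1700 with two CSU/DSU modules.
! Assumed addressing: inside 10.5.10.0/24, WAN T1 10.210.38.0/30, Internet T1 192.0.2.0/30.
!
interface FastEthernet0
 description inside, towards the PIX / 3750
 ip address 10.5.10.1 255.255.255.0
 ip nat inside
 ! PBR is applied to traffic *entering* this interface, not to router-originated traffic
 ip policy route-map WAN-VS-INTERNET
!
interface Serial0
 description point-to-point T1 into the 10.210.38.x WAN (CSU/DSU module 1)
 ip address 10.210.38.2 255.255.255.252
!
interface Serial1
 description T1 to the Internet (CSU/DSU module 2)
 ip address 192.0.2.2 255.255.255.252
 ip nat outside
!
! Traffic that must reach the WAN applications: matched by destination, not by TCP port
ip access-list extended WAN-APPS
 permit ip 10.5.10.0 0.0.0.255 10.210.38.0 0.0.0.255
!
route-map WAN-VS-INTERNET permit 10
 match ip address WAN-APPS
 set ip next-hop 10.210.38.1
! No further clause: everything that does not match clause 10 is forwarded by the
! normal routing table, i.e. the default route below, out the Internet T1.
!
ip route 0.0.0.0 0.0.0.0 Serial1
! Static route for the WAN so that return and router-originated traffic also uses Serial0
ip route 10.210.38.0 255.255.255.0 Serial0
!
! NAT only towards the Internet: the deny line exempts inside->WAN traffic so the
! WAN applications (telnet, custom apps addressing hosts by IP) see real 10.5.10.x addresses.
ip access-list extended NAT-INTERNET
 deny   ip 10.5.10.0 0.0.0.255 10.210.38.0 0.0.0.255
 permit ip 10.5.10.0 0.0.0.255 any
ip nat inside source list NAT-INTERNET interface Serial1 overload
```

Verify with `show route-map WAN-VS-INTERNET` (the policy-routing match counters must increase when an inside host talks to 10.210.38.x) and `show ip nat translations` (no entries should appear for 10.210.38.x destinations). With a split that is purely by destination, the static route to 10.210.38.0/24 already does the job and the route-map is belt-and-braces; PBR becomes necessary when the decision depends on source address or port, which is where an extra `match` clause would go.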

    Author Comment

    The order would be T1 - Cisco 1700 - 515E - 3750, which already presents a problem in that the PIX 515E has only one outside interface now (one goes to the CSU/DSU module, the other goes to the switch).  So in that instance, the commands above would have to be modified based on two interfaces - I will have to get another interface card for this to work no matter what.  

    I understand what you're saying in that I set up a specific rule for 10.210.39.x and port-specific traffic and redirect everything else to the other interface.  I would not want to do the decision or routing based on the NAT - I just need NAT for translation purposes for the IPs, and the above code should work.

    So if I had the following:

    Cisco 1700  mod 1 (10.210.38.x) -------> Cisco 515E  outside interface 1
                mod 2 (10.5.10.x)   ------->             outside interface 2
                                                         inside interface 1 -------> Cisco 3750 switch (inside network)

    Then the rules can be based on the interface and it becomes easier in that you are really dealing with two physically separate interfaces.  The only problem becomes how the 515E deals with the different IP addresses coming in on the inside interface, and I can imagine that the access-list rules would take it from there.  That being said, how much more different is it and does anything have to be done between the interfaces to make sure the routing is done?  
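As an added example for the two-outside-interface PIX layout sketched in the comment above (not a config from the thread): a PIX 6.x-style configuration that uses a third interface for the WAN leg, static routes to split traffic by destination, and `nat 0` with an access list so WAN-bound traffic keeps its original addresses, as the accepted solution suggests. Interface hardware IDs, addresses and next hops are assumptions; the next hops would be whatever the 1700's corresponding interfaces are addressed in the real build.

```cisco
! Added example (not from the thread). PIX 515E, PIX 6.x syntax, three interfaces.
! Assumed: inside 10.5.10.0/24, WAN leg 10.210.38.0/30, Internet leg 192.0.2.0/30.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 wan security50
!
ip address outside 192.0.2.2 255.255.255.252
ip address inside  10.5.10.1 255.255.255.0
ip address wan     10.210.38.2 255.255.255.252
!
! The PIX has no policy routing: the split is done purely by destination.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route wan 10.210.38.0 255.255.255.0 10.210.38.1 1
!
! No NAT for inside -> WAN (nat 0 with an ACL is bidirectional in PIX 6.2+, so
! WAN hosts can also initiate connections to the real 10.5.10.x addresses).
access-list NONAT permit ip 10.5.10.0 255.255.255.0 10.210.38.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Everything else from inside is PAT'ed to the outside interface address.
nat (inside) 1 10.5.10.0 255.255.255.0
global (outside) 1 interface
!
! Inbound from the WAN is blocked by default (security50 -> security100); permit only
! what the applications need. Telnet is cleartext, so keep the source range tight.
access-list wan_in permit tcp 10.210.38.0 255.255.255.0 10.5.10.0 255.255.255.0 eq telnet
access-group wan_in in interface wan
```

Inside-to-WAN and inside-to-Internet connections are permitted without further rules because they go from a higher to a lower security level; only the WAN-initiated direction needs the `access-group`. Check the split with `show route` and confirm NAT exemption with `show xlate` after an inside host connects to a 10.210.38.x address (no translation entry should be created for it).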

    Author Comment

    Thanks Sorensen - that was very helpful in making my determination and leading me in the direction I needed to go.  It also answered my question of if it can be done and how.  Though it was only one of few solutions, it was certainly one of the better means and it did answer my questions.
