Deterministic routing / two outbound routes, two different IP addresses

I have posed this question to Cisco - awaiting an answer but figured someone has already had to figure this one out.  The question is I have 1 point-to-point T1 coming into the office with an IP scheme of 10.210.38.x; I have another T1 going to the internet with an IP scheme of 10.5.10.x.  These are two physically separate networks and I want to merge the two.  Basically, the P-P T1 (10.210.38.x) is a part of another network, a WAN.  We use applications on that network that require routing to local machines on that network (telnet, custom applications using IP addresses, etc.).  Almost all the computers are on that network now, but they must use that network for internet access and go through that network.  This is basically what I want to do:

Inside network
10.5.10.x -----> Cisco 3750 / L2 switch -----> Cisco 1700 / PIX 515E -----> Route to 10.210.38.x for those applications   - 10.210.38.x
                                               (two CSU/DSU modules)  -----> Route all other traffic outbound (internet)      - 10.5.10.x

I understand that each module interface will also have to NAT from internally.

Another question is does the internal address have to be the same (inside network) as the outbound leg?  Another question is what additional hardware may be needed for this to work.  Initially, Cisco believed that no additional hardware other than another CSU/DSU module is needed.  I want to know if the 3750 should also be upgraded to L3 capabilities to help routing.

Another way to look at it is that applications that access 10.210.38.x need to be routed to a specific CSU/DSU and be able to establish a route back; all internet-bound traffic (https/mail) needs to be routed to the 10.5.10.x outbound leg.

Any help to clarify this would be helpful - not necessary to be Cisco specific.
markv114 Asked:
Sorenson Commented:
In your diagram above you have a Cisco 1700/PIX 515E; is that the order that they are in, or is the router outside of the PIX 515E?  If the router is outside of the PIX 515E, then you will need to determine what rules force which route to take place.  In your example, all outbound traffic https/mail, create an access list like the following:

access-list 110 permit tcp any any eq 443
access-list 110 permit tcp any any eq 25
access-list 110 deny ip any any


or you could look at the traffic in another way:
access-list 110 permit ip any 10.210.39.0 0.0.0.255
access-list 110 deny ip any any

Either way it is used to setup your rules to do policy based routing with.
Next create the route-map

!
route-map rtrchoice 10 permit
  match ip address 110
  set ip next-hop x.x.x.x
  ! x.x.x.x = the next router up the serial path to the 10.210.39.x network
!
then under the ethernet interface that connects to the PIX:
!
interface FastEthernet0/0
  ! or whatever interface faces the PIX
  ip policy route-map rtrchoice
!

If you need to do NAT decisions on the PIX based on the destination, it is more complex; however, if you want to only NAT when going towards the internet but not when going towards the 10.210.39.x network, you could add a nat 0 with an access-list to keep that traffic as original IP addresses.

Hope that helps, please post sanitized configs from the pix and router if you need further help.
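As an added example (not code from the thread or from Cisco), here is a small Python model of how IOS evaluates an extended ACL with wildcard masks and applies a one-sequence policy route-map like the one above. It uses the thread's 10.210.38.0/24 WAN subnet, constructed next-hop labels, and also shows why a subnet mask typed where a wildcard mask belongs fails to match the intended hosts.

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (b & care)

# ACL entries as (action, protocol, dst_base, dst_wildcard, dst_port or None).
# "0.0.0.0 255.255.255.255" is the expanded form of the keyword "any".
ACL_WAN = [  # destination-based rule, like the second ACL in the answer
    ("permit", "ip", "10.210.38.0", "0.0.0.255", None),
    ("deny",   "ip", "0.0.0.0", "255.255.255.255", None),
]
ACL_PORTS = [  # port-based rule, like the first ACL in the answer
    ("permit", "tcp", "0.0.0.0", "255.255.255.255", 443),
    ("permit", "tcp", "0.0.0.0", "255.255.255.255", 25),
    ("deny",   "ip",  "0.0.0.0", "255.255.255.255", None),
]
# Constructed mistake: a subnet mask typed where a wildcard mask belongs.
ACL_BAD_MASK = [("permit", "ip", "10.210.38.0", "255.255.255.0", None)]

def acl_permits(acl, proto: str, dst: str, dport) -> bool:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, p, base, wc, port in acl:
        if p != "ip" and p != proto:
            continue
        if port is not None and port != dport:
            continue
        if wildcard_match(dst, base, wc):
            return action == "permit"
    return False

def policy_route(acl, proto, dst, dport, match_hop: str, default_hop: str) -> str:
    """route-map with one 'permit' sequence: a match sets the next hop,
    otherwise the packet falls through to the normal routing table."""
    return match_hop if acl_permits(acl, proto, dst, dport) else default_hop
```

With ACL_BAD_MASK only destinations whose last octet is 0 match, so telnet to 10.210.38.25 silently falls through to the default route.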
 
markv114 (Author) Commented:
The order would be T1 - Cisco 1700 - 515E - 3750, which already presents a problem in that the PIX 515E has only one outside interface now (one goes to the CSU/DSU module, the other goes to the switch).  So in that instance, the commands above would have to be modified based on two interfaces - I will have to get another interface card for this to work no matter what.  

I understand what you're saying: set up a specific rule for 10.210.39.x and port-specific traffic and redirect everything else to the other interface.  I would not want to do the decision or routing based on the NAT - just need NAT for translation purposes for the IPs, and the above code should work.

So if I had the following:

Cisco 1700  mod 1 (10.210.38.x) -----> Cisco 515E  outside interface 1
            mod 2 (10.5.10.x)   ----->             outside interface 2
                                                   inside interface 1 -----> Cisco 3750 Switch (inside network)

Then the rules can be based on the interface and it becomes easier in that you are really dealing with two physically separate interfaces.  The only problem becomes how the 515E deals with the different IP addresses coming in on the inside interface, and I can imagine that the access-list rules would take it from there.  That being said, how much more different is it and does anything have to be done between the interfaces to make sure the routing is done?  
 
markv114 (Author) Commented:
Thanks Sorensen - that was very helpful in making my determination and leading me in the direction I needed to go.  It also answered my question of whether it can be done and how.  Though it was only one of a few solutions, it was certainly one of the better means and it did answer my questions.