Solved

Protocol routing on PIX for multiple internet connections

Posted on 2008-09-29
827 Views
Last Modified: 2012-06-22
I have a PIX 515E and two internet connections (2 x T1s and DSL). I need to offload general internet usage from the T1s and keep only business services there. Without creating static routes for every individual service that I know should be on the T1s, is there a way to route all outbound port 80 traffic to a different gateway (i.e. the DSL router)?
Question by:socalsuperhero
10 Comments
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22598302
Unfortunately, you cannot connect a PIX or ASA to two internet connections simultaneously; they can only be used for failover. What you need in this case is an edge router that has multiple WAN connections and can do load balancing. If you need a current product, I recommend the Cisco 2800 series routers very highly.
http://www.cisco.com/en/US/products/ps5854/
The bottom line is that PIXes cannot load balance; the multiple-ISP feature is only for backup in case the main line goes down. All load balancing must be done on a router.
Do you have any other questions?
LVL 4

Author Comment

by:socalsuperhero
ID: 22598472
I'm not looking to load balance. Our edge router already load balances our T1s. I'm looking to add a rule to route traffic based upon what protocol/port the traffic is. I've got a couple of extra 2600s sitting around, as well as an ASA and a couple of other gateway devices that I'll use as a second firewall/NAT box for the DSL circuit.

I suppose I could also make the edge router handle the protocol routing.

To summarize my original question:
Is there a way on Cisco devices to route traffic based on protocol/port as opposed to just based on IP?
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22598505
Right, I understand this. The bottom line, though, is that your ISP probably won't allow return traffic from something that was sourced from another ISP's line, as it isn't using an established connection that was initiated by your equipment.
The tool you are talking about is PBR as I mentioned.
Here is an extended article on PBR from Cisco and then Wikipedia's explanation of it:
http://www.cisco.com/warp/public/732/Tech/plicy_wp.htm
http://en.wikipedia.org/wiki/Policy-based_routing
PBR is a VERY powerful tool. I think you'll find it very useful.
Let me know if that answers your question!
LVL 4

Author Comment

by:socalsuperhero
ID: 22599395
OK, so I've got the topology portion of the solution figured out. I'll change the default route on our core switch, which aggregates all the VLANs, to point to a 2600 router which I'll place internal on our network instead of pointing to the PIX. There I can implement a policy-map to handle routing the HTTP traffic to one gateway while all other traffic gets routed through the current PIX. I may also end up implementing WCCP on the 2600 to facilitate a transparent caching proxy. Sound reasonable?

Not being familiar with policy-map, can someone give me an example of what would be needed to implement this on a router for routing HTTP traffic?
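A worked IOS configuration for the policy-based routing the thread is discussing, added here as an example; it is not from the original post, from the answerer, or from Cisco's documentation. It assumes the topology the author describes above: an internal 2600 whose LAN-facing interface is FastEthernet0/0, an internal address space of 10.0.0.0/8, a NAT box in front of the DSL circuit with inside address 192.168.200.1, and a default route that still points at the PIX. The interface name and all addresses are placeholders. It also assumes IOS 12.3(4)T or later for the `ip sla` and `verify-availability ... track` syntax; on older trains the probe is configured with `ip sla monitor` / `type echo protocol ipIcmpEcho`, and the route-map can simply use `set ip next-hop` without tracking.

```cisco
! Added example, not the thread's own configuration. Addresses and the
! interface name are assumptions for illustration.
!
! 1. Classify. Exclude HTTP to internal hosts first so intranet web
!    servers are not policy-routed out the DSL line; then match TCP/80
!    from the LAN to anywhere else. Packets that hit the final deny are
!    NOT dropped: an ACL deny inside a route-map just means "no match",
!    so they follow the normal routing table (toward the PIX).
ip access-list extended HTTP-TO-DSL
 remark -- keep internal web traffic on the normal path
 deny   tcp any 10.0.0.0 0.255.255.255 eq 80
 remark -- all other outbound TCP/80 goes to the DSL gateway
 permit tcp 10.0.0.0 0.255.255.255 any eq 80
 deny   ip any any
!
! 2. Track the DSL gateway. Without this, PBR keeps forwarding HTTP to a
!    dead next hop during a DSL outage instead of falling back to the T1s.
ip sla 1
 icmp-echo 192.168.200.1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! 3. Policy. Matching packets get the DSL next hop only while track 1 is
!    up; packets matching no sequence are routed by the routing table.
route-map PBR-HTTP permit 10
 match ip address HTTP-TO-DSL
 set ip next-hop verify-availability 192.168.200.1 10 track 1
!
! 4. Apply on the interface where LAN traffic ENTERS the router. PBR is an
!    ingress feature; applying it on the PIX-facing interface does nothing.
interface FastEthernet0/0
 ip policy route-map PBR-HTTP
!
! Verification (exec mode):
!   show ip policy             -> interface / route-map binding
!   show track 1               -> "Reachability is Up" (or Down)
!   show route-map PBR-HTTP    -> "Policy routing matches: N packets"
!   debug ip policy            -> per-packet match/no-match (lab only)
```

Two caveats a practitioner should keep in mind. First, the box at 192.168.200.1 must NAT the policy-routed sessions to the DSL circuit's own public address; if it forwards them with the T1 public source, the replies come back over the T1s and the far-side firewall (or the ISP) drops them, which is the asymmetric-path problem raised earlier in the thread. Second, once HTTP is policy-routed around the PIX, none of the PIX's outbound rules, URL filtering or logging apply to that traffic, so the DSL-side firewall needs its own equivalent policy rather than a bare NAT.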
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22599595
Before you consider that, let me tell you this: routers absolutely KILL LAN speed. They are a huge bottleneck unless you have a giant (aka very expensive) router. Instead, consider using an L3 switch that has an IP Services license. An example of a switch that does this is the Cisco Catalyst 3560. With the advanced license, the switch routes like a router but without slowing down your network.
What I recommend instead is to route all traffic through the PIX (assuming it can handle the load). Using an additional router for this or splitting traffic just complicates things.
Only have VLANs on your core switch and switches. On the PIX, just use the inside interface address and put one route in your core switch to that IP address (your core switch has IP Services or EMI license, right? Check by doing a sh ver on it.). Then use the PIX for firewall/VPN and filtering functions. Put one route in the PIX to the inside interface of the edge router. Then, use PBR on the edge router to send the right traffic out the right WAN line.
Here is a quick topology map of the right way to do it.
Internet (T1s) ----\
                    Edge router with PBR >> PIX >> Core Switch (VLANs go here) >> network
Internet (DSL) ----/
LVL 4

Author Comment

by:socalsuperhero
ID: 22599796
Our core switch is a 6509. I'm assuming I could just implement this on there?
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22599860
Yes, that's right. We have 6509s as well. Just make sure in the sh ver that you see the words IP SERVICES. Please check that before we proceed.
When possible, you want all LAN routing done on switches; they're much faster than routers.
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22599864
Reserve WAN routing for routers.
LVL 4

Author Comment

by:socalsuperhero
ID: 22600015
"Just make sure in the sh ver that you see the words IP SERVICES. Please check that before we proceed."

Hmmmm... this is what I'm getting:

WS-C6509 Software, Version NmpSW: 8.5(4)
Copyright (c) 1995-2006 by Cisco Systems
NMP S/W compiled on Apr 28 2006, 22:06:23

System Bootstrap Version: 8.1(3)
System Boot Image File is 'bootflash:cat6000-sup720k8.8-5-4.bin'
System Configuration register is 0x102

Hardware Version: 3.0  Model: WS-C6509  Serial #: SAL08290K1Z

PS1  Module: WS-CAC-3000W    Serial #: SNI1032AWJ9
PS2  Module: WS-CAC-3000W    Serial #: AZS09220015

Mod Port Model               Serial #    Versions
--- ---- ------------------- ----------- --------------------------------------
1   24   WS-X6724-SFP        SAL1010FC8A Hw : 2.4
                                         Fw : 8.5(4)
                                         Sw : 8.5(4)
         WS-F6700-CFC        SAL1004BD7C Hw : 2.1
                                         Sw :
2   48   WS-X6748-GE-TX      SAL09211NSJ Hw : 2.2
                                         Fw : 8.5(4)
                                         Sw : 8.5(4)
         WS-F6700-CFC        SAL0917A8DW Hw : 2.0
                                         Sw :
3   48   WS-X6748-GE-TX      SAL10019HKK Hw : 2.3
                                         Fw : 8.5(4)
                                         Sw : 8.5(4)
         WS-F6700-CFC        SAL09518BUH Hw : 2.0
                                         Sw :
5   2    WS-SUP720-BASE      SAD083900WP Hw : 3.1
                                         Fw : 8.1(3)
                                         Fw1: 8.5(4)
                                         Sw : 8.5(4)
                                         Sw1: 8.5(4)
         WS-F6K-PFC3A        SAD083505ZR Hw : 2.4
                                         Sw :
15  1    WS-SUP720           SAD083701Z4 Hw : 2.3
                                         Fw : 12.2(17d)SXB11a
                                         Sw : 12.2(17d)SXB11a

       DRAM                    FLASH                   NVRAM
Module Total   Used    Free    Total   Used    Free    Total Used  Free
------ ------- ------- ------- ------- ------- ------- ----- ----- -----
5      524288K 157796K 366492K  64000K  17955K  46045K 2048K  373K 1675K

Uptime is 2 days, 15 hours, 10 minutes
LVL 12

Accepted Solution

by:Pugglewuggle (earned 500 total points)
ID: 22600164
Wow, you're running CatOS! I'm not familiar with CatOS because it's a legacy platform that is being phased out.
My suggestion is that you call TAC and have them guide you through the VLAN configuration on the 6509; I don't want to mess up your core router.
However, with the rest of the setup, just do it like I said and it will work great!
Cheers!