  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 916

Protocol routing on pix for multiple internet connections

I have a PIX 515E and two internet connections (2 x T1s and DSL). I need to offload general internet usage from the T1s and keep only business services there. Without creating static routes for every individual service that I know should be on the T1s, is there a way to route all outbound port 80 traffic to a different gateway (i.e. the DSL router)?
Asked by: socalsuperhero
1 Solution
 
PugglewuggleCommented:
Unfortunately, you cannot connect a PIX or ASA to two internet connections simultaneously - they can only be used for failover. What you need in this case is an edge router that has multiple WAN connections and can do load balancing. If you need a current product, I recommend the Cisco 2800 series routers very highly.
http://www.cisco.com/en/US/products/ps5854/ 
The bottom line is that PIXes cannot load balance - the multiple ISP feature is only for backup in case the main line goes down. All load balancing must be done on a router.
Do you have any other questions?
0
 
socalsuperheroAuthor Commented:
I'm not looking to load balance. Our edge router already load balances our T1s. I'm looking to add a rule to route traffic based upon what protocol/port the traffic is. I've got a couple of extra 2600s sitting around, as well as an ASA and a couple of other gateway devices that I'll use as a second firewall/NAT box for the DSL circuit.

I suppose I could also make the edge router handle the protocol routing.

To summarize my original question:
Is there a way on Cisco devices to route traffic based on protocol/port as opposed to just based on IP?
0
 
PugglewuggleCommented:
Right, I understand this - the bottom line though is that your ISP probably won't allow return traffic from something that was sourced from another ISP's line as it isn't using an established connection that was initiated by your equipment.
The tool you are talking about is PBR as I mentioned.
Here is an extended article on PBR from Cisco and then Wikipedia's explanation of it:
http://www.cisco.com/warp/public/732/Tech/plicy_wp.htm
http://en.wikipedia.org/wiki/Policy-based_routing
PBR is a VERY powerful tool. I think you'll find it very useful.
Let me know if that answers your question!
0
 
socalsuperheroAuthor Commented:
Ok, so I've got the topology portion of the solution figured out. I'll change the default route on our core switch, which aggregates all the VLANs, to point to a 2600 router which I'll place internal on our network instead of pointing to the PIX. There I can implement policy-map to handle routing the HTTP traffic to one gateway while all other traffic gets routed through the current PIX. I may also end up implementing WCCP on the 2600 to facilitate a transparent caching proxy. Sound reasonable?

Not being familiar with policy-map, can someone give me an example of what would be needed to implement this on a router for routing HTTP traffic?
0
 
PugglewuggleCommented:
Before you consider that let me tell you this - routers absolutely KILL LAN speed. They are a huge bottleneck unless you have a giant (aka very expensive) router. Instead, consider using an L3 switch that has an IP Services license. An example of a switch that does this is the Cisco Catalyst 3560. With the advanced license, the switch routes like a router but without slowing down your network.
What I recommend instead is to route all traffic through the PIX (assuming it can handle the load). Using an additional router for this or splitting traffic just complicates things.
Only have VLANs on your core switch and switches. On the PIX, just use the inside interface address and put one route in your core switch to that IP address (your core switch has IP Services or EMI license, right? Check by doing a sh ver on it.). Then use the PIX for firewall/VPN and filtering functions. Put one route in the PIX to the inside interface of the edge router. Then, use PBR on the edge router to send the right traffic out the right WAN line.
Here is a quick topology map of the right way to do it.
Internet ------ Edge router with PBR >> PIX >> Core Switch (VLANS go here) >> network
                                    |
Internet ----------------^
0
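The config below is an added example, not something posted in this thread or taken from Cisco documentation. It shows the PBR setup the two comments above are talking about (the author asked for a worked example of routing HTTP to a second gateway; the reply put that policy on the edge router in front of the PIX), written as IOS configuration for the edge router in the "Internet - Edge router with PBR - PIX - Core Switch" topology. Every interface name and address is an assumption: the PIX's outside side is taken to present 192.0.2.0/24 after NAT on FastEthernet0/0, the DSL router is 198.51.100.1 on FastEthernet0/1, and the two T1s are Serial0/0 and Serial0/1 (the 192.0.2.0/24 and 198.51.100.0/24 blocks are the RFC 5737 documentation ranges). The `ip sla` keywords are the IOS 12.4T spelling; older trains spell the same feature `rtr` or `ip sla monitor`.

```cisco
! Added example (not from the thread): policy-based routing on the edge router.
! Outbound TCP/80 is sent to the DSL router; everything else follows the
! default routes over the T1s. Addresses and interface names are assumed.
!
! 1. Classify what should leave via DSL: web traffic arriving from the PIX.
ip access-list extended HTTP-TO-DSL
 remark source = addresses the PIX hands us after NAT (assumed 192.0.2.0/24)
 permit tcp 192.0.2.0 0.0.0.255 any eq 80
 deny   ip any any
!
! 2. Probe the DSL gateway. PBR only uses it while the probe succeeds;
!    when the DSL line is down, matched packets fall back to the normal
!    routing table (the T1 default routes) instead of being black-holed.
ip sla 1
 icmp-echo 198.51.100.1 source-interface FastEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! 3. The policy: packets matching the ACL get the DSL router as next hop.
!    Packets that match no permit clause are routed by destination as usual,
!    so nothing else on the network changes.
route-map SPLIT-EGRESS permit 10
 match ip address HTTP-TO-DSL
 set ip next-hop verify-availability 198.51.100.1 10 track 1
!
! 4. PAT the DSL-bound flows to the DSL interface address so replies come
!    back over the same line. Without this the packets leave the DSL circuit
!    carrying a source address from the T1 block: the DSL provider may drop
!    them as spoofed, and any reply would be routed back over the T1s.
route-map DSL-NAT permit 10
 match ip address HTTP-TO-DSL
 match interface FastEthernet0/1
ip nat inside source route-map DSL-NAT interface FastEthernet0/1 overload
!
! 5. Apply the policy on the interface the traffic ENTERS on (from the PIX).
!    'ip policy' acts on packets received on this interface, not sent out it.
interface FastEthernet0/0
 description To PIX outside interface
 ip address 192.0.2.1 255.255.255.0
 ip nat inside
 ip policy route-map SPLIT-EGRESS
!
interface FastEthernet0/1
 description To DSL router
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
! 6. Default routes stay on the T1s; CEF load-shares the two equal-cost paths.
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 0.0.0.0 0.0.0.0 Serial0/1
```

To confirm the policy is actually being hit, `show route-map SPLIT-EGRESS` reports the number of policy-routed packets, `show track 1` shows whether the DSL probe is up, and `show ip nat translations` should list only port-80 flows behind 198.51.100.2. `debug ip policy` prints a line per policy decision and is the quickest way to see why a packet was or was not diverted, but it is expensive on a busy router, so scope it with an ACL or run it briefly. Step 4 is the practical answer to the concern raised earlier in the thread about return traffic: the second ISP has no problem with the flow as long as it leaves with a source address from that ISP's block.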
 
socalsuperheroAuthor Commented:
Our core switch is a 6509; I'm assuming I could just implement this on there?
0
 
PugglewuggleCommented:
Yes that's right. We have 6509s as well. Just make sure in the sh ver that you see the word IP SERVICES. Please check that before we proceed.
When possible, you want all LAN routing done on switches - they're much faster than routers.
0
 
PugglewuggleCommented:
Reserve WAN routing for routers.
0
 
socalsuperheroAuthor Commented:
"Just make sure in the sh ver that you see the word IP SERVICES. Please check that before we proceed. "

hmmmm...this is what I'm getting

WS-C6509 Software, Version NmpSW: 8.5(4)
Copyright (c) 1995-2006 by Cisco Systems
NMP S/W compiled on Apr 28 2006, 22:06:23

System Bootstrap Version: 8.1(3)
System Boot Image File is 'bootflash:cat6000-sup720k8.8-5-4.bin'
System Configuration register is 0x102

Hardware Version: 3.0  Model: WS-C6509  Serial #: SAL08290K1Z

PS1  Module: WS-CAC-3000W    Serial #: SNI1032AWJ9
PS2  Module: WS-CAC-3000W    Serial #: AZS09220015

Mod Port Model               Serial #    Versions
--- ---- ------------------- ----------- --------------------------------------
1   24   WS-X6724-SFP        SAL1010FC8A Hw : 2.4
                                         Fw : 8.5(4)
                                         Sw : 8.5(4)
         WS-F6700-CFC        SAL1004BD7C Hw : 2.1
                                         Sw :
2   48   WS-X6748-GE-TX      SAL09211NSJ Hw : 2.2
                                         Fw : 8.5(4)
                                         Sw : 8.5(4)
         WS-F6700-CFC        SAL0917A8DW Hw : 2.0
                                         Sw :
3   48   WS-X6748-GE-TX      SAL10019HKK Hw : 2.3
                                         Fw : 8.5(4)
                                         Sw : 8.5(4)
         WS-F6700-CFC        SAL09518BUH Hw : 2.0
                                         Sw :
5   2    WS-SUP720-BASE      SAD083900WP Hw : 3.1
                                         Fw : 8.1(3)
                                         Fw1: 8.5(4)
                                         Sw : 8.5(4)
                                         Sw1: 8.5(4)
         WS-F6K-PFC3A        SAD083505ZR Hw : 2.4
                                         Sw :
15  1    WS-SUP720           SAD083701Z4 Hw : 2.3
                                         Fw : 12.2(17d)SXB11a
                                         Sw : 12.2(17d)SXB11a

       DRAM                    FLASH                   NVRAM
Module Total   Used    Free    Total   Used    Free    Total Used  Free
------ ------- ------- ------- ------- ------- ------- ----- ----- -----
5      524288K 157796K 366492K  64000K  17955K  46045K 2048K  373K 1675K

Uptime is 2 days, 15 hours, 10 minutes
0
 
PugglewuggleCommented:
Wow, you're running CatOS! I'm not familiar with CatOS because it's a legacy platform that is being phased out.
My suggestion is that you call TAC and have them guide you through the VLAN configuration on the 6509 - I don't want to mess up your core router.
However, with the rest of the setup, just do it like I said and it will work great!
Cheers!
0
