Solved

Protocol routing on pix for multiple internet connections

Posted on 2008-09-29
Last Modified: 2012-06-22
I have a PIX 515E and two internet connections (2xT1s and DSL).  I need to offload general internet usage from the T1s and keep only business services there.  Without creating static routes for every individual service that I know should be on the T1s, is there a way to route all outbound port 80 traffic to a different gateway (i.e. the DSL router)?
Question by:socalsuperhero
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22598302
Unfortunately, you cannot connect a PIX or ASA to two internet connections simultaneously - they can only be used for failover. What you need in this case is an edge router that has multiple WAN connections and can do load balancing. If you need a current product, I recommend the Cisco 2800 series routers very highly.
http://www.cisco.com/en/US/products/ps5854/ 
The bottom line is that PIXes cannot load balance - the multiple ISP feature is only for backup in case the main line goes down. All load balancing must be done on a router.
Do you have any other questions?
 
LVL 4

Author Comment

by:socalsuperhero
ID: 22598472
I'm not looking to load balance.  Our edge router already load balances our T1s.  I'm looking to add a rule to route traffic based upon what protocol/port the traffic is.  I've got a couple of extra 2600s sitting around, as well as an ASA and a couple of other gateway devices that I'll use as a second firewall/NAT box for the DSL circuit.  

I suppose I could also make the edge router handle the protocol routing.

To summarize my original question:
Is there way on cisco devices to route traffic based on protocol/port as opposed to just based on ip?
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22598505
Right, I understand this - the bottom line though is that your ISP probably won't allow return traffic from something that was sourced from another ISP's line as it isn't using an established connection that was initiated by your equipment.
The tool you are talking about is PBR as I mentioned.
Here is an extended article on PBR from Cisco and then Wikipedia's explanation of it:
http://www.cisco.com/warp/public/732/Tech/plicy_wp.htm
http://en.wikipedia.org/wiki/Policy-based_routing
PBR is a VERY powerful tool. I think you'll find it very useful.
Let me know if that answers your question!
 
LVL 4

Author Comment

by:socalsuperhero
ID: 22599395
Ok, so I've got the topology portion of the solution figured out.  I'll change the default route on our core switch, which aggregates all the VLANs, to point to a 2600 router that I'll place internally on our network instead of pointing to the PIX.  There I can implement a policy-map to handle routing the HTTP traffic to one gateway while all other traffic gets routed through the current PIX.  I may also end up implementing WCCP on the 2600 to facilitate a transparent caching proxy.   Sound reasonable?

Not being familiar with policy-map, can someone give me an example of what would be needed to implement this on a router for routing HTTP traffic?
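The thread never shows the configuration that the question above asks for, so here is one as an added example; it is not from the original post or from either participant. It implements the design described in the comment above: the core switch's default route points at an internal 2600, the 2600 policy-routes outbound TCP/80 to the second firewall/NAT box in front of the DSL circuit, and everything else falls through to the PIX. On IOS this is done with a route-map applied as `ip policy route-map` on the LAN-facing interface, not with a QoS `policy-map`. The addresses, interface name, access-list and route-map names, and the IP SLA tracking of the DSL firewall are all assumptions; the `ip sla` / `track ... ip sla` syntax shown is the 12.4T form (older 12.3 trains use `rtr` and `track ... rtr` for the same thing).

```cisco
! Added example, not from the thread. Assumed addressing:
!   10.0.0.0/8        internal VLANs (routed by the 6509)
!   FastEthernet0/0   2600 interface toward the core switch, 10.1.1.2/24
!   10.1.1.1          PIX inside interface (default path, T1s)
!   10.1.1.3          second firewall/NAT box in front of the DSL circuit
!
! 1. Classify: outbound TCP/80 only. Web traffic to internal servers is
!    denied first so it stays on the normal LAN path instead of being
!    hairpinned through the DSL firewall.
ip access-list extended PBR-HTTP-TO-DSL
 remark internal web servers keep the normal LAN path
 deny   tcp any 10.0.0.0 0.255.255.255 eq www
 deny   tcp any 172.16.0.0 0.15.255.255 eq www
 deny   tcp any 192.168.0.0 0.0.255.255 eq www
 permit tcp any any eq www
!
! 2. Track the DSL firewall so HTTP falls back to the PIX path (plain
!    routing table lookup) if that box goes away, instead of blackholing.
ip sla 10
 icmp-echo 10.1.1.3 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
!
! 3. Policy: packets matching the ACL get the DSL next hop while it is
!    reachable; unmatched packets (and matched packets while track 10 is
!    down) use the routing table, i.e. the default route to the PIX.
route-map HTTP-VIA-DSL permit 10
 match ip address PBR-HTTP-TO-DSL
 set ip next-hop verify-availability 10.1.1.3 10 track 10
!
! 4. Apply inbound on the LAN-facing interface. PBR acts only on transit
!    traffic arriving on this interface. Both next hops sit on the same
!    segment, so disable ICMP redirects to keep hosts from learning a
!    direct path that bypasses the policy.
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 no ip redirects
 ip policy route-map HTTP-VIA-DSL
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
! Verification:
!   show route-map HTTP-VIA-DSL   policy-routing match counters increment
!   show track 10                 reachability Up / Down
!   debug ip policy               per-packet decisions (rate-limited on a busy box)
```

Two points to keep in mind when running this. First, the split only works cleanly because each egress device does its own NAT: HTTP leaves with the DSL box's public address and replies come back on the DSL line, everything else leaves via the PIX and returns on the T1s, so neither ISP ever sees a reply for a connection it did not source. Second, port-80 traffic now bypasses whatever access rules and logging the PIX applies, so the DSL firewall needs the equivalent outbound policy, and anything the business expects to stay on the T1s (HTTP-based services to a partner, for example) needs an explicit `deny` line above the final `permit`.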
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22599595
Before you consider that let me tell you this - routers absolutely KILL LAN speed. They are a huge bottleneck unless you have a giant (aka very expensive) router. Instead, consider using an L3 switch that has an IP Services license. An example of a switch that does this is the Cisco Catalyst 3560. With the advanced license, the switch routes like a router but without slowing down your network.
What I recommend instead is to route all traffic through the PIX (assuming it can handle the load). Using an additional router for this or splitting traffic just complicates things.
Only have VLANs on your core switch and switches. On the PIX, just use the inside interface address and put one route in your core switch to that IP address (your core switch has an IP Services or EMI license, right? Check by doing a sh ver on it.). Then use the PIX for firewall/VPN and filtering functions. Put one route in the PIX to the inside interface of the edge router. Then, use PBR on the edge router to send the right traffic out the right WAN line.
Here is a quick topology map of the right way to do it.
Internet ------ Edge router with PBR >> PIX >> Core Switch (VLANS go here) >> network
                                    |
Internet ----------------^
 
LVL 4

Author Comment

by:socalsuperhero
ID: 22599796
Our core switch is a 6509; I'm assuming I could just implement this on there?
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22599860
Yes that's right. We have 6509s as well. Just make sure in the sh ver that you see the word IP SERVICES. Please check that before we proceed.
When possible, you want all LAN routing done on switches - they're much faster than routers.
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22599864
Reserve WAN routing for routers.
 
LVL 4

Author Comment

by:socalsuperhero
ID: 22600015
"Just make sure in the sh ver that you see the word IP SERVICES. Please check that before we proceed. "

Hmmmm... this is what I'm getting:

WS-C6509 Software, Version NmpSW: 8.5(4)
Copyright (c) 1995-2006 by Cisco Systems
NMP S/W compiled on Apr 28 2006, 22:06:23

System Bootstrap Version: 8.1(3)
System Boot Image File is 'bootflash:cat6000-sup720k8.8-5-4.bin'
System Configuration register is 0x102

Hardware Version: 3.0  Model: WS-C6509  Serial #: SAL08290K1Z

PS1  Module: WS-CAC-3000W    Serial #: SNI1032AWJ9
PS2  Module: WS-CAC-3000W    Serial #: AZS09220015

Mod Port Model               Serial #    Versions
--- ---- ------------------- ----------- --------------------------------------
1   24   WS-X6724-SFP        SAL1010FC8A Hw : 2.4
                                         Fw : 8.5(4)
                                         Sw : 8.5(4)
         WS-F6700-CFC        SAL1004BD7C Hw : 2.1
                                         Sw :
2   48   WS-X6748-GE-TX      SAL09211NSJ Hw : 2.2
                                         Fw : 8.5(4)
                                         Sw : 8.5(4)
         WS-F6700-CFC        SAL0917A8DW Hw : 2.0
                                         Sw :
3   48   WS-X6748-GE-TX      SAL10019HKK Hw : 2.3
                                         Fw : 8.5(4)
                                         Sw : 8.5(4)
         WS-F6700-CFC        SAL09518BUH Hw : 2.0
                                         Sw :
5   2    WS-SUP720-BASE      SAD083900WP Hw : 3.1
                                         Fw : 8.1(3)
                                         Fw1: 8.5(4)
                                         Sw : 8.5(4)
                                         Sw1: 8.5(4)
         WS-F6K-PFC3A        SAD083505ZR Hw : 2.4
                                         Sw :
15  1    WS-SUP720           SAD083701Z4 Hw : 2.3
                                         Fw : 12.2(17d)SXB11a
                                         Sw : 12.2(17d)SXB11a

       DRAM                    FLASH                   NVRAM
Module Total   Used    Free    Total   Used    Free    Total Used  Free
------ ------- ------- ------- ------- ------- ------- ----- ----- -----
5      524288K 157796K 366492K  64000K  17955K  46045K 2048K  373K 1675K

Uptime is 2 days, 15 hours, 10 minutes
 
LVL 12

Accepted Solution

by:Pugglewuggle (earned 2000 total points)
ID: 22600164
Wow, you're running CatOS! I'm not familiar with CatOS because it's a legacy platform that is being phased out.
My suggestion is that you call TAC and have them guide you through the VLAN configuration on the 6509 - I don't want to mess up your core router.
However, with the rest of the setup, just do it like I said and it will work great!
Cheers!
