Please take a look at the layout first, then read my real question.
As you see, I have multiple VLANs that are routed by a Catalyst 4006 switch. As a gateway to the Internet I have a PIX firewall and an ISA 2004 proxy server. What I'm trying to do is to force everyone on the employees, clients and wireless VLANs to go to the Internet through the ISA 2004 firewall, and equally, everyone on the servers and directors VLANs through the PIX firewall.
Presently everyone on the employees, clients and wireless VLANs has the ISA firewall client installed or is a web proxy client, so they are already using the ISA server for Internet requests (because they have protocol-based restricted access to the Internet), but my Catalyst layer 3 switch is configured to route everything to the PIX firewall, so if they disable the firewall client, they will go directly to the net through the PIX firewall. My main goal is to force them (employees, clients and wireless) to go through the ISA server even if they disable the firewall client or clear out the proxy configuration.
Now I know I can do that on my PIX firewall by simply adding an access-list deny rule for those segments to go to the net, but I'm trying to configure that on the layer 3 module. Is that possible, and how? Do not forget, the L3 module is routing everything bound to the Internet to my PIX firewall, and I can not change that because I need my directors and servers to go through the PIX firewall at all times.
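As an added example (not part of the original post, and not a configuration taken from the poster's network), here is how policy-based routing (PBR) on an IOS-based Catalyst layer 3 module can steer Internet-bound traffic from selected VLANs to a different next hop while the default route still points at the PIX. All addresses, VLAN numbers and names are constructed assumptions: internal space 10.0.0.0/8, employees on VLAN 20, clients on VLAN 30, wireless on VLAN 40, the ISA internal interface at 10.0.99.2 and the PIX inside interface at 10.0.99.1. Whether a given 4006 supervisor supports PBR, and in hardware, has to be checked against its own documentation.

```cisco
! Added example configuration with assumed addressing; not the poster's actual network.
! The default route keeps pointing at the PIX, so the servers and directors VLANs are untouched.
ip route 0.0.0.0 0.0.0.0 10.0.99.1
!
! Match only traffic that leaves the internal network. Inter-VLAN traffic
! (file servers, printers, the ISA server itself) must keep using the normal routing table,
! so internal destinations are denied before the per-VLAN permits.
ip access-list extended INTERNET-VIA-ISA
 deny   ip any 10.0.0.0 0.255.255.255
 permit ip 10.0.20.0 0.0.0.255 any
 permit ip 10.0.30.0 0.0.0.255 any
 permit ip 10.0.40.0 0.0.0.255 any
!
! Packets matching the list get a forced next hop of the ISA server; everything else
! falls through to the routing table and therefore to the PIX.
route-map FORCE-ISA permit 10
 match ip address INTERNET-VIA-ISA
 set ip next-hop 10.0.99.2
!
! PBR is applied on the ingress interfaces, i.e. the SVIs of the VLANs to be forced.
interface Vlan20
 description Employees (assumed)
 ip address 10.0.20.1 255.255.255.0
 ip policy route-map FORCE-ISA
!
interface Vlan30
 description Clients (assumed)
 ip address 10.0.30.1 255.255.255.0
 ip policy route-map FORCE-ISA
!
interface Vlan40
 description Wireless (assumed)
 ip address 10.0.40.1 255.255.255.0
 ip policy route-map FORCE-ISA
```

To check that it is taking effect, `show route-map FORCE-ISA` reports how many packets have been policy-routed, and a traceroute from a host on one of those VLANs with the firewall client disabled should show 10.0.99.2 as the first hop. One caveat: with a plain `set ip next-hop`, if the ISA next hop becomes unreachable the packet falls back to the routing table, which in this layout means the PIX. The deny access-list on the PIX for those segments, which the post already mentions, is therefore still worth keeping as a second layer rather than being replaced by the PBR.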