Cisco 515e PIX Firewall: Route only port 80 and 443 traffic

I have a PIX 515e firewall with 3 interfaces (Inside, ISP_1, ISP_2). I currently have everything routed to ISP_1 but I would like to route all Web Browsing traffic (port 80 and 443) to ISP_2 and all other traffic continue out ISP_1.

I have setup an ACL specifying all traffic going to 0.0.0.0 on port 80 and 443 to use ISP_2. But for some reason when I do that, that ACL rule reverts back to ISP_1. I am using the PIX PDM GUI.

Also, I do not have a static route defined for the ISP_2 interface, only an ACL. I am not sure how to define that route since I already have one for ISP_1. Would it be something like this?

<local network> <Local subnet> route to <ISP_1>
<local network> <Local subnet> route to <ISP_2>

I am not sure how the above would work. I still want all non port 80 and 443 traffic to go out through ISP_1.

Your help is appreciated.


HCCI_IT asked:

JimmyLarsson commented:
Hello

You cannot do that on a PIX. You need to use something like policy-based routing to change the next-hop address based on protocol, and that's not available in PIX.

You can only have one active default route pointing outwards (to one ISP) at any time. An exception to this is the dual-ISP feature in newer OS versions, which makes the firewall able to track the status of the primary ISP connection and, if it goes down, change the default route to the second ISP. But this is a pure failover solution.

Br Jimmy
lrmoore commented:
Agree with Jimmy
The PIX can support dual ISPs only in failover mode, never in load-sharing mode.
The PIX simply cannot support policy based or source routing of any sort.

HCCI_IT (author) commented:
Can a Cisco Layer 3 switch route based on protocol? I currently have a Layer 3 switch setup as my private LAN's gateway and it is doing all the routing.

If I have a second Firewall for the ISP_2 connection and can do the routing on my switch, will that work?

lrmoore commented:
Depends. For example a Cisco 3560 with IP Base IOS cannot, but with IP Services version upgrade you get policy-based routing and other advanced routing features.
----------------------
The Cisco Catalyst 3560 is available with either the IP Base or IP Services software images and can be upgraded to the Advanced IP Services software image. The IP Base software (formerly called the Standard Multilayer Image or SMI) includes advanced QoS, rate-limiting, ACLs, and basic routing and IPv6 functionality. The IP Services software (formerly called the Enhanced Multilayer Image or EMI) provides a richer set of enterprise-class features, including advanced hardware-based IP unicast and IP Multicast routing as well as policy-based routing (PBR). The Advanced IP Services software includes IPv6 routing and IPv6 ACL support.
---------------------
Source:
http://www.cisco.com/en/US/products/hw/switches/ps5528/index.html

HCCI_IT (author) commented:
Does anyone have a route-map config example for this after I set up a second firewall?

Basically I have 1 port on a 6500 switch routing traffic on internal private network (call it 192.168.1.1)

ISP_1 Firewall (192.168.21.10)
ISP_2 Firewall (192.168.21.20)

From the 6500 routing interface (192.168.21.1), all port 80 and 443 traffic goes to ISP_1.

All other traffic goes to ISP_2.

Thanks for your help

lrmoore commented:
Something like this:

access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq http
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq https

route-map WEB permit 10
match ip address 101
set ip next-hop 192.168.21.10

All other traffic takes the default route:
ip route 0.0.0.0 0.0.0.0 192.168.21.20

Apply the route-map to the VLAN interface:
interface vlanX <== whichever VLAN is 192.168.1.x
ip policy route-map WEB

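As an added illustration (not code from the thread or from Cisco), here is a small Python model of the route-map decision in lrmoore's config above: it applies IOS wildcard-mask matching and first-match ACL semantics to constructed flows and returns the next hop each would get. It goes slightly beyond the page by also honouring explicit deny entries, and the ACL, next-hop and flow values are constructed to mirror the thread.

```python
import ipaddress

# Constructed model of:
#   access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq http / https
#   route-map WEB permit 10 / match ip address 101 / set ip next-hop 192.168.21.10
#   ip route 0.0.0.0 0.0.0.0 192.168.21.20
# Entry layout: (action, protocol, source_net, wildcard, dst_port); destination is "any".
ACL_101 = [
    ("permit", "tcp", "192.168.1.0", "0.0.0.255", 80),
    ("permit", "tcp", "192.168.1.0", "0.0.0.255", 443),
]
ROUTE_MAP_WEB = {"match_acl": ACL_101, "next_hop": "192.168.21.10"}  # ISP_1 firewall
DEFAULT_NEXT_HOP = "192.168.21.20"                                    # ISP_2 firewall


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def acl_permits(acl, proto: str, src: str, dst_port: int) -> bool:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, p, net, wc, port in acl:
        if p == proto and port == dst_port and wildcard_match(src, net, wc):
            return action == "permit"
    return False


def next_hop(proto: str, src: str, dst_port: int) -> str:
    """Policy routing on the ingress VLAN interface: route-map first, then the routing table."""
    if acl_permits(ROUTE_MAP_WEB["match_acl"], proto, src, dst_port):
        return ROUTE_MAP_WEB["next_hop"]
    return DEFAULT_NEXT_HOP


def classify(flows):
    """Return [(proto, src, dst_port, next_hop), ...] for a list of constructed flows."""
    return [(p, s, d, next_hop(p, s, d)) for p, s, d in flows]


if __name__ == "__main__":
    sample = [("tcp", "192.168.1.50", 80), ("tcp", "192.168.1.50", 443),
              ("tcp", "192.168.1.50", 22), ("udp", "192.168.1.50", 80),
              ("tcp", "192.168.2.5", 80)]
    for row in classify(sample):
        print("%-4s %-14s dst port %-4d -> next hop %s" % row)
```

A practical check after applying the config is `show route-map WEB` (match counters increment only for policy-routed packets); note that PBR on the VLAN interface affects transit traffic only, so pings from the switch itself still follow the routing table unless `ip local policy route-map` is configured.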