Solved

Cisco 515e PIX Firewall: Route only port 80 and 443 traffic

Posted on 2008-10-24
Last Modified: 2009-07-29
I have a PIX 515e firewall with 3 interfaces (Inside, ISP_1, ISP_2). I currently have everything routed to ISP_1 but I would like to route all Web Browsing traffic (port 80 and 443) to ISP_2 and all other traffic continue out ISP_1.

I have setup an ACL specifying all traffic going to 0.0.0.0 on port 80 and 443 to use ISP_2. But for some reason when I do that, that ACL rule reverts back to ISP_1. I am using the PIX PDM GUI.

Also, I do not have a static route defined for the ISP_2 interface, only an ACL. I am not sure how to define that route since I already have one for ISP_1. Would it be something like this?

<local network> <Local subnet> route to <ISP_1>
<local network> <Local subnet> route to <ISP_2>

I am not sure how the above would work. I still want all non port 80 and 443 traffic to go out through ISP_1.

Your help is appreciated.

Question by:HCCI_IT
LVL 2

Expert Comment

by:JimmyLarsson
ID: 22797713
Hello

You cannot do that on a PIX. You need to use something like policy-based routing to change the next-hop address based on protocol, and that's not available in the PIX.

You can only have one active default route pointing outwards (to one ISP) at any time. An exception to this is the dual-ISP feature in newer OS versions, which makes the firewall able to track the status of the primary ISP connection and, if it goes down, change the default route to the second ISP. But this is a pure failover solution.

Br Jimmy
LVL 79

Expert Comment

by:lrmoore
ID: 22799967
Agree with Jimmy
The PIX can support dual ISP's only in failover mode, never in load-sharing mode.
The PIX simply cannot support policy based or source routing of any sort.


Author Comment

by:HCCI_IT
ID: 22799993
Can a Cisco Layer 3 switch route based on protocol? I currently have a Layer 3 switch setup as my private LAN's gateway and it is doing all the routing.

If I have a second Firewall for the ISP_2 connection and can do the routing on my switch, will that work?
LVL 79

Expert Comment

by:lrmoore
ID: 22800264
Depends. For example a Cisco 3560 with IP Base IOS cannot, but with IP Services version upgrade you get policy-based routing and other advanced routing features.
----------------------
The Cisco Catalyst 3560 is available with either the IP Base or IP Services software images and can be upgraded to the Advanced IP Services software image. The IP Base software (formerly called the Standard Multilayer Image or SMI) includes advanced QoS, rate-limiting, ACLs, and basic routing and IPv6 functionality. The IP Services software (formerly called the Enhanced Multilayer Image or EMI) provides a richer set of enterprise-class features, including advanced hardware-based IP unicast and IP Multicast routing as well as policy-based routing (PBR). The Advanced IP Services software includes IPv6 routing and IPv6 ACL support.
---------------------
Source:
http://www.cisco.com/en/US/products/hw/switches/ps5528/index.html


Author Comment

by:HCCI_IT
ID: 22816359
Does anyone have a route-map config example for this after I set up a second firewall?

Basically I have 1 port on a 6500 switch routing traffic on internal private network (call it 192.168.1.1)

ISP_1 Firewall (192.168.21.10)
ISP_2 Firewall (192.168.21.20)

From the 6500 routing interface (192.168.21.1), all port 80 and 443 traffic goes to ISP_1.

All other traffic goes to ISP_2.

Thanks for your help

LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 22817447
Something like this:

! Extended ACL that selects the traffic to be policy-routed.
! IOS ACLs do not accept the PIX/ASA port names "http"/"https"
! (IOS calls port 80 "www"), so the numeric ports are used here.
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 443

! Route-map: flows matching ACL 101 get ISP_1's firewall as next hop.
route-map WEB permit 10
 match ip address 101
 set ip next-hop 192.168.21.10

! All other traffic takes the default route to ISP_2's firewall.
ip route 0.0.0.0 0.0.0.0 192.168.21.20

! Apply the route-map to the VLAN interface facing 192.168.1.x
! (PBR acts on traffic entering that interface).
interface vlanX <== whichever vlan is 192.168.1.x
 ip policy route-map WEB

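To make the selection logic of the accepted route-map concrete, here is an added Python model (not code from the thread or from Cisco) of how the 6500 evaluates ACL 101 and route-map WEB for a flow: IOS wildcard-mask matching, the ACL's implicit deny, and fall-through to the default route when no clause matches. The addresses are the ones from the thread; the sample flows are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class AclEntry:
    proto: str               # "tcp", "udp" or "ip" (any)
    src_net: str             # e.g. "192.168.1.0"
    src_wildcard: str        # IOS wildcard mask: 1 bits are "don't care"
    dst_port: Optional[int]  # None = any destination port

def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    # IOS wildcard compare: only bits that are 0 in the mask must be equal
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

# access-list 101 from the accepted answer (80 = www, 443 = https)
ACL_101 = [AclEntry("tcp", "192.168.1.0", "0.0.0.255", 80),
           AclEntry("tcp", "192.168.1.0", "0.0.0.255", 443)]
# route-map WEB permit 10 / match ip address 101 / set ip next-hop 192.168.21.10
ROUTE_MAP_WEB = [("permit", ACL_101, "192.168.21.10")]
# ip route 0.0.0.0 0.0.0.0 192.168.21.20
DEFAULT_NEXT_HOP = "192.168.21.20"

def acl_permits(acl: List[AclEntry], proto: str, src: str, dport: int) -> bool:
    # first-match evaluation; every IOS ACL ends with an implicit deny
    for e in acl:
        if (e.proto in (proto, "ip")
                and wildcard_match(src, e.src_net, e.src_wildcard)
                and (e.dst_port is None or e.dst_port == dport)):
            return True
    return False

def next_hop(proto: str, src: str, dport: int) -> str:
    # next hop for a flow entering the VLAN interface carrying "ip policy route-map WEB"
    for action, acl, hop in ROUTE_MAP_WEB:
        if acl_permits(acl, proto, src, dport):
            # a "deny" route-map clause would hand the flow back to normal routing
            return hop if action == "permit" else DEFAULT_NEXT_HOP
    return DEFAULT_NEXT_HOP  # no clause matched: normal routing, i.e. the default route

# Constructed sample flows (proto, source address, destination port) for the demo
SAMPLE_FLOWS = [("tcp", "192.168.1.50", 80), ("tcp", "192.168.1.50", 443),
                ("tcp", "192.168.1.50", 25), ("udp", "192.168.1.50", 80),
                ("tcp", "192.168.2.5", 80)]

def classify(flows=SAMPLE_FLOWS):
    # map every flow to the firewall it will be forwarded to
    return {f: next_hop(*f) for f in flows}
```

As in IOS, the policy only touches packets entering the interface it is applied to; traffic the 6500 originates itself is not policy-routed unless `ip local policy route-map` is also configured.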