Cisco 515e PIX Firewall: Route only port 80 and 443 traffic

I have a PIX 515e firewall with 3 interfaces (Inside, ISP_1, ISP_2). I currently have everything routed to ISP_1 but I would like to route all Web Browsing traffic (port 80 and 443) to ISP_2 and all other traffic continue out ISP_1.

I have set up an ACL specifying all traffic going to 0.0.0.0 on port 80 and 443 to use ISP_2. But for some reason when I do that, that ACL rule reverts back to ISP_1. I am using the PIX PDM GUI.

Also, I do not have a static route defined for the ISP_2 interface, only an ACL. I am not sure how to define that route since I already have one for ISP_1. Would it be something like this?

<local network> <Local subnet> route to <ISP_1>
<local network> <Local subnet> route to <ISP_2>

I am not sure how the above would work. I still want all non port 80 and 443 traffic to go out through ISP_1.

Your help is appreciated.


HCCI_IT Asked:
lrmoore Commented:
Something like this:

! ACL 101 selects web traffic from the inside subnet. IOS extended ACLs use a
! wildcard mask, and numeric ports are accepted on every IOS release
! ('www' is the IOS keyword for 80; there is no 'https' keyword).
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 443
!
! Route-map WEB sends anything matching ACL 101 to the 192.168.21.10 firewall
route-map WEB permit 10
 match ip address 101
 set ip next-hop 192.168.21.10
!
! All other traffic takes the default route
ip route 0.0.0.0 0.0.0.0 192.168.21.20
!
! Apply the route-map to the VLAN interface (whichever VLAN is 192.168.1.x)
interface vlanX
 ip policy route-map WEB

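As an added illustration (not code from the thread), a small Python model of how the route-map above classifies flows entering the VLAN interface, using the ACL and next hops from lrmoore's post; the sample flows are constructed:

```python
import ipaddress

# Policy from the answer above: extended ACL 101 plus route-map WEB that sets
# the next hop for matching flows. Everything else follows the default route.
ACL_101 = [
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80",
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 443",
]
PBR_NEXT_HOP = "192.168.21.10"      # set ip next-hop in route-map WEB
DEFAULT_NEXT_HOP = "192.168.21.20"  # ip route 0.0.0.0 0.0.0.0 192.168.21.20


def parse_ace(line):
    """Parse one 'access-list N permit <proto> <src> <wildcard> any eq <port>' line."""
    f = line.split()
    # f == ['access-list', '101', 'permit', 'tcp', '192.168.1.0', '0.0.0.255', 'any', 'eq', '80']
    assert f[2] == "permit" and f[6] == "any" and f[7] == "eq"
    src_net = int(ipaddress.IPv4Address(f[4]))
    wildcard = int(ipaddress.IPv4Address(f[5]))
    # Cisco wildcard semantics: bits set in the wildcard are "don't care"
    return {"proto": f[3], "src": src_net, "mask": ~wildcard & 0xFFFFFFFF, "dport": int(f[8])}


ACES = [parse_ace(line) for line in ACL_101]


def acl_matches(ace, proto, src, dport):
    """True if the ACE permits this flow (destination is 'any', so it is not inspected)."""
    return (ace["proto"] == proto
            and int(ipaddress.IPv4Address(src)) & ace["mask"] == ace["src"]
            and dport == ace["dport"])


def next_hop(proto, src, dst, dport):
    """Next hop a packet entering the PBR interface would receive.
    First matching ACE wins (as on IOS); no match falls back to the routing table."""
    for ace in ACES:
        if acl_matches(ace, proto, src, dport):
            return PBR_NEXT_HOP
    return DEFAULT_NEXT_HOP


if __name__ == "__main__":
    # Constructed sample flows (not from the thread)
    for flow in [("tcp", "192.168.1.25", "203.0.113.5", 443),   # steered by PBR
                 ("tcp", "192.168.1.25", "203.0.113.5", 25),    # default route
                 ("udp", "192.168.1.25", "203.0.113.5", 443),   # UDP 443 (QUIC): not tcp, default route
                 ("tcp", "10.0.0.9", "203.0.113.5", 80)]:       # other subnet: default route
        print(flow, "->", next_hop(*flow))
```

Note that the policy only affects traffic entering the VLAN interface; return traffic from either firewall is routed normally.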
 
JimmyLarsson Commented:
Hello

You cannot do that on a PIX. You need to use something like policy-based routing to change the next-hop address based on protocol, and that's not available in PIX.

You can only have one active default route pointing outwards (to one ISP) at a time. An exception to this is the dual-ISP feature in newer OS versions, which makes the firewall able to track the status of the primary ISP connection and, if it goes down, change the default route to the second ISP. But this is a pure failover solution.

Br Jimmy
 
lrmoore Commented:
Agree with Jimmy
The PIX can support dual ISP's only in failover mode, never in load-sharing mode.
The PIX simply cannot support policy based or source routing of any sort.

 
HCCI_IT Author Commented:
Can a Cisco Layer 3 switch route based on protocol? I currently have a Layer 3 switch setup as my private LAN's gateway and it is doing all the routing.

If I have a second Firewall for the ISP_2 connection and can do the routing on my switch, will that work?
 
lrmoore Commented:
Depends. For example a Cisco 3560 with IP Base IOS cannot, but with IP Services version upgrade you get policy-based routing and other advanced routing features.
----------------------
The Cisco Catalyst 3560 is available with either the IP Base or IP Services software images and can be upgraded to the Advanced IP Services software image. The IP Base software (formerly called the Standard Multilayer Image or SMI) includes advanced QoS, rate-limiting, ACLs, and basic routing and IPv6 functionality. The IP Services software (formerly called the Enhanced Multilayer Image or EMI) provides a richer set of enterprise-class features, including advanced hardware-based IP unicast and IP Multicast routing as well as policy-based routing (PBR). The Advanced IP Services software includes IPv6 routing and IPv6 ACL support.
---------------------
Source:
http://www.cisco.com/en/US/products/hw/switches/ps5528/index.html

 
HCCI_IT Author Commented:
Does anyone have a route-map config example for this after I set up a second firewall?

Basically I have 1 port on a 6500 switch routing traffic on the internal private network (call it 192.168.1.1)

ISP_1 Firewall (192.168.21.10)
ISP_2 Firewall (192.168.21.20)

From the 6500 routing interface (192.168.21.1), all port 80 and 443 traffic goes to ISP_1

All other traffic goes to ISP_2

Thanks for your help
