routing with multiple internet connections

current setup: Cisco Catalyst 4507R and Cisco PIX515E with single 10Mb connection - on 4507R "Cisco PIX515E"

we are adding another 100Mb line with a separate firewall, which is not replacing the existing line and in fact is likely to be used by one web server

how can this be done so that traffic from one or more hosts is routed through this new line for all destinations. presently the 4507R is using "ip route 0.0.0.0 0.0.0.0 192.168.110.254", where the 192.168.110.254 is the address of PIX515E
any code examples?

gddl630 Asked:

Hodepine Commented:
Do you need connectivity between the hosts using the two different internet connections?

How are they connected now? All in one LAN or do you use DMZs?

You could solve this by using policy routing, basically all traffic from such and such host, set next hop such and such, but depending on your current setup you can do it in a much easier way as well. Have the firewalls in the same inside network (192.168.110.253 for the second fw for example), and just set default gateway to the new firewall for hosts that will use that connection.

If all inside hosts are in the same network, this'll work without any extra configuration, if there are more than one inside network (LAN and DMZ for example) some static routing might be needed to keep connectivity between those networks. Depends on how you do it...
0
gddl630 Author Commented:
we have no DMZ - our MPLS provider at the time could not deliver DMZ on multiple sites

hosts will be on same subnet and yes they should be able to communicate with each other

as for the default gateway - I prefer not to have to change it on every host, because yes for now only one or few servers will use the new connection, but that may change with little notice
0
Hodepine Commented:
Are your hosts also in the 192.168.110.0 network?

And you say the 4507R has 192.168.110.254 as default gateway. Is this the gateway for the rest of the hosts as well, or does the 4507R do some routing too?
0

gddl630 Author Commented:
no hosts are on 10.0.x.x
192.168.110.x is a separate vlan and the firewall is connected directly to one of the 4507R's ports

for all hosts internally on the network the 4507R is the gateway and all traffic with destination external to us is presently sent to firewall using this line on 4507R "ip route 0.0.0.0 0.0.0.0 192.168.110.254"
0
Hodepine Commented:
Ok, I see. What you need then is policy based routing (aka PBR).

! your source addresses to be policy routed to the old gateway
access-list 1 permit 10.0.x.x
! your source addresses to be policy routed to the new gateway
access-list 2 permit 10.0.y.y
!
interface fastethernet 3/1
 ip policy route-map your-map-name
!
route-map your-map-name permit 10
 match ip address 1
 set ip default next-hop 192.168.110.254
route-map your-map-name permit 20
 match ip address 2
 set ip default next-hop 192.168.110.253

First of all, check if the command "ip policy" is supported on your interface, can't remember if it's supported in ip base or if you need ip services. You could also do it with just the one permit and let all other traffic just use the regular default gateway, but I can't give any advice on what's better, since I don't know your complete setup.
0

Hodepine Commented:
Interface is the inbound interface, btw, and I guess you could use it on a vlan interface as well.
0
gddl630 Author Commented:
no ip policy, but service-policy is available

thanks for your help
0
Hodepine Commented:
Service policy is for qos, has nothing to do with PBR unfortunately.
0
gddl630 Author Commented:
according to cisco this will only work on a layer 3 interface, which is why previously it appeared that it is not present
0
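
An added example, not part of any post in this thread: the single-permit variant mentioned above, applied to a layer 3 VLAN interface as the last comment requires. The VLAN number, the server address and the ACL and route-map names are constructed for illustration; 192.168.110.253 is the address suggested earlier in the thread for the second firewall.

```cisco
! Constructed values: Vlan10 (layer 3 interface where the server's traffic
! enters the 4507R), 10.0.1.10 (web server), NEW-LINE-HOSTS and VIA-NEW-FW.
!
! Hosts whose internet-bound traffic should leave through the new firewall.
ip access-list standard NEW-LINE-HOSTS
 remark sources policy routed to the new 100Mb line
 permit host 10.0.1.10
!
! "set ip default next-hop" applies only when the routing table has no
! explicit route to the destination, so traffic from the server to internal
! subnets is still routed normally and only default-routed traffic is diverted.
route-map VIA-NEW-FW permit 10
 match ip address NEW-LINE-HOSTS
 set ip default next-hop 192.168.110.253
!
! No second route-map entry: packets that match no entry are forwarded by the
! routing table, i.e. "ip route 0.0.0.0 0.0.0.0 192.168.110.254".
!
! Apply on the inbound layer 3 interface for the hosts' VLAN.
interface Vlan10
 ip policy route-map VIA-NEW-FW
!
! Verify from exec mode:
!   show ip policy
!   show route-map VIA-NEW-FW
```

Moving another host to the new line is one more permit line in NEW-LINE-HOSTS; the default gateway on the hosts stays the same.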