Sorry, I forgot to mention, the external interface of the PIX is connected to a leased line and this is the default gateway for PIX. The proxy server is the only client I want to use the ADSL (connected to another interface on the PIX). If I set the default gateway to the PIX, then traffic would continue across leased line (the objective is to move traffic from the proxy to the ADSL).

If the objective is to route Proxy's traffic towards ADSL, then point the default gateway towards ADSL.

I didnt get it why you are involving PIX then?

your ADSL router should have the support for NAT.

Thanks

Nadeem

It's currently policy to put all external traffic through the PIX so there is one administrator and one device to configure all filters etc. If the proxy server is connected directly to the ADSL router, then the PIX is potentially bypassed and security is reliant on a £100 ADSL router.

Just to summarise, this would mean a PIX 515 with a deafult gateway of a leased line to ISP (current config). We are proposing an ADSL line with router connected to another interface on the PIX, for use only by the proxy server.

Hi,

I think your point is to have some particular traffic go through the leased line (for example smtp that needs fixed IP), and the other traffic from proxy such as web to use ADSL line

I used to deal with such situations, you must be having one leased line router and one ADSL router outside your pix

leasedline router---pix---inside network

ADSL router -------/

This problem can be solved by using policy routing in your leased line router

1. Make sure the proxy server has its own NAT IP address in pix (I assume you use NAT in the pix), so you can differentiate between traffic sourced from proxy server and from other hosts

2. PIX should point its default gateway to leased line router, as your current setup

3. Create access-list in leased-line router to permit traffic from proxy server as source (proxy NAT IP definetely), simple acl can do:

access-list 1 permit [proxy IP]

4. Create route-map

route-map proxy permit 10

match ip address 1

set ip next-hop [ip address of ADSL ethernet]

route-map proxy permit 20

this route-map (sequence 10) will monitor traffic as per access-list 1, which is traffic from proxy server

It will then send this traffic to ADSL ethernet

The second sequence of route-map (20) is necessary to allow other traffic to goes to leased line router (processed normally)

5. Apply the route-map to ethernet interface of leased line router

interface f0/0

ip policy route-map proxy

6. You can verify your policy routing by checking the access-list 1 hit counter and route-map counter

sh access-l

sh route-m

I suggest you to check cisco site for policy routing, but example above should work

Hope this help

Thanks for your reply.

Yes, it is true, policy routing would be ideal, becuase I am trying to achieve exactly what you say. However, the leased line router is managed by our ISP and they are unwilling to implement this. At this time, it is not appropriate for us to replace this with our own router to allow this change. I don't think you can do policy routing on the PIX either, can you ?

This is why I was coming from the view point of giving the ASDL router a static NAT on internal network and pointing Proxy server at it, and restricting traffic to just the Proxy. I am having some trouble getting this working though and wondered if any else had any other suggestions.

How about replacing the £100 adsl router with a cisco 837 and doing the pbr on that ? Expensive but do-able !

Barry.