03-14-2003 03:59 AM - edited 02-20-2020 10:37 PM
I am using Cisco PIX version 6.2(2). I have configured six DMZs on the PIX. Out of these, 2 DMZs are connected to the Internet - one through DSL and another through a leased circuit.
I want to allow (say) 5 users to use the Internet through the DSL and another 5 users to use the Net through the leased line, all of them simultaneously.
route outside 0.0.0.0 0.0.0.0 62.4.1.1
route dmz 0.0.0.0 0.0.0.0 61.3.5.7
My problem is that out of the above routes, whichever I give a metric of 1, all the above 10 users go through that route.
I had tried to give NAT to the two sets of users through different interfaces as follows:
global (outside) 1 62.4.1.2
global (dmz) 2 interface
But both try to use the first route (if that has metric 1), i.e. one default route, to go to the net, as I am not able to control the route based on origination. The current route command can base the route on destination.
What is a solution or workaround?
Also, in case either the DSL or the leased circuit goes down, I want all the ten users to go through the interface which is up.
Please HELP.
03-14-2003 06:02 AM
You are looking for source-based routing, which the Pix does not do.
What you could do instead is have the router for each connection NAT the source address as it comes in. For example, router A NATs the source addresses to 10.0.0.0/8. Router B NATs the source addresses to 172.16.0.0/20. Then you place routes in the Pix that point appropriately to both routers. Of course, the nat/global statements on the Pix will ensure that traffic is NATted correctly for the ISP of that router.
The problem is outbound "load-balancing". The only way I know to accomplish this is to have two Pix interfaces on the inside also. That way you can have the router do source-based routing on the inside to split the traffic between the 10 internal source IPs. On ingress, the traffic matches an ACL and routes some users out one interface, and the others out the other interface.
If you wait until Pix code 6.3, you'll be able to use sub-interfaces on the Pix's interfaces. Then you can use a single physical interface for the inside and the outside to have "two" interfaces. Of course, a decent router can already do multiple interfaces on a single interface. Hopefully, you're using a decent router internally.
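As an added illustration of the inside-router approach described in this answer (example configuration, not from the original posts): a Cisco IOS policy-based routing fragment that matches each group of five source hosts with an ACL and sets a different next hop for each, one PIX inside interface per Internet link. All host addresses, next-hop addresses and interface names are assumptions.

```cisco
! Added example, not from the thread: source-based split on the inside
! router via policy-based routing. Group A goes to the PIX interface in
! front of the DSL link, group B to the PIX interface in front of the
! leased line. Addresses and interface names are assumed values.
ip access-list extended GROUP-A-SOURCES
 permit ip host 192.168.1.11 any
 permit ip host 192.168.1.12 any
 permit ip host 192.168.1.13 any
 permit ip host 192.168.1.14 any
 permit ip host 192.168.1.15 any
ip access-list extended GROUP-B-SOURCES
 permit ip host 192.168.1.21 any
 permit ip host 192.168.1.22 any
 permit ip host 192.168.1.23 any
 permit ip host 192.168.1.24 any
 permit ip host 192.168.1.25 any
!
! Sequence 10: group A -> assumed PIX inside interface #1 (DSL side)
route-map SPLIT-INTERNET permit 10
 match ip address GROUP-A-SOURCES
 set ip next-hop 192.168.10.1
! Sequence 20: group B -> assumed PIX inside interface #2 (leased-line side)
route-map SPLIT-INTERNET permit 20
 match ip address GROUP-B-SOURCES
 set ip next-hop 192.168.20.1
! Any source that matches neither ACL is routed by the normal
! destination-based routing table.
!
! Apply the policy on the interface where the user traffic arrives.
interface FastEthernet0/0
 description user LAN (ingress for PBR)
 ip address 192.168.1.1 255.255.255.0
 ip policy route-map SPLIT-INTERNET
```

Both next-hop addresses must be on subnets the router is directly connected to (one router interface towards each PIX inside interface), otherwise the set ip next-hop clause is ignored and the packet falls back to the routing table.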
03-16-2003 09:37 PM
Thanks shannong.
But is it possible to create a site-to-site VPN on the side with the least traffic going through it? If the VPN deems traffic interesting (needing to go out route A) it will send it through the VPN; otherwise it will automatically go out the default route.