06-06-2005 06:21 AM - edited 02-21-2020 12:11 AM
Hi all,
I would like to have two WAN routers in the outside network of my PIX and perform basic policy-based routing. I mean, depending on which IP is going to the internet, the router sends the packets to one default router or to another.
Is that config possible?
Regards,
Luis Miguel.
06-06-2005 07:12 AM
It is about the only way you can use a single pix (or failover bundle) to handle two internet connections each with their own IP allocation.
The main issue to be resolved is not the outbound policy routing, mapping IP to correct ISP, which is straightforward, but the detection and handling of the various points of failure.
I set up two 2600 with 3 interfaces each:
Inside interfaces presenting a single IP via HSRP, tracking the ISP interfaces.
Router-router interfaces running an IGP routing protocol
ISP-facing interfaces which need to be directly connected to the ISP router if you want to detect interface down.
It's not very elegant, so I waited for PIX 7 because I was told that it would be able to support policy routing, but it was not so :(
06-14-2005 06:53 AM
Regarding the detection of failure...
Check this page:
http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a0080211f5c.shtml
If you run a routing protocol against the ISPs it's even easier.. you don't have to do ping-tests.. :)
I haven't seen any policy-routing in the PIX either..
v7.0 has ECMP support for up to 3 equal-cost gateways, but they are just load-balanced and have to be on the same interface.
06-06-2005 01:44 PM
Yes, it's possible.
06-07-2005 01:17 AM
Can you clarify how?
06-19-2005 10:00 AM
isp1-------R1----.2------|
| |
| HSRP .1 |---------.4-PIX------
| |
isp2-------R2----.3------|
You can run OSPF between R1, R2, PIX or use a default route to HSRP-ip-address.
Odd inside hosts will be translated to ISP1 address space:
nat (inside) 1 0.0.0.1 0.0.0.1
global (outside) 1 ISP1-ip-address
Even inside hosts will be translated to ISP2 address space:
nat (inside) 2 0.0.0.0 0.0.0.1
global (outside) 2 ISP2-ip-address
On R1, R2 you must have policy-routing.
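A sketch of the router-side policy routing that the post above calls for, added here as an example and not taken from any poster's configuration. All addresses, interface names, ACL numbers and the route-map name are constructed assumptions: transit LAN 10.0.0.0/29 numbered as in the diagram (.1 HSRP, .2 R1, .3 R2, .4 PIX), ISP1 NAT pool 198.51.100.0/28, ISP2 NAT pool 203.0.113.0/28.

```cisco
! ---------- R1 (faces ISP1) ----------
! Packets the PIX translated into the ISP2 pool must leave via R2.
access-list 102 permit ip 203.0.113.0 0.0.0.15 any
!
route-map FROM-PIX permit 10
 match ip address 102
 set ip next-hop 10.0.0.3
!
interface FastEthernet0/0
 description Transit LAN to PIX outside (assumed interface name)
 ip address 10.0.0.2 255.255.255.248
 ip policy route-map FROM-PIX
 standby 1 ip 10.0.0.1
 standby 1 priority 110
 standby 1 preempt
 ! Lower the HSRP priority if the ISP-facing link goes down
 standby 1 track Serial0/0
!
! Return traffic for the ISP1 pool goes back to the PIX
ip route 198.51.100.0 255.255.255.240 10.0.0.4
!
! ---------- R2 (faces ISP2) ----------
! Mirror image: packets sourced from the ISP1 pool must leave via R1.
access-list 101 permit ip 198.51.100.0 0.0.0.15 any
!
route-map FROM-PIX permit 10
 match ip address 101
 set ip next-hop 10.0.0.2
!
interface FastEthernet0/0
 description Transit LAN to PIX outside (assumed interface name)
 ip address 10.0.0.3 255.255.255.248
 ip policy route-map FROM-PIX
 standby 1 ip 10.0.0.1
 standby 1 preempt
 standby 1 track Serial0/0
!
ip route 203.0.113.0 255.255.255.240 10.0.0.4
```

Packets that match no route-map entry fall through to the normal routing table, so each router forwards its own ISP's pool by its ordinary default route. A plain `set ip next-hop` keeps forwarding to the peer router even when that peer's ISP link is down, which is the failure-detection problem raised earlier in the thread.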
06-20-2005 02:59 AM
Hi Luis,
I'm no PIX expert, but I believe you can achieve what you are referring to by using Policy NAT.
See the last config example called "Use Policy NAT" in the following URL.
You may also have a LOT more flexibility determining which local IP ranges to use in your policy decisions with PIX OS v7.0.
Cheers,
Dave.