Velocity Reviews


BitBucket 10-21-2003 06:40 PM

Walter Roberson...HELP!
 
I need help. We have a T1 and a DSL circuit coming into our PIX 515e.
There is NO router in front of the PIX. The connections come in via
ethernet from both of the ISPs. The ISPs are separate and are not in a
contiguous IP address space. Inside we have a class A network (10.0.0.0)
that is subnetted into 5 class B networks (10.1.0.0, 10.2.0.0, 10.3.0.0,
10.4.0.0, 10.5.0.0). We would like to send outbound traffic from 10.1.0.0
and 10.2.0.0 out the DSL circuit and the outbound traffic from 10.3.0.0,
10.4.0.0, and 10.5.0.0 out the T1. Is this possible to do without having a
head end router? I have had 2 CCIEs tell me it is but have no further
information from them as to how it is done.

We can route based on destination IP or network all day. Man would it be
cool if we could route based on source network. That should be an
addition to version 6.3(4)!

Thanks!



Ivan Ostres 10-22-2003 08:13 AM

Re: Walter Roberson...HELP!
 
"BitBucket" <nospam@blueridgebdc.org> wrote in message
news:bn3uj6$154f$1@news3.infoave.net...
> I need help. We have a T1 and a DSL circuit coming into our PIX 515e.
> There is NO router in front of the PIX. The connections come in via
> ethernet from both of the ISPs. The ISPs are separate and are not in a
> contiguous IP address space. Inside we have a class A network (10.0.0.0)
> that is subnetted into 5 class B networks (10.1.0.0, 10.2.0.0, 10.3.0.0,
> 10.4.0.0, 10.5.0.0). We would like to send outbound traffic from 10.1.0.0
> and 10.2.0.0 out the DSL circuit and the outbound traffic from 10.3.0.0,
> 10.4.0.0, and 10.5.0.0 out the T1. Is this possible to do without having a
> head end router? I have had 2 CCIEs tell me it is but have no further
> information from them as to how it is done.
>
> We can route based on destination IP or network all day. Man would it be
> cool if we could route based on source network. That should be an
> addition to version 6.3(4)!
>


I think that it would be "Policy NAT"

Ivan



Rik Bain 10-22-2003 02:14 PM

Re: Walter Roberson...HELP!
 
On Wed, 22 Oct 2003 21:16:39 +0600, Mike Gallagher wrote:

> Policy NAT will determine your NAT address based on
> source/destination/port (whatever you specify in the ACL), but that will
> not determine how you are routed. For what you want to do, you'll need
> two NAT pools, but not necessarily policy NAT because you don't need to
> specify a different NAT address based on the destination, just the
> source.
>
> To route based on destination you need policy routing. In 6.3 the PIX
> introduced route maps. The documentation ties this with OSPF, but it
> still may work without it (never tried). Here is a link to the doc.
>
> http://www.cisco.com/univercd/cc/td/...mr.htm#1017196
>
> You'll most likely have something like this (in addition to your NAT
> groups).
>
> access-list dsl permit ip 10.1.0.0 255.255.0.0 any
> access-list dsl permit ip 10.2.0.0 255.255.0.0 any
> access-list t1 permit ip 10.3.0.0 255.255.0.0 any
> access-list t1 permit ip 10.4.0.0 255.255.0.0 any
> access-list t1 permit ip 10.5.0.0 255.255.0.0 any
>
> route-map outbound permit 10
> match ip address dsl
> set ip next-hop <ip address of dsl router>
> route-map outbound permit 20
> match ip address t1
> set ip next-hop <ip address of T1 router>
>
> HTH - Mike



NAH, route-maps on pix are not for PBR.....one day.

Mike Gallagher 10-22-2003 03:16 PM

Re: Walter Roberson...HELP!
 
Policy NAT will determine your NAT address based on
source/destination/port (whatever you specify in the ACL), but that
will not determine how you are routed. For what you want to do,
you'll need two NAT pools, but not necessarily policy NAT because you
don't need to specify a different NAT address based on the
destination, just the source.

To route based on destination you need policy routing. In 6.3 the PIX
introduced route maps. The documentation ties this with OSPF, but it
still may work without it (never tried). Here is a link to the doc.

http://www.cisco.com/univercd/cc/td/...mr.htm#1017196

You'll most likely have something like this (in addition to your NAT
groups).

access-list dsl permit ip 10.1.0.0 255.255.0.0 any
access-list dsl permit ip 10.2.0.0 255.255.0.0 any
access-list t1 permit ip 10.3.0.0 255.255.0.0 any
access-list t1 permit ip 10.4.0.0 255.255.0.0 any
access-list t1 permit ip 10.5.0.0 255.255.0.0 any

route-map outbound permit 10
match ip address dsl
set ip next-hop <ip address of dsl router>
route-map outbound permit 20
match ip address t1
set ip next-hop <ip address of T1 router>

HTH - Mike


"Ivan Ostres" <john@fly.srk.fer.hr> wrote in message news:<bn5e7m$tafm6$1@ID-61273.news.uni-berlin.de>...
> "BitBucket" <nospam@blueridgebdc.org> wrote in message
> news:bn3uj6$154f$1@news3.infoave.net...
> > I need help. We have a T1 and a DSL circuit coming into our PIX 515e.
> > There is NO router in front of the PIX. The connections come in via
> > ethernet from both of the ISPs. The ISPs are separate and are not in a
> > contiguous IP address space. Inside we have a class A network (10.0.0.0)
> > that is subnetted into 5 class B networks (10.1.0.0, 10.2.0.0, 10.3.0.0,
> > 10.4.0.0, 10.5.0.0). We would like to send outbound traffic from 10.1.0.0
> > and 10.2.0.0 out the DSL circuit and the outbound traffic from 10.3.0.0,
> > 10.4.0.0, and 10.5.0.0 out the T1. Is this possible to do without having a
> > head end router? I have had 2 CCIEs tell me it is but have no further
> > information from them as to how it is done.
> >
> > We can route based on destination IP or network all day. Man would it be
> > cool if we could route based on source network. That should be an
> > addition to version 6.3(4)!
> >

>
> I think that it would be "Policy NAT"
>
> Ivan
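
As an added illustration, not code from the thread or from Cisco: a small Python evaluator for the source-based policy Mike sketches, which parses his access-list and route-map lines (PIX ACEs take real netmasks, an ACL is first-match with an implicit deny, route-map clauses are walked in sequence order) and returns the next hop a given source address would be handed, or None when no clause matches and the ordinary routing table applies. The next-hop addresses are placeholders because the thread never gives them, and since the thread later establishes that PIX 6.3 route-maps do not perform PBR, this models the semantics a head-end router (IOS-style policy routing) would apply, which is useful for checking a proposed policy against sample sources before deploying it.

```python
import ipaddress

# Constructed from the access-list and route-map lines in Mike's post;
# the two next-hop addresses are placeholders, not values from the thread.
PIX_CONFIG = """
access-list dsl permit ip 10.1.0.0 255.255.0.0 any
access-list dsl permit ip 10.2.0.0 255.255.0.0 any
access-list t1 permit ip 10.3.0.0 255.255.0.0 any
access-list t1 permit ip 10.4.0.0 255.255.0.0 any
access-list t1 permit ip 10.5.0.0 255.255.0.0 any
route-map outbound permit 10
 match ip address dsl
 set ip next-hop 192.0.2.1
route-map outbound permit 20
 match ip address t1
 set ip next-hop 198.51.100.1
"""

def parse_config(text):
    # Returns ({acl_name: [(action, network), ...]}, [route-map clauses by seq])
    acls, clauses, clause = {}, [], None
    for p in (line.split() for line in text.splitlines() if line.strip()):
        if p[0] == "access-list":
            # PIX ACE: access-list NAME permit|deny ip SRC SRCMASK DST [DSTMASK]
            src = "0.0.0.0/0" if p[4] == "any" else f"{p[4]}/{p[5]}"
            net = ipaddress.ip_network(src, strict=False)
            acls.setdefault(p[1], []).append((p[2], net))
        elif p[0] == "route-map":
            clause = {"seq": int(p[3]), "action": p[2], "acl": None, "next_hop": None}
            clauses.append(clause)
        elif p[:3] == ["match", "ip", "address"]:
            clause["acl"] = p[3]
        elif p[:3] == ["set", "ip", "next-hop"]:
            clause["next_hop"] = p[3]
    return acls, sorted(clauses, key=lambda c: c["seq"])

def acl_permits(aces, addr):
    # First matching ACE decides; an ACL ends in an implicit deny.
    for action, net in aces:
        if addr in net:
            return action == "permit"
    return False

def policy_next_hop(src_ip, acls, clauses):
    # Walk the route-map in sequence order; None means "use the routing table".
    addr = ipaddress.ip_address(src_ip)
    for c in clauses:
        if c["action"] == "permit" and acl_permits(acls.get(c["acl"], []), addr):
            return c["next_hop"]
    return None
```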


Ivan Ostres 10-23-2003 07:28 AM

Re: Walter Roberson...HELP!
 
"Mike Gallagher" <mike@ieee.org> wrote in message
news:8f82cdbc.0310220716.6fd0281d@posting.google.com...
> Policy NAT will determine your NAT address based on
> source/destination/port (whatever you specify in the ACL), but that
> will not determine how you are routed. For what you want to do,
> you'll need two NAT pools, but not necessarily policy NAT because you
> don't need to specify a different NAT address based on the
> destination, just the source.
>
> To route based on destination you need policy routing. In 6.3 the PIX
> introduced route maps. The documentation ties this with OSPF, but it
> still may work without it (never tried). Here is a link to the doc.
>


They tie route maps with ospf because they are there AFAIK, just for OSPF.
Policy routing doesn't work.

Ivan



Mike Gallagher 10-23-2003 01:42 PM

Re: Walter Roberson...HELP!
 
Yeah, I just confirmed in the lab. route-maps on the PIX are only for
route redistribution. It was worth a shot though. So basically, I
don't think there is a way to do what you are looking for without
another device doing the PBR (or some other mechanism) for you.

If there is, I'd love to know about it.

Mike
Rik Bain <rik@remove.bainz.org> wrote in message news:<pan.2003.10.22.20.14.24.854772.3267@remove.bainz.org>...
> On Wed, 22 Oct 2003 21:16:39 +0600, Mike Gallagher wrote:
>
> > Policy NAT will determine your NAT address based on
> > source/destination/port (whatever you specify in the ACL), but that will
> > not determine how you are routed. For what you want to do, you'll need
> > two NAT pools, but not necessarily policy NAT because you don't need to
> > specify a different NAT address based on the destination, just the
> > source.
> >
> > To route based on destination you need policy routing. In 6.3 the PIX
> > introduced route maps. The documentation ties this with OSPF, but it
> > still may work without it (never tried). Here is a link to the doc.
> >
> > http://www.cisco.com/univercd/cc/td/...mr.htm#1017196
> >
> > You'll most likely have something like this (in addition to your NAT
> > groups).
> >
> > access-list dsl permit ip 10.1.0.0 255.255.0.0 any
> > access-list dsl permit ip 10.2.0.0 255.255.0.0 any
> > access-list t1 permit ip 10.3.0.0 255.255.0.0 any
> > access-list t1 permit ip 10.4.0.0 255.255.0.0 any
> > access-list t1 permit ip 10.5.0.0 255.255.0.0 any
> >
> > route-map outbound permit 10
> > match ip address dsl
> > set ip next-hop <ip address of dsl router>
> > route-map outbound permit 20
> > match ip address t1
> > set ip next-hop <ip address of T1 router>
> >
> > HTH - Mike

>
>
> NAH, route-maps on pix are not for PBR.....one day.


