«

Hello all,

Been on here quite a bit about load balancing and such. We have a 3640 that
all of our site to site T1's terminate on. All internet traffic from all
sites flows through this router. We currently have 3 firewalls for 3
sifferent circuits. Each firewall is handling NAT for its own circuit. I
wish to eliminate 2 of the firewalls and use our PIX 515e to do all the PAT
and static NAT for all 3 circuits. Now I understand that the PIX can only
have 1 default route outside. So I wonder this:

Could we install a 4 port ethernet module in the 3640 and bind public IP's
to it, the do routing on it out to the internet. Basically the 3640 would
handle routing for all of our private IP's and our public ones. On the
router we currently have 3 default routes:

0.0.0.0 0.0.0.0 192.168.200.1
0.0.0.0 0.0.0.0 192.168.200.3
0.0.0.0 0.0.0.0 192.168.200.4
with the outbound eth interface being 192.168.200.2

What I am wanting to is pull to firewalls so we would only have 1 default
route on the 3640:
0.0.0.0 0.0.0.0 192.168.200.3 pointing to the PIX

The pix would NAT everything then forward it to an eth interface on that
same 3640, which would then load balance the outbound traffic to the
internet.

Is this even possible? It seems like I would be introducing a route loop if
I did this. If it is possible, how would I handle the default routes. It
would have 1 pre-natted pointing at the pix
0.0.0.0 0.0.0.0 192.168.200.3

The 1 route for each of our 3 internet circuits
0.0.0.0 0.0.0.0 100.100.100.1 (example)
0.0.0.0 0.0.0.0 100.100.200.1
0.0.0.0 0.0.0.0 100.100.300.1

How would the router cope with this?

Thanks alot!!!

Forrest

In article <cndp7f$4c71$>,
Forrest <> wrote:
>Hello all,
>
>Been on here quite a bit about load balancing and such. We have a 3640 that
>all of our site to site T1's terminate on. All internet traffic from all
>sites flows through this router. We currently have 3 firewalls for 3
>sifferent circuits. Each firewall is handling NAT for its own circuit. I
>wish to eliminate 2 of the firewalls and use our PIX 515e to do all the PAT
>and static NAT for all 3 circuits. Now I understand that the PIX can only
>have 1 default route outside. So I wonder this:
>
>Could we install a 4 port ethernet module in the 3640 and bind public IP's
>to it, the do routing on it out to the internet. Basically the 3640 would
>handle routing for all of our private IP's and our public ones. On the
>router we currently have 3 default routes:
>
>0.0.0.0 0.0.0.0 192.168.200.1
>0.0.0.0 0.0.0.0 192.168.200.3
>0.0.0.0 0.0.0.0 192.168.200.4
>with the outbound eth interface being 192.168.200.2
>
>What I am wanting to is pull to firewalls so we would only have 1 default
>route on the 3640:
>0.0.0.0 0.0.0.0 192.168.200.3 pointing to the PIX
>
>The pix would NAT everything then forward it to an eth interface on that
>same 3640, which would then load balance the outbound traffic to the
>internet.
>
>Is this even possible? It seems like I would be introducing a route loop if
>I did this. If it is possible, how would I handle the default routes. It
>would have 1 pre-natted pointing at the pix
>0.0.0.0 0.0.0.0 192.168.200.3
>
>The 1 route for each of our 3 internet circuits
>0.0.0.0 0.0.0.0 100.100.100.1 (example)
>0.0.0.0 0.0.0.0 100.100.200.1
>0.0.0.0 0.0.0.0 100.100.300.1
>
>How would the router cope with this?
>
>Thanks alot!!!
>
>Forrest

You can do what you want on the 3640 using policy routing. Whether
you should is another story, as is whether or not it will work once
you're done. For example, if each of your current three firewalls
NATs to a different IP address, you have another set of challenges
(think about how symmetric routing and connection maintenance will
be provided, and how Cisco routers do per session load balancing).

--
Vincent C Jones, Consultant Expert advice and a helping hand
Networking Unlimited, Inc. for those who want to manage and
Tenafly, NJ Phone: 201 568-7810 control their networking destiny
http://www.networkingunlimited.com

The other solution would be to have PIX to return NAT-ed traffic into VRF on
3640 which will perfectly
accomodate 3 extra default static routes.
HTH,
Cheers
Alex

"Vincent C Jones" <> wrote in message
news:cnfr5e$ngg$...
> In article <cndp7f$4c71$>,
> Forrest <> wrote:
> >Hello all,
> >
> >Been on here quite a bit about load balancing and such. We have a 3640
that
> >all of our site to site T1's terminate on. All internet traffic from all
> >sites flows through this router. We currently have 3 firewalls for 3
> >sifferent circuits. Each firewall is handling NAT for its own circuit.
I
> >wish to eliminate 2 of the firewalls and use our PIX 515e to do all the
PAT
> >and static NAT for all 3 circuits. Now I understand that the PIX can
only
> >have 1 default route outside. So I wonder this:
> >
> >Could we install a 4 port ethernet module in the 3640 and bind public
IP's
> >to it, the do routing on it out to the internet. Basically the 3640
would
> >handle routing for all of our private IP's and our public ones. On the
> >router we currently have 3 default routes:
> >
> >0.0.0.0 0.0.0.0 192.168.200.1
> >0.0.0.0 0.0.0.0 192.168.200.3
> >0.0.0.0 0.0.0.0 192.168.200.4
> >with the outbound eth interface being 192.168.200.2
> >
> >What I am wanting to is pull to firewalls so we would only have 1 default
> >route on the 3640:
> >0.0.0.0 0.0.0.0 192.168.200.3 pointing to the PIX
> >
> >The pix would NAT everything then forward it to an eth interface on that
> >same 3640, which would then load balance the outbound traffic to the
> >internet.
> >
> >Is this even possible? It seems like I would be introducing a route loop
if
> >I did this. If it is possible, how would I handle the default routes.
It
> >would have 1 pre-natted pointing at the pix
> >0.0.0.0 0.0.0.0 192.168.200.3
> >
> >The 1 route for each of our 3 internet circuits
> >0.0.0.0 0.0.0.0 100.100.100.1 (example)
> >0.0.0.0 0.0.0.0 100.100.200.1
> >0.0.0.0 0.0.0.0 100.100.300.1
> >
> >How would the router cope with this?
> >
> >Thanks alot!!!
> >
> >Forrest
>
> You can do what you want on the 3640 using policy routing. Whether
> you should is another story, as is whether or not it will work once
> you're done. For example, if each of your current three firewalls
> NATs to a different IP address, you have another set of challenges
> (think about how symmetric routing and connection maintenance will
> be provided, and how Cisco routers do per session load balancing).
>
> --
> Vincent C Jones, Consultant Expert advice and a helping hand
> Networking Unlimited, Inc. for those who want to manage and
> Tenafly, NJ Phone: 201 568-7810 control their networking destiny
> http://www.networkingunlimited.com