PBR. Router and PIX Same LAN

jnez367@yahoo.com
      04-23-2005
I need to route traffic to the Internet through a PIX and send traffic
to my branch through a PVC, bypassing the PIX (RFC1918 addresses).
Where should my route map be assigned? I have everything working with
the route map on atm1/0.2 (the interface from the Internet), next hop
the PIX outside interface, but I am not sure this is correct. I saw a
similar Cisco doc that has the route map on the Ethernet interface of
the router.

From Branch                       Internet
     |                                |
  atm1/0.1                         atm1/0.2  (PBR: next-hop PIX outside, any IP)
     +------------- Router -------------+
     |                                |
   fa0/0                            fa0/1
     |                                |
     |                               PIX
     |                                |
     +-------------- LAN --------------+

Tony Clifton
      04-23-2005
I don't quite understand what you are trying to achieve, but PBR is always
applied on the interface on which packets are received, not the outgoing
interface, so your configuration should be OK.

/TC

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I need to route traffic to the Internet through a PIX and send traffic
> to my branch through a PVC, bypassing the PIX (RFC1918 addresses).
> Where should my route map be assigned? I have everything working with
> the route map on atm1/0.2 (the interface from the Internet), next hop
> the PIX outside interface, but I am not sure this is correct. I saw a
> similar Cisco doc that has the route map on the Ethernet interface of
> the router.
>
> From Branch                       Internet
>      |                                |
>   atm1/0.1                         atm1/0.2  (PBR: next-hop PIX outside, any IP)
>      +------------- Router -------------+
>      |                                |
>    fa0/0                            fa0/1
>      |                                |
>      |                               PIX
>      |                                |
>      +-------------- LAN --------------+
>

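The setup the two posts above describe, written out as an added IOS configuration example (this is not the poster's configuration; every address is assumed: 192.0.2.1 for the PIX outside interface on the router's fa0/1 segment, 10.1.0.0/16 for the head-office LAN on fa0/0, 10.2.0.0/16 for the branch behind atm1/0.1, and it assumes LAN hosts use the PIX inside address as their default gateway). The security point it adds is the failure mode of PBR: when no route-map clause matches, or the configured next hop is not reachable (fa0/1 down, PIX outside gone), IOS forwards the packet by the normal routing table, and that table reaches the LAN directly through the connected route on fa0/0. An inbound ACL on the Internet PVC, evaluated before PBR, is what actually stops an Internet-sourced packet addressed to a private host from walking around the firewall:

```cisco
! Added example (not the poster's configuration). Assumed addressing:
!   192.0.2.1      PIX outside interface, on the router's fa0/1 segment
!   10.1.0.0/16    head-office LAN on fa0/0
!   10.2.0.0/16    branch, behind the PVC on atm1/0.1
!
! Inbound ACL on the Internet PVC. It is evaluated before PBR and is the real
! safety net: if PBR cannot apply its next hop (no clause matched, or the PIX
! outside address is unreachable) IOS routes the packet normally, and the
! normal table reaches the LAN directly through the connected route on fa0/0.
ip access-list extended FROM-INTERNET
 remark RFC1918 sources or destinations have no business on the Internet link
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
! Everything that survives the ACL is handed to the PIX outside interface.
ip access-list extended ANY-IP
 permit ip any any
!
route-map INET-TO-PIX permit 10
 match ip address ANY-IP
 set ip next-hop 192.0.2.1
!
! PBR goes on the interface the packets arrive on (the Internet PVC),
! not on the interface they leave by.
interface ATM1/0.2 point-to-point
 description Internet PVC
 ip access-group FROM-INTERNET in
 ip policy route-map INET-TO-PIX
!
! Second layer on the LAN side: the only traffic the router should ever put
! onto fa0/0 is branch-to-LAN traffic, so an Internet packet that falls back
! to the normal routing table still cannot exit here. (If the router, rather
! than the PIX inside address, is the LAN hosts' default gateway, add a
! permit for 10.1.0.0/16 sources so hairpinned Internet-bound traffic passes.)
ip access-list extended LAN-OUT
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
 deny   ip any any log
!
interface FastEthernet0/0
 description Head-office LAN
 ip access-group LAN-OUT out
```

To confirm the policy is attached to the ingress side, `show ip policy` lists the interface/route-map pairs, and `show route-map INET-TO-PIX` shows the match counters increasing for traffic arriving on the PVC; `show ip interface ATM1/0.2` should list both the inbound access list and the policy route map.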
jnez367@yahoo.com
      04-23-2005
Thanks. I just want to be sure incoming Internet traffic does not
bypass the PIX. It should not, because my routing table shows a
connected route to the PIX fa0/1 network. I did not think I would need
PBR, but I could not get things going without it.

Traffic from the branch building will be coming in on a non-routable
IP. I would expect the PIX would drop it if it hit the outside interface.
That is why I have the two gateway devices on one LAN. Is there a
better way to do this? Connect the other PIX interface to the branch's
on fa0/0?

Tony Clifton
      04-23-2005
Ok I think I understand the scenario now.

In this case I would configure separate routing instances with VRFs on the
"outside" router.

For example you can create two instances, one for the branch office and
another for the internet. Each VRF has its own IP routing table, CEF table,
and two interfaces that use this forwarding table. No information can leak
between interfaces in different VRFs.

Think of it as a kind of VPN, or MPLS "light".

Regards,

/TC

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Thanks. I just want to be sure incoming internet traffic does not
> bypass the pix. It should not because my routing table shows a
> connected route to the pix fa0/1 network. I did not think I would need
> PBR, but I could not get things going without it.
>
> Traffic from the branch building will be coming in on a non-routable
> ip. I would expect the pix would drop it if it hit the outside intf.
> That is why I have the two gateway devices on one LAN. Is there a
> better way to do this? Connect the other pix interface to the branch's
> on fa0/0?
>

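The VRF-lite (Multi-VRF CE) split suggested above, as an added IOS example on an image that supports it (not the poster's or the replier's configuration; addressing is assumed: 10.1.0.0/16 for the LAN with the PIX inside at 10.1.0.1, 10.2.0.0/16 for the branch via 10.255.0.2 on the branch PVC, 192.0.2.0/30 between fa0/1 and the PIX outside at 192.0.2.1, 203.0.113.0/30 toward the ISP at 203.0.113.1, and 198.51.100.0/24 as the public range the PIX translates to). Each interface is bound to one table, so a packet that enters on the Internet PVC can only be looked up in the INTERNET table, which contains no route to the LAN or the branch at all; no PBR is needed for firewall enforcement, and there is no routing-table fallback to leak through:

```cisco
! Added example of VRF-lite separation on the router (not the poster's or
! replier's configuration). Assumed addressing:
!   10.1.0.0/16     head-office LAN (fa0/0), PIX inside at 10.1.0.1
!   10.2.0.0/16     branch, reached via 10.255.0.2 on the branch PVC
!   192.0.2.0/30    fa0/1 <-> PIX outside (192.0.2.1)
!   203.0.113.0/30  Internet PVC, ISP next hop 203.0.113.1
!   198.51.100.0/24 public addresses the PIX translates to
ip vrf BRANCH
 rd 65000:1
!
ip vrf INTERNET
 rd 65000:2
!
! Branch PVC and the LAN share one table. Note that "ip vrf forwarding"
! clears the interface address, so the address is (re)entered after it.
interface ATM1/0.1 point-to-point
 description Branch PVC
 ip vrf forwarding BRANCH
 ip address 10.255.0.1 255.255.255.252
!
interface FastEthernet0/0
 description Head-office LAN
 ip vrf forwarding BRANCH
 ip address 10.1.0.254 255.255.0.0
!
! The Internet PVC and the PIX outside link share the other table.
interface ATM1/0.2 point-to-point
 description Internet PVC
 ip vrf forwarding INTERNET
 ip address 203.0.113.2 255.255.255.252
!
interface FastEthernet0/1
 description PIX outside
 ip vrf forwarding INTERNET
 ip address 192.0.2.2 255.255.255.252
!
! BRANCH table: the branch via the PVC, everything else to the PIX inside
! address (LAN hosts can then use 10.1.0.254 as their only gateway).
! Nothing arriving in the INTERNET VRF can ever use these routes.
ip route vrf BRANCH 10.2.0.0 255.255.0.0 10.255.0.2
ip route vrf BRANCH 0.0.0.0 0.0.0.0 10.1.0.1
!
! INTERNET table: default to the ISP, the PIX's public range back to the
! PIX outside interface. There is deliberately no route to 10.0.0.0/8 here.
ip route vrf INTERNET 0.0.0.0 0.0.0.0 203.0.113.1
ip route vrf INTERNET 198.51.100.0 255.255.255.0 192.0.2.1
```

Check the separation with `show ip route vrf INTERNET` (no private prefixes should appear) and `show ip cef vrf INTERNET 10.1.0.10`, which should resolve to the default route toward the ISP rather than to fa0/0; `ping vrf INTERNET 192.0.2.1` confirms the PIX outside is reachable from the right table. The PIX itself keeps a default route to 192.0.2.2 on its outside interface and needs no knowledge of the branch.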
Walter Roberson
      04-23-2005
In article <(E-Mail Removed)>,
<(E-Mail Removed)> wrote:
:I need to route traffic to the Internet through a PIX and send traffic
:to my branch through a pvc bypassing the pix. (RFC1918 addresses)

Why not have the traffic go through the PIX, but use

nat (inside) 0 access-list ACLNAME

That disables NAT for traffic that matches the ACL (note: the ACL
is read with the inside traffic being in the first field and the
outside being in the second field; so for traffic going out,
it is read in the normal source-then-dest sense, and for traffic
coming in it is read in "in reverse")

--
Would you buy a used bit from this man??
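The NAT exemption described above, as an added PIX 6.x example of what the whole path needs (not the replier's configuration; assumed: inside 10.1.0.0/16, branch 10.2.0.0/16, PIX outside 192.0.2.1 with the router's fa0/1 at 192.0.2.2 on the same segment, and the router forwarding to both the branch PVC and the ISP). `nat 0` only turns translation off; the PIX still needs a route to the branch, or it will send that traffic down its default route, and an explicit permit on the outside interface, since branch packets now arrive from a lower-security interface. One caveat for this design: with branch and Internet traffic both entering on the outside interface, the PIX cannot tell a spoofed 10.2.x.x source from the Internet apart from a genuine branch packet, so the router must drop RFC1918 sources on the Internet PVC before they reach the PIX.

```cisco
! Added example (PIX 6.x syntax, not the replier's configuration). Assumed:
!   inside 10.1.0.0/16, branch 10.2.0.0/16
!   PIX outside 192.0.2.1, router fa0/1 at 192.0.2.2 on the outside segment
!
! NAT exemption: inside-to-branch traffic keeps its private source address.
! The ACL is written inside-first; the PIX reads it in reverse for the
! return flow, so one line covers both directions.
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
!
! Routing: branch and default both via the router, which picks the PVC.
route outside 10.2.0.0 255.255.0.0 192.0.2.2 1
route outside 0.0.0.0 0.0.0.0 192.0.2.2 1
!
! Branch-sourced packets arrive on the outside (security 0) interface, so
! they need an explicit permit. Keep it to the branch and LAN subnets only;
! the router's inbound ACL on the Internet PVC must already drop RFC1918
! sources, because from here a spoofed 10.2.x.x looks like the branch.
access-list OUTSIDE_IN permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-group OUTSIDE_IN in interface outside
!
! Ordinary Internet-bound traffic is still PATed to the outside address;
! nat 0 with an ACL takes precedence over this rule for matching flows.
global (outside) 1 interface
nat (inside) 1 10.1.0.0 255.255.0.0
```

After applying it, `show xlate` should show no translation entries for LAN-to-branch flows while Internet flows still appear, and `show conn` lists the branch sessions as ordinary stateful connections, which is the advantage over routing the branch around the firewall: the PIX now inspects that traffic as well.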