PIX 525, I think I need Policy-based routing??

Arthur Brain
      04-24-2007
The picture:
PIX has one External interface to the ISP

PIX has one Inside interface to the network

PIX has 3rd interface direct to the network core


What I've been asked to do:
(Don't blame me for the current setup, I would have set the ISP
connection up as a trunk with VPN on a different VLAN if I had been
involved in building this).

VPN users coming in via the ISP need to be routed to the 3rd
interface, so that their internet-connection attempts can be routed
via the web-filtering thingie, before coming back to the PIX on the
Inside interface.
At this stage, traffic that is Source:VPN_Subnets/Dest:Internet BUT
coming in on Inside interface, needs to just use the normal default
route.


I haven't played with PIXs much, and I would never set this up this
way in the first place (had I been asked) but apparently they are no
longer talking to their ISP, or willing to change anything else, so
I'm stuck crossing my fingers that PBR can do this.

Can it?

If so, can you give me some rough (or even detailed!) hints?

Walter Roberson
      04-24-2007
In article <(E-Mail Removed). com>,
Arthur Brain <(E-Mail Removed)> wrote:
>PIX has one External interface to the ISP
>PIX has one Inside interface to the network
>PIX has 3rd interface direct to the network core


>What I've been asked to do:


>VPN users coming in via the ISP need to be routed to the 3rd
>interface, so that their internet-connection attempts can be routed
>via the web-filtering thingie, before coming back to the PIX on the
>Inside interface.
>At this stage, traffic that is Source:VPN_Subnets/Dest:Internet BUT
>coming in on Inside interface, needs to just use the normal default
>route.


You can't do Policy Based Routing on a PIX, not even in PIX 7.x.

What you -might- be able to do with PIX 7.x is use "security
contexts". I haven't looked at those, so I don't know what the
limitations are. I wouldn't be surprised, though, if any one
interface could only be part of one security context: if that were
the case then you'd probably need to use at least one VLAN interface...
but likely that VLAN would end up being on the outside interface,
which would Not Be Good for your situation.
Frank Winkler
      04-24-2007
Arthur Brain wrote:

>VPN users coming in via the ISP need to be routed to the 3rd
>interface, so that their internet-connection attempts can be routed
>via the web-filtering thingie, before coming back to the PIX on the
>Inside interface.


Why not force them through a proxy, having them inwards and back outwards
on the inside interface?

Regards

fw
Brian V
      04-24-2007

"Walter Roberson" <(E-Mail Removed)> wrote in message
news:u7hXh.121744$6m4.107665@pd7urf1no...
> In article <(E-Mail Removed). com>,
> Arthur Brain <(E-Mail Removed)> wrote:
>>PIX has one External interface to the ISP
>>PIX has one Inside interface to the network
>>PIX has 3rd interface direct to the network core

>
>>What I've been asked to do:

>
>>VPN users coming in via the ISP need to be routed to the 3rd
>>interface, so that their internet-connection attempts can be routed
>>via the web-filtering thingie, before coming back to the PIX on the
>>Inside interface.
>>At this stage, traffic that is Source:VPN_Subnets/Dest:Internet BUT
>>coming in on Inside interface, needs to just use the normal default
>>route.

>
> You can't do Policy Based Routing on a PIX, not even in PIX 7.x.
>
> What you -might- be able to do with PIX 7.x is use "security
> contexts". I haven't looked at those, so I don't know what the
> limitations are. I wouldn't be surprised, though, if any one
> interface could only be part of one security context: if that were
> the case then you'd probably need to use at least one VLAN interface...
> but likely that VLAN would end up being on the outside interface,
> which would Not Be Good for your situation.


Some of the limitations of multi context are:
1. No VPN.
2. No OSPF (or RIP). Statics only.
3. No Multicast.
4. No ISP redundancy configuration. This I cannot find documented anywhere
but spent days with TAC on it, they couldn't get it to work either. There is
still a case open on this, going on 4 months now....developers are involved
at this point.

You can have the same interface on multiple contexts, i.e. a single internal
interface X.X.X.X used; it's referred to as a shared interface. When using a
shared interface it relies on the static NATs as the classifier to tell the
ASA/PIX/FWSM which context to deliver the traffic through. When using a shared
interface you cannot use NAT 0 lists because of the way the classifier
works.

Here's a decent link on multiple context on 7.2
http://www.cisco.com/en/US/products/...080636f9b.html





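As an added illustration of the shared-interface setup Brian describes (constructed here, not taken from any poster or from Cisco's documentation), two contexts share the inside interface, and each context's static is what lets the classifier pick a context for a packet arriving there. Interface names, addresses, file names and the exact 7.x command forms are assumptions to check against the Cisco guide linked above.

```text
! --- System execution space (PIX 7.x multiple-context mode) ---
! Interface names, addresses and file names are assumed for illustration.
mode multiple
admin-context admin
context admin
  allocate-interface Ethernet0 mgmt
  config-url flash:/admin.cfg
! Context A: the normal default route to the ISP.
context ctx-a
  allocate-interface Ethernet1 outside
  allocate-interface Ethernet2 inside
  config-url flash:/ctx-a.cfg
! Context B: owns the third interface towards the filtering box.
! Ethernet2 is allocated to both contexts, so it is a shared interface.
context ctx-b
  allocate-interface Ethernet3 filtered
  allocate-interface Ethernet2 inside
  config-url flash:/ctx-b.cfg

! --- ctx-a.cfg (constructed addresses) ---
! Each context gives the shared interface its own address.
interface inside
  nameif inside
  security-level 100
  ip address 10.1.1.1 255.255.255.0
! A packet entering the shared inside interface is handed to the context
! whose static maps the packet's destination address on that interface.
! Here hosts reachable via "outside" are presented to inside as 203.0.113.0/24.
static (outside,inside) 203.0.113.0 192.0.2.0 netmask 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1

! --- ctx-b.cfg (constructed addresses) ---
interface inside
  nameif inside
  security-level 100
  ip address 10.1.1.2 255.255.255.0
! Destinations in 198.51.100.0/24 classify to this context and leave via
! the filtered interface instead of the ISP.
static (filtered,inside) 198.51.100.0 172.16.0.0 netmask 255.255.255.0
route filtered 0.0.0.0 0.0.0.0 172.16.0.1
! Not usable on the shared interface: "nat (inside) 0 access-list ...",
! because exempted traffic gives the classifier no static to match.
```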
Arthur Brain
      04-27-2007

Frank Winkler wrote:
> Arthur Brain wrote:
>
> >VPN users coming in via the ISP need to be routed to the 3rd
> >interface, so that their internet-connection attempts can be routed
> >via the web-filtering thingie, before coming back to the PIX on the
> >Inside interface.

>
> Why not forcing them through a proxy, having them inwards and back outwards
> on the inside interface?


Presumably, when I present them with the solution for doing it on the
PIX, which looks like it will work by enabling security contexts,
segregating traffic by destination address (only the VPN-source
traffic will have external addresses on it AND come through the
external PIX interface), and using up an extra interface to route that
traffic inside of their web-filtering thingie, they will decide there
is an easier way of doing it.
