Complicated Router Config Question

Discussion in 'Cisco' started by Forrest, Nov 16, 2004.

  1. Forrest

    Forrest Guest

    Hello all,

    Been on here quite a bit about load balancing and such. We have a 3640 that
    all of our site to site T1's terminate on. All internet traffic from all
    sites flows through this router. We currently have 3 firewalls for 3
    different circuits. Each firewall is handling NAT for its own circuit. I
    wish to eliminate 2 of the firewalls and use our PIX 515e to do all the PAT
    and static NAT for all 3 circuits. Now I understand that the PIX can only
    have 1 default route outside. So I wonder this:

    Could we install a 4 port ethernet module in the 3640 and bind public IP's
    to it, then do routing on it out to the internet. Basically the 3640 would
    handle routing for all of our private IP's and our public ones. On the
    router we currently have 3 default routes:

    0.0.0.0 0.0.0.0 192.168.200.1
    0.0.0.0 0.0.0.0 192.168.200.3
    0.0.0.0 0.0.0.0 192.168.200.4
    with the outbound eth interface being 192.168.200.2

    What I am wanting to do is pull two firewalls so we would only have 1 default
    route on the 3640:
    0.0.0.0 0.0.0.0 192.168.200.3 pointing to the PIX

    The pix would NAT everything then forward it to an eth interface on that
    same 3640, which would then load balance the outbound traffic to the
    internet.

    Is this even possible? It seems like I would be introducing a route loop if
    I did this. If it is possible, how would I handle the default routes. It
    would have 1 pre-natted pointing at the pix
    0.0.0.0 0.0.0.0 192.168.200.3

    The 1 route for each of our 3 internet circuits
    0.0.0.0 0.0.0.0 100.100.100.1 (example)
    0.0.0.0 0.0.0.0 100.100.200.1
    0.0.0.0 0.0.0.0 100.100.300.1

    How would the router cope with this?

    Thanks a lot!!!

    Forrest
     
    Forrest, Nov 16, 2004
    #1

  2. In article <cndp7f$4c71$>,
    Forrest <> wrote:
    >Hello all,
    >
    >Been on here quite a bit about load balancing and such. We have a 3640 that
    >all of our site to site T1's terminate on. All internet traffic from all
    >sites flows through this router. We currently have 3 firewalls for 3
    >different circuits. Each firewall is handling NAT for its own circuit. I
    >wish to eliminate 2 of the firewalls and use our PIX 515e to do all the PAT
    >and static NAT for all 3 circuits. Now I understand that the PIX can only
    >have 1 default route outside. So I wonder this:
    >
    >Could we install a 4 port ethernet module in the 3640 and bind public IP's
    >to it, then do routing on it out to the internet. Basically the 3640 would
    >handle routing for all of our private IP's and our public ones. On the
    >router we currently have 3 default routes:
    >
    >0.0.0.0 0.0.0.0 192.168.200.1
    >0.0.0.0 0.0.0.0 192.168.200.3
    >0.0.0.0 0.0.0.0 192.168.200.4
    >with the outbound eth interface being 192.168.200.2
    >
    >What I am wanting to do is pull two firewalls so we would only have 1 default
    >route on the 3640:
    >0.0.0.0 0.0.0.0 192.168.200.3 pointing to the PIX
    >
    >The pix would NAT everything then forward it to an eth interface on that
    >same 3640, which would then load balance the outbound traffic to the
    >internet.
    >
    >Is this even possible? It seems like I would be introducing a route loop if
    >I did this. If it is possible, how would I handle the default routes. It
    >would have 1 pre-natted pointing at the pix
    >0.0.0.0 0.0.0.0 192.168.200.3
    >
    >The 1 route for each of our 3 internet circuits
    >0.0.0.0 0.0.0.0 100.100.100.1 (example)
    >0.0.0.0 0.0.0.0 100.100.200.1
    >0.0.0.0 0.0.0.0 100.100.300.1
    >
    >How would the router cope with this?
    >
    >Thanks a lot!!!
    >
    >Forrest


    You can do what you want on the 3640 using policy routing. Whether
    you should is another story, as is whether or not it will work once
    you're done. For example, if each of your current three firewalls
    NATs to a different IP address, you have another set of challenges
    (think about how symmetric routing and connection maintenance will
    be provided, and how Cisco routers do per session load balancing).

    --
    Vincent C Jones, Consultant Expert advice and a helping hand
    Networking Unlimited, Inc. for those who want to manage and
    Tenafly, NJ Phone: 201 568-7810 control their networking destiny
    http://www.networkingunlimited.com
     
    Vincent C Jones, Nov 17, 2004
    #2

  3. Forrest

    JNCIP#0136 Guest

    The other solution would be to have PIX to return NAT-ed traffic into VRF on
    3640 which will perfectly accommodate 3 extra default static routes.
    HTH,
    Cheers
    Alex

    "Vincent C Jones" <> wrote in message
    news:cnfr5e$ngg$...
    > In article <cndp7f$4c71$>,
    > Forrest <> wrote:
    > >Hello all,
    > >
    > >Been on here quite a bit about load balancing and such. We have a 3640 that
    > >all of our site to site T1's terminate on. All internet traffic from all
    > >sites flows through this router. We currently have 3 firewalls for 3
    > >different circuits. Each firewall is handling NAT for its own circuit. I
    > >wish to eliminate 2 of the firewalls and use our PIX 515e to do all the PAT
    > >and static NAT for all 3 circuits. Now I understand that the PIX can only
    > >have 1 default route outside. So I wonder this:
    > >
    > >Could we install a 4 port ethernet module in the 3640 and bind public IP's
    > >to it, then do routing on it out to the internet. Basically the 3640 would
    > >handle routing for all of our private IP's and our public ones. On the
    > >router we currently have 3 default routes:
    > >
    > >0.0.0.0 0.0.0.0 192.168.200.1
    > >0.0.0.0 0.0.0.0 192.168.200.3
    > >0.0.0.0 0.0.0.0 192.168.200.4
    > >with the outbound eth interface being 192.168.200.2
    > >
    > >What I am wanting to do is pull two firewalls so we would only have 1 default
    > >route on the 3640:
    > >0.0.0.0 0.0.0.0 192.168.200.3 pointing to the PIX
    > >
    > >The pix would NAT everything then forward it to an eth interface on that
    > >same 3640, which would then load balance the outbound traffic to the
    > >internet.
    > >
    > >Is this even possible? It seems like I would be introducing a route loop if
    > >I did this. If it is possible, how would I handle the default routes. It
    > >would have 1 pre-natted pointing at the pix
    > >0.0.0.0 0.0.0.0 192.168.200.3
    > >
    > >The 1 route for each of our 3 internet circuits
    > >0.0.0.0 0.0.0.0 100.100.100.1 (example)
    > >0.0.0.0 0.0.0.0 100.100.200.1
    > >0.0.0.0 0.0.0.0 100.100.300.1
    > >
    > >How would the router cope with this?
    > >
    > >Thanks a lot!!!
    > >
    > >Forrest
    >
    > You can do what you want on the 3640 using policy routing. Whether
    > you should is another story, as is whether or not it will work once
    > you're done. For example, if each of your current three firewalls
    > NATs to a different IP address, you have another set of challenges
    > (think about how symmetric routing and connection maintenance will
    > be provided, and how Cisco routers do per session load balancing).
    >
    > --
    > Vincent C Jones, Consultant Expert advice and a helping hand
    > Networking Unlimited, Inc. for those who want to manage and
    > Tenafly, NJ Phone: 201 568-7810 control their networking destiny
    > http://www.networkingunlimited.com
     
    JNCIP#0136, Nov 22, 2004
    #3
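
As an added example (not written by any poster in this thread), the Python sketch below models next-hop selection on the 3640 to show the route-loop concern from post #1, the separate-table (VRF) idea from post #3, and the symmetric-routing caveat from post #2. The table names, interface labels and gateway placeholders are assumptions made for illustration.

```python
# Added illustration, not from the thread. Models only next-hop selection on the 3640.
PIX = "192.168.200.3"  # PIX address as given in the thread
# Constructed placeholders: one gateway label per internet circuit (A, B, C).
ISP_GW = {"A": "gw-A", "B": "gw-B", "C": "gw-C"}

def outcomes(tables, iface_table, max_hops=4):
    """Enumerate every result equal-cost default routes allow for a LAN flow."""
    found = set()

    def walk(in_iface, natted, hops):
        if hops == max_hops:
            found.add("loop")            # packet keeps bouncing 3640 <-> PIX
            return
        # The lookup uses the table bound to the interface the packet arrived on.
        for next_hop in tables[iface_table[in_iface]]:
            if next_hop == PIX:
                walk("from-pix", True, hops + 1)   # PIX translates, hands it back
            else:
                found.add("nat-ok" if natted else "bypass-nat")

    walk("lan", False, 0)
    return found

def egress_choices(nat_owner, policy_route):
    """Circuits a translated packet may leave on, given which circuit owns its NAT address."""
    if policy_route:                      # next hop chosen by translated source address
        return {nat_owner}
    return set(ISP_GW)                    # plain equal-cost defaults: any circuit

# Design 1: one routing table holding all four default routes.
ONE_TABLE = ({"global": [PIX, *ISP_GW.values()]},
             {"lan": "global", "from-pix": "global"})
# Design 2: the interface receiving post-NAT traffic sits in its own table (the VRF idea).
SPLIT = ({"global": [PIX], "INET": list(ISP_GW.values())},
         {"lan": "global", "from-pix": "INET"})

if __name__ == "__main__":
    print("one table :", sorted(outcomes(*ONE_TABLE)))
    print("split     :", sorted(outcomes(*SPLIT)))
    print("A-owned NAT address, no policy route:", sorted(egress_choices("A", False)))
    print("A-owned NAT address, policy route   :", sorted(egress_choices("A", True)))
```

With a single table, some flows can leave untranslated or bounce back to the PIX; with the split tables every flow is translated exactly once, but a translated packet can still leave on a circuit that does not own its public address unless the next hop is selected by source.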