PBR. Router and PIX Same LAN

Discussion in 'Cisco' started by jnez367@yahoo.com, Apr 23, 2005.

  1. Guest

    I need to route traffic to the Internet through a PIX and send traffic
    to my branch through a pvc bypassing the pix. (RFC1918 addresses)
    Where should my route map be assigned? I have everything working with
    the route map on atm1/0.2 from Internet next hop pix outside intf, but
    I am not sure this is correct. I saw a similar Cisco doc that has the
    route map on the ethernet Intf of the router.

    From Branch

    --------- Router
    atm 1/0.1 atm1/0.2 PBR next-hop
    | | PIX outside any IP
    | |
    | | fa0/1
    | |
    | Pix
    fa0/0 | |
    -----------------------
    LAN
     
    , Apr 23, 2005
    #1

  2. Tony Clifton Guest

    I don't quite understand what you are trying to achieve, but pbr is always
    applied on the interface on which packets are received, not the outgoing
    interface, so your configuration should be ok.

    /TC

    <> wrote in message
    news:...
    >I need to route traffic to the Internet through a PIX and send traffic
    > to my branch through a pvc bypassing the pix. (RFC1918 addresses)
    > Where should my route map be assigned? I have everything working with
    > the route map on atm1/0.2 from Internet next hop pix outside intf, but
    > I am not sure this is correct. I saw a similar Cisco doc that has the
    > route map on the ethernet Intf of the router.
    >
    > From Branch

    > --------- Router
    > atm 1/0.1 atm1/0.2 PBR next-hop
    > | | PIX outside any IP
    > | |
    > | | fa0/1
    > | |
    > | Pix
    > fa0/0 | |
    > -----------------------
    > LAN
    >
     
    Tony Clifton, Apr 23, 2005
    #2
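    As an added example (not from the thread), the original poster's setup written out as an IOS configuration: the route map lives on atm1/0.2 because that is where Internet packets arrive. Interface names come from the diagram; all addresses, ACL and route-map names are constructed.

    ```cisco
    ! Added example, not from the thread. Constructed addresses:
    !   LAN 192.0.2.0/24 on fa0/0 (the router's connected route that would
    !   otherwise let Internet traffic bypass the PIX)
    !   PIX outside 203.0.113.2, router fa0/1 203.0.113.1
    !   Branch 192.168.20.0/24 via the PVC on atm1/0.1 (next hop 10.0.0.2)
    !   Internet via the PVC on atm1/0.2 (next hop 198.51.100.1)
    !
    ! Packets that must be forced through the PIX: Internet traffic for the LAN.
    ip access-list extended INTERNET-TO-LAN
     permit ip any 192.0.2.0 0.0.0.255
    !
    route-map INTERNET-IN permit 10
     match ip address INTERNET-TO-LAN
     set ip next-hop 203.0.113.2
    !
    ! PBR is evaluated where packets ARRIVE, so it goes on the Internet PVC.
    interface ATM1/0.2 point-to-point
     description Internet PVC
     ip address 198.51.100.2 255.255.255.252
     ip policy route-map INTERNET-IN
    !
    ! Branch traffic arrives here and follows the normal routing table
    ! straight to fa0/0; it never touches the PIX.
    interface ATM1/0.1 point-to-point
     description Branch PVC (RFC1918 addresses)
     ip address 10.0.0.1 255.255.255.252
    !
    interface FastEthernet0/0
     description Inside LAN (shared with the PIX inside interface)
     ip address 192.0.2.1 255.255.255.0
    !
    interface FastEthernet0/1
     description Link to PIX outside
     ip address 203.0.113.1 255.255.255.252
    !
    ip route 0.0.0.0 0.0.0.0 198.51.100.1
    ip route 192.168.20.0 255.255.255.0 10.0.0.2
    !
    ! Verification: "show route-map INTERNET-IN" shows the policy match
    ! counter climbing only for packets that arrived on ATM1/0.2; packets
    ! the ACL does not match still follow the ordinary routing table.
    ```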

  3. Guest

    Re: PBR. Router and PIX Same LAN

    Thanks. I just want to be sure incoming internet traffic does not
    bypass the pix. It should not because my routing table shows a
    connected route to the pix fa0/1 network. I did not think I would need
    PBR, but I could not get things going without it.

    Traffic from the branch building will be coming in on a non-routable
    ip. I would expect the pix would drop it if it hit the outside intf.
    That is why I have the two gateway devices on one LAN. Is there a
    better way to do this? Connect the other pix interface to the branch's
    on fa0/0?
     
    , Apr 23, 2005
    #3
  4. Tony Clifton Guest

    Re: PBR. Router and PIX Same LAN

    Ok I think I understand the scenario now.

    In this case I would configure separate routing instances with VRFs on the
    "outside" router.

    For example you can create two instances, one for the branch office and
    another for the internet. Each VRF has its own IP routing table, CEF table,
    and two interfaces that use this forwarding table. No information can leak
    between interfaces in different VRFs.

    Think of it as a kind of VPN, or MPLS "light".

    Regards,

    /TC

    <> wrote in message
    news:...
    > Thanks. I just want to be sure incoming internet traffic does not
    > bypass the pix. It should not because my routing table shows a
    > connected route to the pix fa0/1 network. I did not think I would need
    > PBR, but I could not get things going without it.
    >
    > Traffic from the branch building will be coming in on a non-routable
    > ip. I would expect the pix would drop it if it hit the outside intf.
    > That is why I have the two gateway devices on one LAN. Is there a
    > better way to do this? Connect the other pix interface to the branch's
    > on fa0/0?
    >
     
    Tony Clifton, Apr 23, 2005
    #4
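    The VRF split Tony describes, as an added example that is not from the thread: one routing table for the Internet side (atm1/0.2 and fa0/1) and one for the branch side (atm1/0.1 and fa0/0), so the Internet table simply has no connected route onto the LAN. Addresses, VRF names and route distinguishers are constructed, and the router is assumed to run an IOS release with VRF-lite.

    ```cisco
    ! Added example, not from the thread. Constructed addresses:
    !   LAN 192.0.2.0/24 on fa0/0, PIX outside 203.0.113.2 via fa0/1,
    !   branch 192.168.20.0/24 via 10.0.0.2, Internet via 198.51.100.1.
    ! Assumes an IOS release with VRF-lite (no MPLS needed).
    !
    ip vrf INTERNET
     rd 65000:1
    ip vrf BRANCH
     rd 65000:2
    !
    ! "ip vrf forwarding" clears the interface IP address, so assign the VRF
    ! before (re-)entering the address.
    interface ATM1/0.2 point-to-point
     description Internet PVC
     ip vrf forwarding INTERNET
     ip address 198.51.100.2 255.255.255.252
    !
    interface FastEthernet0/1
     description Link to PIX outside
     ip vrf forwarding INTERNET
     ip address 203.0.113.1 255.255.255.252
    !
    interface ATM1/0.1 point-to-point
     description Branch PVC
     ip vrf forwarding BRANCH
     ip address 10.0.0.1 255.255.255.252
    !
    interface FastEthernet0/0
     description Inside LAN
     ip vrf forwarding BRANCH
     ip address 192.0.2.1 255.255.255.0
    !
    ! Internet VRF: the only path to the LAN is the PIX outside address.
    ! fa0/0 is not in this table, so Internet traffic cannot bypass the PIX
    ! even if a route map is mistyped later.
    ip route vrf INTERNET 0.0.0.0 0.0.0.0 198.51.100.1
    ip route vrf INTERNET 192.0.2.0 255.255.255.0 203.0.113.2
    !
    ! Branch VRF: LAN is directly connected, branch via the PVC. No default
    ! route here, so branch traffic has no path to the Internet through the
    ! router either.
    ip route vrf BRANCH 192.168.20.0 255.255.255.0 10.0.0.2
    !
    ! Verification: "show ip route vrf INTERNET" must not list 192.0.2.0/24
    ! as connected; "ping vrf BRANCH 192.168.20.1" tests the branch path.
    ```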
  5. In article <>,
    <> wrote:
    :I need to route traffic to the Internet through a PIX and send traffic
    :to my branch through a pvc bypassing the pix. (RFC1918 addresses)

    Why not have the traffic go through the PIX, but use

    nat (inside) 0 access-list ACLNAME

    That disables NAT for traffic that matches the ACL (note: the ACL
    is read with the inside traffic being in the first field and the
    outside being in the second field; so for traffic going out,
    it is read in the normal source-then-dest sense, and for traffic
    coming in it is read "in reverse")

    --
    Would you buy a used bit from this man??
     
    Walter Roberson, Apr 23, 2005
    #5
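    The NAT-exemption approach above, as an added example that is not from the thread. Here the branch PVC still terminates on the router, but the router forwards branch traffic to the PIX outside interface instead of straight onto the LAN. PIX 6.x syntax; addresses and ACL names are constructed.

    ```cisco
    ! Added example, not from the thread. Constructed addresses:
    !   inside LAN 192.0.2.0/24, branch 192.168.20.0/24, reached through the
    !   router at 203.0.113.1 on the PIX outside segment.
    !
    ! nat 0 access-list entries are written inside-first: source = inside
    ! network, destination = the far side. The PIX applies the same entry in
    ! reverse to packets arriving on the outside interface.
    access-list NONAT permit ip 192.0.2.0 255.255.255.0 192.168.20.0 255.255.255.0
    nat (inside) 0 access-list NONAT
    !
    ! The PIX still needs to know where the branch prefix lives.
    route outside 192.168.20.0 255.255.255.0 203.0.113.1 1
    !
    ! Exemption from NAT is not permission: inbound connections from the
    ! branch (arriving on the lower-security outside interface) still need an
    ! explicit ACL, and it should permit only the branch prefix, so any other
    ! RFC1918 source hitting the outside interface is still dropped.
    access-list OUTSIDE-IN permit ip 192.168.20.0 255.255.255.0 192.0.2.0 255.255.255.0
    access-group OUTSIDE-IN in interface outside
    !
    ! Verification: "show nat" lists the exemption; "show access-list NONAT"
    ! hit counts climb for both directions of branch <-> LAN traffic.
    ```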
