PIX 501 - 2 WAN Connections, how to route certain IPs to the 2nd WAN

Discussion in 'Cisco' started by Casper, Aug 17, 2007.

  1. Casper

    Casper Guest

    Hello all,
    I have 2 WAN Connections.
    1=Broadband connection with static IP (172.23.14.2)
    2=T-1 connection with static IP (172.23.14.1)
    I want all traffic to default to the Broadband connection
    (172.23.14.2) but I need a few IPs to route over to the T-1. The IPs I
    need to route to the T-1 are...
    128.1.0.3
    172.16.0.154
    192.168.192.37

    How & where do I enter this information? I only have the GUI interface
    to work with.
    In the PDM I have the following setup and it is not working...
    Under the Configuration - Host/Networks tab I've added an Outside
    Interface named Blah with the following specs.

    Basic Info
    IP = 128.1.0.3
    Mask = 255.255.255.255
    Int = outside
    Name = Blah

    Routing
    Checked Define Static Route
    Gateway IP = 172.23.14.1
    Metric = 2

    I have the same setup for the other 2 IPs as well (with different
    names). I've applied the command and saved the router config and it
    still doesn't route.
    FYI, I changed the Interface to also be Inside just in case and it did
    not change any of the final results.

    Thank you in advance for your assistance!!!!!

    Here is my config...
    FYI, I've replaced passwords with zzzzz & our outside Interface with
    x.x.x.x

    Result of firewall command: "sh run"

    : Saved
    :
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password zzzzz encrypted
    passwd zzzzz encrypted
    hostname pixfirewall
    domain-name ciscopix.com
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 128.1.0.3 blah
    access-list inside_outbound_nat0_acl permit ip any 172.23.14.128 255.255.255.192
    access-list inside_outbound_nat0_acl permit ip any 172.23.14.160 255.255.255.224
    access-list outside_access_in permit tcp any interface outside eq 3389
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside x.x.x.x 255.255.255.252
    ip address inside 172.23.14.2 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnpool 172.23.14.151-172.23.14.160
    pdm location 172.23.14.0 255.255.255.0 inside
    pdm location 65.165.202.144 255.255.255.248 outside
    pdm location 204.118.126.3 255.255.255.255 outside
    pdm location 204.181.35.98 255.255.255.255 outside
    pdm location 204.249.224.128 255.255.255.192 outside
    pdm location 24.106.195.64 255.255.255.192 outside
    pdm location 24.106.200.64 255.255.255.248 outside
    pdm location 192.168.1.0 255.255.255.0 inside
    pdm location 172.23.14.5 255.255.255.255 inside
    pdm location 172.23.14.160 255.255.255.224 outside
    pdm location 172.23.14.128 255.255.255.192 outside
    pdm location blah 255.255.255.255 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface 3389 172.23.14.5 3389 netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 24.38.95.117 1
    route outside Meditech 255.255.255.255 172.23.14.1 2
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 204.181.35.98 255.255.255.255 outside
    http 24.106.195.64 255.255.255.192 outside
    http 24.106.200.64 255.255.255.248 outside
    http 192.168.1.0 255.255.255.0 inside
    http 172.23.14.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    isakmp enable outside
    isakmp enable inside
    telnet 172.23.14.0 255.255.255.0 inside
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn group PPTP-VPDN-GROUP accept dialin pptp
    vpdn group PPTP-VPDN-GROUP ppp authentication mschap
    vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required
    vpdn group PPTP-VPDN-GROUP client configuration address local vpnpool
    vpdn group PPTP-VPDN-GROUP pptp echo 60
    vpdn group PPTP-VPDN-GROUP client authentication local
    vpdn username administrator password *********
    vpdn username helpdesk password *********
    vpdn username mblackburn password *********
    vpdn username bseiss password *********
    vpdn username rviola password *********
    vpdn username moc2 password *********
    vpdn enable outside
    vpdn enable inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80
    Cryptochecksum:zzzzz
    : end
     
    Casper, Aug 17, 2007

  2. PIX firewall does not allow "Policy Based Routing" (routing based on the
    source IP address). You can specify as many static routes as you want,
    however PIX makes a routing decision based on DESTINATION only. Also, only
    one Default Gateway may be configured in PIX.

    Good luck,

    Mike
    CCNP, CCDP, CCSP, Cisco Voice, MCSE W2K, MCSE+I, Security+, etc.
    CCIE R&S (in progress), CCIE Voice (in progress)
    ------
    Headset Adapters for Cisco IP Phones
    www.ciscoheadsetadapter.com
    www.headsetadapter.com

    headsetadapter.com, Aug 17, 2007
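As an added illustration (written for this page, not posted by either participant), a small Python model of the destination-only lookup Mike describes, run over the two `route` lines and the three destinations from the original post: each destination is matched by longest prefix, and each route's next hop is then checked against the subnet of the interface the route names. The outside address is a constructed placeholder (the post masks it as x.x.x.x), and the /32 route is written with 128.1.0.3 in place of the name used in the posted config.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Address, int]

# Interface addresses from the posted "sh run". 24.38.95.118 is a constructed
# placeholder for the masked outside address, chosen so that the posted default
# gateway 24.38.95.117 is on the same /30.
INTERFACES: Dict[str, ipaddress.IPv4Interface] = {
    "outside": ipaddress.ip_interface("24.38.95.118/255.255.255.252"),
    "inside": ipaddress.ip_interface("172.23.14.2/255.255.255.0"),
}

# The two route statements from the posted config. The /32 destination is
# assumed to be 128.1.0.3, the first host the poster wants sent over the T-1.
ROUTE_LINES = [
    "route outside 0.0.0.0 0.0.0.0 24.38.95.117 1",
    "route outside 128.1.0.3 255.255.255.255 172.23.14.1 2",
]

# The three destinations listed in the original post.
DESTINATIONS = ["128.1.0.3", "172.16.0.154", "192.168.192.37"]


def parse_route(line: str) -> Route:
    """Split 'route <if> <dst> <mask> <gw> <metric>' into typed fields."""
    _, iface, dst, mask, gw, metric = line.split()
    return iface, ipaddress.ip_network(f"{dst}/{mask}"), ipaddress.ip_address(gw), int(metric)


def lookup(dst: str, routes: List[Route]) -> Optional[Tuple[str, str]]:
    """Destination-only lookup: longest prefix wins, lower metric breaks ties.

    The source address is deliberately not a parameter; nothing about who sent
    the packet can influence the choice, which is the limitation the reply describes.
    """
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[1]]
    if not matches:
        return None
    iface, _, gw, _ = max(matches, key=lambda r: (r[1].prefixlen, -r[3]))
    return iface, str(gw)


def gateway_problems(routes: List[Route], ifaces: Dict[str, ipaddress.IPv4Interface]):
    """Flag routes whose next hop is not on the subnet of the interface they name,
    and report which interface (if any) the next hop actually lives on."""
    problems = []
    for iface, net, gw, _ in routes:
        if gw not in ifaces[iface].network:
            on_link = [name for name, i in ifaces.items() if gw in i.network]
            problems.append((str(net), str(gw), iface, on_link))
    return problems
```

Run against the posted lines, only 128.1.0.3 leaves the default path, while the gateway check shows that 172.23.14.1 sits on the inside /24 rather than the outside /30 named in its route.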
