PIX 525, I think I need Policy-based routing??

Discussion in 'Cisco' started by Arthur Brain, Apr 24, 2007.

  1. Arthur Brain

    the picture:
    PIX has one External interface to the ISP

    PIX has one Inside interface to the network

    PIX has 3rd interface direct to the network core


    What I've been asked to do:
    (Don't blame me for the current setup, I would have set the ISP
    connection up as a trunk with VPN on a different VLAN if I had been
    involved in building this).

    VPN users coming in via the ISP need to be routed to the 3rd
    interface, so that their internet-connection attempts can be routed
    via the web-filtering thingie, before coming back to the PIX on the
    Inside interface.
    At this stage, traffic that is Source:VPN_Subnets/Dest:Internet BUT
    coming in on Inside interface, needs to just use the normal default
    route.


    I haven't played with PIXs much, and I would never set this up this
    way in the first place (had I been asked) but apparently they are no
    longer talking to their ISP, or willing to change anything else, so
    I'm stuck crossing my fingers that PBR can do this.

    Can it?

    If so, can you give me some rough (or even detailed!) hints?
     
    Arthur Brain, Apr 24, 2007
    #1

  2. In article <>,
    Arthur Brain <> wrote:
    >PIX has one External interface to the ISP
    >PIX has one Inside interface to the network
    >PIX has 3rd interface direct to the network core


    >What I've been asked to do:


    >VPN users coming in via the ISP need to be routed to the 3rd
    >interface, so that their internet-connection attempts can be routed
    >via the web-filtering thingie, before coming back to the PIX on the
    >Inside interface.
    >At this stage, traffic that is Source:VPN_Subnets/Dest:Internet BUT
    >coming in on Inside interface, needs to just use the normal default
    >route.


    You can't do Policy Based Routing on a PIX, not even in PIX 7.x.

    What you -might- be able to do with PIX 7.x is use "security
    contexts". I haven't looked at those, so I don't know what the
    limitations are. I wouldn't be surprised, though, if any one
    interface could only be part of one security context: if that were
    the case then you'd probably need to use at least one VLAN interface...
    but likely that VLAN would end up being on the outside interface,
    which would Not Be Good for your situation.
     
    Walter Roberson, Apr 24, 2007
    #2

  3. Arthur Brain wrote:

    >VPN users coming in via the ISP need to be routed to the 3rd
    >interface, so that their internet-connection attempts can be routed
    >via the web-filtering thingie, before coming back to the PIX on the
    >Inside interface.


    Why not force them through a proxy, having them come inwards and go back outwards
    on the inside interface?

    Regards

    fw
     
    Frank Winkler, Apr 24, 2007
    #3
  4. Brian V

    "Walter Roberson" <> wrote in message
    news:u7hXh.121744$6m4.107665@pd7urf1no...
    > In article <>,
    > Arthur Brain <> wrote:
    >>PIX has one External interface to the ISP
    >>PIX has one Inside interface to the network
    >>PIX has 3rd interface direct to the network core

    >
    >>What I've been asked to do:

    >
    >>VPN users coming in via the ISP need to be routed to the 3rd
    >>interface, so that their internet-connection attempts can be routed
    >>via the web-filtering thingie, before coming back to the PIX on the
    >>Inside interface.
    >>At this stage, traffic that is Source:VPN_Subnets/Dest:Internet BUT
    >>coming in on Inside interface, needs to just use the normal default
    >>route.

    >
    > You can't do Policy Based Routing on a PIX, not even in PIX 7.x.
    >
    > What you -might- be able to do with PIX 7.x is use "security
    > contexts". I haven't looked at those, so I don't know what the
    > limitations are. I wouldn't be surprised, though, if any one
    > interface could only be part of one security context: if that were
    > the case then you'd probably need to use at least one VLAN interface...
    > but likely that VLAN would end up being on the outside interface,
    > which would Not Be Good for your situation.


    Some of the limitations of multi context are:
    1. No VPN.
    2. No OSPF (or RIP). Statics only.
    3. No Multicast.
    4. No ISP redundancy configuration. This I cannot find documented anywhere
    but spent days with TAC on it, they couldn't get it to work either. There is
    still a case open on this, going on 4 months now....developers are involved
    at this point.

    You can have the same interface on multiple contexts, i.e. a single internal
    interface X.X.X.X used; it's referred to as a shared interface. When using a
    shared interface it relies on the static NATs as the classifier to tell the
    ASA/PIX/FWSM which context to deliver the traffic through. When using a shared
    interface you cannot use NAT 0 lists because of the way the classifier
    works.

    Here's a decent link on multiple contexts on 7.2:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080636f9b.html
     
    Brian V, Apr 24, 2007
    #4
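The classifier behaviour Brian describes (packets on a shared interface are steered to a context by the global address of a static NAT, and a destination no static claims cannot be delivered, which is why NAT 0 exemptions do not work there) is modelled below. This is an added illustration, not part of the thread or of Cisco's code; the context names, interface names and 203.0.113.x/198.51.100.x addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Context:
    """One security context: its own (unshared) interfaces plus the global
    addresses its static NATs expose on the shared interface."""
    name: str
    own_interfaces: set = field(default_factory=set)
    static_globals: set = field(default_factory=set)   # IPv4Address values


def classify(ingress_iface: str, shared_iface: str, dst_ip: str,
             contexts: list) -> Optional[str]:
    """Pick the context that should receive a packet.

    A packet arriving on an unshared interface belongs to the context that
    owns that interface.  A packet arriving on the shared interface is
    classified by destination: the context whose static NAT translates that
    global address wins.  A destination no static claims (a host reachable
    only through a 'nat 0' exemption, say) cannot be classified -> None.
    """
    if ingress_iface != shared_iface:
        for c in contexts:
            if ingress_iface in c.own_interfaces:
                return c.name
        return None
    dst = ipaddress.ip_address(dst_ip)
    owners = [c.name for c in contexts if dst in c.static_globals]
    if len(owners) > 1:   # ambiguous statics: a configuration error
        raise ValueError(f"{dst} is claimed by several contexts: {owners}")
    return owners[0] if owners else None


# Constructed sample: two contexts share 'outside'; 'corp' exposes a mail
# server by static NAT, 'vpnctx' exposes the VPN concentrator's public address.
CONTEXTS = [
    Context("corp", {"inside"}, {ipaddress.ip_address("203.0.113.10")}),
    Context("vpnctx", {"core"}, {ipaddress.ip_address("203.0.113.20")}),
]


def demo() -> dict:
    return {
        "to_mail": classify("outside", "outside", "203.0.113.10", CONTEXTS),
        "to_vpn": classify("outside", "outside", "203.0.113.20", CONTEXTS),
        "to_nat0_host": classify("outside", "outside", "203.0.113.99", CONTEXTS),
        "from_core": classify("core", "outside", "198.51.100.1", CONTEXTS),
    }
```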
  5. Arthur Brain

    Frank Winkler wrote:
    > Arthur Brain wrote:
    >
    > >VPN users coming in via the ISP need to be routed to the 3rd
    > >interface, so that their internet-connection attempts can be routed
    > >via the web-filtering thingie, before coming back to the PIX on the
    > >Inside interface.

    >
    > Why not forcing them through a proxy, having them inwards and back outwards
    > on the inside interface?


    Presumably, when I present them with the solution for doing it on the
    PIX, which looks like it will work by enabling security contexts,
    segregating traffic by destination address (only the VPN-source
    traffic will have external addresses on it AND come through the
    external PIX interface), and using up an extra interface to route that
    traffic inside of their web-filtering thingie, they will decide there
    is an easier way of doing it.
     
    Arthur Brain, Apr 27, 2007
    #5