Walter Roberson...HELP!

Discussion in 'Cisco' started by BitBucket, Oct 21, 2003.

  1. BitBucket

    BitBucket Guest

    I need help. We have a T1 and a DSL circuit coming into our PIX 515e.
    There is NO router in front of the PIX. The connections come in via
    ethernet from both of the ISPs. The ISPs are separate and are not in a
    contiguous IP address space. Inside we have a class A network (10.0.0.0)
    that is subnetted into 5 class B networks (10.1.0.0, 10.2.0.0, 10.3.0.0,
    10.4.0.0, 10.5.0.0). We would like to send outbound traffic from 10.1.0.0
    and 10.2.0.0 out the DSL circuit and the outbound traffic from 10.3.0.0,
    10.4.0.0, and 10.5.0.0 out the T1. Is this possible to do without having a
    head end router? I have had 2 CCIEs tell me it is but have no further
    information from them as to how it is done.

    We can route based on destination IP or network all day. Man would it be
    cool if we could route based on source network. That should be an
    addition to version 6.3(4)!

    Thanks!
    BitBucket, Oct 21, 2003
    #1

  2. BitBucket

    Ivan Ostres Guest

    "BitBucket" <> wrote in message
    news:bn3uj6$154f$...
    > I need help. We have a T1 and a DSL circuit coming into our PIX 515e.
    > There is NO router in front of the PIX. The connections come in via
    > ethernet from both of the ISPs. The ISPs are separate and are not in a
    > contiguous IP address space. Inside we have a class A network (10.0.0.0)
    > that is subnetted into 5 class B networks (10.1.0.0, 10.2.0.0, 10.3.0.0,
    > 10.4.0.0, 10.5.0.0). We would like to send outbound traffic from 10.1.0.0
    > and 10.2.0.0 out the DSL circuit and the outbound traffic from 10.3.0.0,
    > 10.4.0.0, and 10.5.0.0 out the T1. Is this possible to do without having a
    > head end router? I have had 2 CCIEs tell me it is but have no further
    > information from them as to how it is done.
    >
    > We can route based on destination IP or network all day. Man would it be
    > cool if we could route based on source network. That should be an
    > addition to version 6.3(4)!
    >


    I think that it would be "Policy NAT"

    Ivan
    Ivan Ostres, Oct 22, 2003
    #2

  3. BitBucket

    Rik Bain Guest

    On Wed, 22 Oct 2003 21:16:39 +0600, Mike Gallagher wrote:

    > Policy NAT will determine your NAT address based on
    > source/destination/port (whatever you specify in the ACL), but that will
    > not determine how you are routed. For what you want to do, you'll need
    > two NAT pools, but not necessarily policy NAT because you don't need to
    > specify a different NAT address based on the destination, just the
    > source.
    >
    > To route based on destination you need policy routing. In 6.3 the PIX
    > introduced route maps. The documentation ties this with OSPF, but it
    > still may work without it (never tried). Here is a link to the doc.
    >
    > http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#1017196
    >
    > You'll most likely have something like this (in addition to your NAT
    > groups).
    >
    > access-list dsl permit ip 10.1.0.0 255.255.0.0 any
    > access-list dsl permit ip 10.2.0.0 255.255.0.0 any
    > access-list t1 permit ip 10.3.0.0 255.255.0.0 any
    > access-list t1 permit ip 10.4.0.0 255.255.0.0 any
    > access-list t1 permit ip 10.5.0.0 255.255.0.0 any
    >
    > route-map outbound permit 10
    > match ip address dsl
    > set ip next-hop <ip address of dsl router>
    > route-map outbound permit 20
    > match ip address t1
    > set ip next-hop <ip address of T1 router>
    >
    > HTH - Mike



    NAH, route-maps on pix are not for PBR.....one day.
    Rik Bain, Oct 22, 2003
    #3
  4. Policy NAT will determine your NAT address based on
    source/destination/port (whatever you specify in the ACL), but that
    will not determine how you are routed. For what you want to do,
    you'll need two NAT pools, but not necessarily policy NAT because you
    don't need to specify a different NAT address based on the
    destination, just the source.

    To route based on destination you need policy routing. In 6.3 the PIX
    introduced route maps. The documentation ties this with OSPF, but it
    still may work without it (never tried). Here is a link to the doc.

    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#1017196

    You'll most likely have something like this (in addition to your NAT
    groups).

    access-list dsl permit ip 10.1.0.0 255.255.0.0 any
    access-list dsl permit ip 10.2.0.0 255.255.0.0 any
    access-list t1 permit ip 10.3.0.0 255.255.0.0 any
    access-list t1 permit ip 10.4.0.0 255.255.0.0 any
    access-list t1 permit ip 10.5.0.0 255.255.0.0 any

    route-map outbound permit 10
    match ip address dsl
    set ip next-hop <ip address of dsl router>
    route-map outbound permit 20
    match ip address t1
    set ip next-hop <ip address of T1 router>

    HTH - Mike


    "Ivan Ostres" <> wrote in message news:<bn5e7m$tafm6$-berlin.de>...
    > "BitBucket" <> wrote in message
    > news:bn3uj6$154f$...
    > > I need help. We have a T1 and a DSL circuit coming into our PIX 515e.
    > > There is NO router in front of the PIX. The connections come in via
    > > ethernet from both of the ISPs. The ISPs are separate and are not in a
    > > contiguous IP address space. Inside we have a class A network (10.0.0.0)
    > > that is subnetted into 5 class B networks (10.1.0.0, 10.2.0.0, 10.3.0.0,
    > > 10.4.0.0, 10.5.0.0). We would like to send outbound traffic from 10.1.0.0
    > > and 10.2.0.0 out the DSL circuit and the outbound traffic from 10.3.0.0,
    > > 10.4.0.0, and 10.5.0.0 out the T1. Is this possible to do without having a
    > > head end router? I have had 2 CCIEs tell me it is but have no further
    > > information from them as to how it is done.
    > >
    > > We can route based on destination IP or network all day. Man would it be
    > > cool if we could route based on source network. That should be an
    > > addition to version 6.3(4)!
    > >

    >
    > I think that it would be "Policy NAT"
    >
    > Ivan
    Mike Gallagher, Oct 22, 2003
    #4
  5. BitBucket

    Ivan Ostres Guest

    "Mike Gallagher" <> wrote in message
    news:...
    > Policy NAT will determine your NAT address based on
    > source/destination/port (whatever you specify in the ACL), but that
    > will not determine how you are routed. For what you want to do,
    > you'll need two NAT pools, but not necessarily policy NAT because you
    > don't need to specify a different NAT address based on the
    > destination, just the source.
    >
    > To route based on destination you need policy routing. In 6.3 the PIX
    > introduced route maps. The documentation ties this with OSPF, but it
    > still may work without it (never tried). Here is a link to the doc.
    >


    They tie route maps with OSPF because they are there, AFAIK, just for OSPF.
    Policy routing doesn't work.

    Ivan
    Ivan Ostres, Oct 23, 2003
    #5
  6. Yeah, I just confirmed in the lab. route-maps on the PIX are only for
    route redistribution. It was worth a shot though. So basically, I
    don't think there is a way to do what you are looking for without
    another device doing the PBR (or some other mechanism) for you.

    If there is, I'd love to know about it.

    Mike
    Rik Bain <> wrote in message news:<>...
    > On Wed, 22 Oct 2003 21:16:39 +0600, Mike Gallagher wrote:
    >
    > > Policy NAT will determine your NAT address based on
    > > source/destination/port (whatever you specify in the ACL), but that will
    > > not determine how you are routed. For what you want to do, you'll need
    > > two NAT pools, but not necessarily policy NAT because you don't need to
    > > specify a different NAT address based on the destination, just the
    > > source.
    > >
    > > To route based on destination you need policy routing. In 6.3 the PIX
    > > introduced route maps. The documentation ties this with OSPF, but it
    > > still may work without it (never tried). Here is a link to the doc.
    > >
    > > http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#1017196
    > >
    > > You'll most likely have something like this (in addition to your NAT
    > > groups).
    > >
    > > access-list dsl permit ip 10.1.0.0 255.255.0.0 any
    > > access-list dsl permit ip 10.2.0.0 255.255.0.0 any
    > > access-list t1 permit ip 10.3.0.0 255.255.0.0 any
    > > access-list t1 permit ip 10.4.0.0 255.255.0.0 any
    > > access-list t1 permit ip 10.5.0.0 255.255.0.0 any
    > >
    > > route-map outbound permit 10
    > > match ip address dsl
    > > set ip next-hop <ip address of dsl router>
    > > route-map outbound permit 20
    > > match ip address t1
    > > set ip next-hop <ip address of T1 router>
    > >
    > > HTH - Mike

    >
    >
    > NAH, route-maps on pix are not for PBR.....one day.
    Mike Gallagher, Oct 23, 2003
    #6