PIX 501 - 2 WAN Connections, how to route certain IPs to the 2nd WAN

Discussion in 'Cisco' started by Casper, Aug 17, 2007.

  1. Casper

    Casper Guest

    Hello all,
    I have 2 WAN Connections.
    1=Broadband connection with static IP (
    2=T-1 connection with static IP (
    I want all traffic to default to the Broadband connection
    ( but I need a few IPs to route over to the T-1. The IPs I
    need to route to the T-1 are...

    How & where to I enter this information? I only have the GUI interface
    to work with.
    In the PDM I have the following setup and it is not working...
    Under the Configuration - Host/Networks tab I've added an Outside
    Interface named Blah with the following specs.

    Basic Info
    IP =
    Mask =
    Int = outside
    Name = Blah

    Checked Define Static Route
    Gateway IP =
    Metric = 2

    I have the same setup for the other 2 IPs as well(with different
    names). I've applied the command and saved the router config and it
    still doesn't route.
    FYI, I changed the Interface to also be Inside just in case and it did
    not change any of the final results.

    Thank you in advance for your assistance!!!!!

    Here is my config...
    FYI, I've replaced passwords with zzzzz & our outside Interface with

    Result of firewall command: "sh run"

    : Saved
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password zzzzz encrypted
    passwd zzzzz encrypted
    hostname pixfirewall
    domain-name ciscopix.com
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    name blah
    access-list inside_outbound_nat0_acl permit ip any
    access-list inside_outbound_nat0_acl permit ip any
    access-list outside_access_in permit tcp any interface outside eq
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside x.x.x.x
    ip address inside
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnpool
    pdm location inside
    pdm location outside
    pdm location outside
    pdm location outside
    pdm location outside
    pdm location outside
    pdm location outside
    pdm location inside
    pdm location inside
    pdm location outside
    pdm location outside
    pdm location blah outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0 0
    static (inside,outside) tcp interface 3389 3389 netmask 0 0
    access-group outside_access_in in interface outside
    route outside 1
    route outside Meditech 2
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http outside
    http outside
    http outside
    http inside
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    isakmp enable outside
    isakmp enable inside
    telnet inside
    telnet inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn group PPTP-VPDN-GROUP accept dialin pptp
    vpdn group PPTP-VPDN-GROUP ppp authentication mschap
    vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required
    vpdn group PPTP-VPDN-GROUP client configuration address local vpnpool
    vpdn group PPTP-VPDN-GROUP pptp echo 60
    vpdn group PPTP-VPDN-GROUP client authentication local
    vpdn username administrator password *********
    vpdn username helpdesk password *********
    vpdn username mblackburn password *********
    vpdn username bseiss password *********
    vpdn username rviola password *********
    vpdn username moc2 password *********
    vpdn enable outside
    vpdn enable inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80
    : end
    Casper, Aug 17, 2007
    1. Advertisements

  2. PIX firewall does not allow to do "Policy Based Routing" (based on the
    source IP address. You can specify as many static routes as you want,
    however PIX makes a routing decision based on DESTINATION only. Also, there
    is only one Default Gateway may be configured in PIX.

    Good luck,

    CCNP, CCDP, CCSP, Cisco Voice, MCSE W2K, MCSE+I, Security+, etc.
    CCIE R&S (in progress), CCIE Voice (in progress)
    headsetadapter.com, Aug 17, 2007
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.