
3600 - Routing question


toetag

MIS
Sep 27, 2002
current setup:
network - 3600 - pix1

Hopeful setup:
network - 3600 - pix1
- pix2

Where pix2 is going to be a dedicated circuit for one server. Is there a way in the 3600 to say "If traffic seen from Server1 to an outside address, route through pix2"?

If that isn't clear enough, let me know. It's the easiest way I can picture it in my head at the moment.

Thank you for any advice in advance.



"The only desert to an Irishman is an empty glass".
 
Yes this is quite straightforward.

All you need to do is define a default static route and point it at PIX 1 (which you are probably already doing).

Then you define some Policy Based Routing (PBR) such that anything from the server's source IP address to the appropriate outside address(es) is routed instead to PIX 2.

The following link explains how to configure PBR


I'd anticipate your config would look something like the following:

interface ethernet 0/0
ip policy route-map servertopix2

access-list 100 permit ip host a.a.a.a b.b.b.b
access-list 100 permit ip host a.a.a.a c.c.c.c

route-map Texas permit 10
match ip address 100
set ip next-hop d.d.d.d



where a.a.a.a is the server IP address you want to route via PIX2, b.b.b.b and c.c.c.c are 2 remote destinations reachable via PIX2 (add more lines to ACL 100 for each remote destination required) and d.d.d.d is the LAN address of PIX2.

Hope this helps
 
Sorry that example config should be:

interface ethernet 0/0
 ! apply the policy on the interface where the server's traffic arrives
 ip policy route-map servertopix2

! a.a.a.a = server, b.b.b.b / c.c.c.c = remote destinations reached via PIX2
access-list 100 permit ip host a.a.a.a b.b.b.b
access-list 100 permit ip host a.a.a.a c.c.c.c

route-map servertopix2 permit 10
 match ip address 100
 ! d.d.d.d = LAN address of PIX2
 set ip next-hop d.d.d.d



 
Thank you KiscoKid (and NetworkGhost). That is definitely what I needed to know. However, I'm having a problem with the access-list. When I set the access list and try to get it set for just one server, I wind up seeing all traffic go out Pix2, even packets meant for internal servers.

Please excuse our IP scheme, I know it's wrong, but I adopted this network in this condition. I've already devised and had approved an IP scheme change for February (after our year end closings are finalized).

I'm using the following configuration:

interface FastEthernet 3/0
ip policy route-map ServerToPix2

access-list 100 permit ip host 130.0.5.4 0.0.0.0

route-map ServerToPix2 permit 10
match ip address 100
set ip next-hop 130.0.4.9

No matter how I change the access-list, I can't get it to just route 130.0.5.4 internet communications.

access-list 100 permit ip 130.0.5.4 0.0.0.0 0.0.0.0 0.0.0.0
access-list 100 permit ip 130.0.5.4 255.255.252.0 0.0.0.0 0.0.0.0

and a whole variety of possibilities. (255.255.252.0 is our internal subnet)

The good news is that I actually understand the reasons for the rest of the snippets that you provided.

Any additional learning you can provide me would be, as always, greatly appreciated.





"The only desert to an Irishman is an empty glass".
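The ACL and PBR behaviour discussed in this thread, modelled as an added Python example (not code from the thread or from Cisco): it applies IOS wildcard-mask matching top-down to the posted addresses and shows which packets a permit hands to the route-map next hop and which fall through to normal routing. The leading deny entry for the internal 130.0.4.0/22 block is an assumption about how internal destinations could be excluded, not something the thread states.

```python
# Toy model of an IOS extended ACL driving policy-based routing (PBR). Added
# example, not code from the thread or from Cisco; addresses are the posted
# ones (server 130.0.5.4, PIX2 inside 130.0.4.9, internal mask 255.255.252.0).
from ipaddress import IPv4Address

def subnet_to_wildcard(mask: str) -> str:
    """IOS ACLs take an inverse (wildcard) mask, not a subnet mask."""
    return str(IPv4Address(0xFFFFFFFF ^ int(IPv4Address(mask))))

def wild_match(addr: str, base: str, wild: str) -> bool:
    """A 1 bit in the wildcard means 'don't care'; 0 bits must match."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wild))
    return (a & ~w) == (b & ~w)

def parse_entry(line: str) -> tuple:
    """Parse 'access-list N permit|deny ip SRC WILD DST WILD', accepting the
    IOS forms 'host X' (= X 0.0.0.0) and 'any' (= 0.0.0.0 255.255.255.255)."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported ACL line: {line}")
    fields, rest = [], tok[4:]
    while rest:
        if rest[0] == "host":
            fields += [rest[1], "0.0.0.0"]; rest = rest[2:]
        elif rest[0] == "any":
            fields += ["0.0.0.0", "255.255.255.255"]; rest = rest[1:]
        else:
            fields += rest[:2]; rest = rest[2:]
    if len(fields) != 4:
        raise ValueError(f"address pair not fully specified: {line}")
    return (tok[2], *fields)

def pbr_next_hop(acl, src: str, dst: str, policy_hop: str):
    """First matching entry decides: permit -> route-map next hop, deny or no
    match -> normal routing table (returned here as None)."""
    for action, s, sw, d, dw in acl:
        if wild_match(src, s, sw) and wild_match(dst, d, dw):
            return policy_hop if action == "permit" else None
    return None

SERVER, PIX2, INTERNAL = "130.0.5.4", "130.0.4.9", "130.0.4.0"
WILD = subnet_to_wildcard("255.255.252.0")  # 0.0.3.255 covers 130.0.4.0/22
# 'host SERVER any' also matches the server's traffic to internal hosts; a
# leading deny for the internal block (an assumption) limits it to outside ones.
ACL_ANY = [parse_entry(f"access-list 100 permit ip host {SERVER} any")]
ACL_OUTSIDE_ONLY = [
    parse_entry(f"access-list 100 deny ip host {SERVER} {INTERNAL} {WILD}"),
    parse_entry(f"access-list 100 permit ip host {SERVER} any"),
]
```

Note that a subnet mask used in place of the wildcard (as in the 255.255.252.0 attempt above) keeps the low bits and ignores the high ones, so it does not match the hosts in the subnet.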
 
I assume you mean a "show running". I can't at the moment as I'm going to have to do this after hours now. With the 10 minutes of traffic issues, I had quite a few users readying the lynch mob for me. So I removed all new entries and returned the router to the state it was in prior to my attempts at PBR.

When I ran it yesterday, the output was similar to what I have above. The only change was in the access-list host / destination portions.

"The only desert to an Irishman is an empty glass".
 
Also make sure your policy is applied to the arriving interface.
 