Multi-Internet Connection Configuration

Status
Not open for further replies.

toetag

MIS
Sep 27, 2002
166
0
0
US
We have recently added a new interface to our PIX. We will be running a new internet circuit out of the same PIX. I am trying to figure a way to say "All server IPs need to go out the old interface and all users need to go out the new interface".

Currently in our route statements, we have a "catch all" rule that's pushing everyone out the old circuit. How would I go about setting up the "rule" for the connection-based routing?

Any additional information that I might need to provide?

Thank you in advance for any suggestions.

"The only desert to an Irishman is an empty glass".
 
Are the servers on a different subnet?
If so, just make a route statement for that subnet with the next hop being the gateway for the specific ISP's connection.
If they are not on a different subnet, can you make a subset of the subnet that will encompass all the servers (splitting a /24 into a /25 or /26) and use that smaller range for your route statement?


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Supergrrover,

Thank you for responding. I was just re-reading the "route" command in the manual. I was misunderstanding the "ip address" and "netmask" areas. I was thinking this was the far end, not the near end addresses to route.

To answer your question, they are all in one subnet. However, we have a range for servers and a range for everyone else. So if I can get the masks correct, I could probably have this done today.

I'm just not an expert at masking :)

"The only desert to an Irishman is an empty glass".
 
Post your subnets and the range for your server. See if we can get it sorted out.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
You will laugh :) I adopted this network with the current scheme, but I've already begun to migrate us to a 10 scheme.

130.0.4.0: servers
130.0.5.0 - 130.0.7.0: users

I think this is what I need:

route outside 130.0.4.0 255.255.255.0 <ISP1 address> 1
route outside2 130.0.5.0 255.255.255.0 <ISP2 address> 1
route outside2 130.0.6.0 255.255.255.0 <ISP2 address> 1
route outside2 130.0.7.0 255.255.255.0 <ISP2 address> 1

"The only desert to an Irishman is an empty glass".
 
Yep, that should work.
Those are considered separate networks as long as those are the correct masks (255.255.255.0 is a /24).



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
The Pix route statement configures routing based on destination addresses, so your configuration would send traffic destined *to* 130.0.4.0/24 to ISP1. From your question, it sounds like you want to route all traffic *from* 130.0.4.0/24 to ISP1, and so forth.

The only way I know to do this is with policy-based routing, which the Pix 6.x series doesn't support. I haven't seen version 7 so I can't comment on that.
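The destination-versus-source distinction raised above, as an added example that is not part of the original thread and is not PIX code: a small Python model of the proposed route table next to the source-based selection the original poster asked for. The gateway labels, the 198.51.100.7 test destination, the assumption that the user range ends at 130.0.7.255, and all function names are constructed for illustration.

```python
import ipaddress

# Constructed model of the routes proposed in the thread. "ISP1"/"ISP2" stand in
# for the <ISP1 address>/<ISP2 address> placeholders; the 0.0.0.0/0 entry is the
# existing "catch all" route the first post mentions.
PROPOSED_ROUTES = [
    ("outside",  "130.0.4.0/24", "ISP1"),
    ("outside2", "130.0.5.0/24", "ISP2"),
    ("outside2", "130.0.6.0/24", "ISP2"),
    ("outside2", "130.0.7.0/24", "ISP2"),
    ("outside",  "0.0.0.0/0",    "ISP1"),
]

def destination_lookup(routes, src, dst):
    """Longest-prefix match on the destination; src is deliberately unused."""
    dst_ip = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), ifname, gw) for ifname, p, gw in routes
               if dst_ip in ipaddress.ip_network(p)]
    if not matches:
        return None
    _, ifname, gw = max(matches, key=lambda m: m[0].prefixlen)
    return ifname, gw

def user_prefixes(first="130.0.5.0", last="130.0.7.255"):
    """Smallest set of prefixes covering the user range (assumed to end at .7.255)."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def source_policy_lookup(src):
    """What the poster asked for: choose the circuit from the source address."""
    src_ip = ipaddress.ip_address(src)
    if src_ip in ipaddress.ip_network("130.0.4.0/24"):       # servers
        return "outside", "ISP1"
    if any(src_ip in net for net in user_prefixes()):         # users
        return "outside2", "ISP2"
    return None

if __name__ == "__main__":
    internet_host = "198.51.100.7"   # constructed destination (documentation range)
    for src in ("130.0.4.10", "130.0.5.20", "130.0.7.99"):
        print(src, "->", internet_host,
              "| destination routing:", destination_lookup(PROPOSED_ROUTES, src, internet_host),
              "| source policy:", source_policy_lookup(src))
    print("user range as prefixes:", [str(n) for n in user_prefixes()])
```

With the proposed routes, every internal source still leaves via the catch-all on the old circuit, and the only packets the new entries affect are those addressed to the internal ranges, which they would send out toward the ISP gateways.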
 
I just re-read this. lgarner is right. (Sorry, bad week to quit coffee.)

If you have your servers on a separate interface (or subinterface and VLANs) then you can do it as before. Just add the route statements for that interface for 0.0.0.0 to go to Outside#2 and have the routes for each of the user and server networks point to each other's interface.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 