Routes in PIX - Prioritization....Please HELP


PIXFirewall
Mar 13, 2003
I am using Cisco PIX version 6.2(2). I have configured six DMZs on the PIX. Out of these, 2 DMZs are configured to the Internet - one through DSL and another through a leased circuit.

I want to allow (say) 5 users to use the Internet through the DSL and another 5 users to use the Net through the leased line, all of them simultaneously.

route outside 0.0.0.0 0.0.0.0 62.4.1.1
route dmz 0.0.0.0 0.0.0.0 61.3.5.7

My problem is that out of the above routes, whichever I give a metric of 1, all the above 10 users go through that route.

I had tried to give NAT to the two sets of users through different interfaces as follows:

global (outside) 1 62.4.1.2
global (dmz) 2 interface

But both try to use the first route (if that has metric 1) to go to the net, as I am not able to control the route based on origination. The current route command bases the route on destination.

What is a solution or workaround?
Also, in case either the DSL or the leased circuit goes down, I want all ten users to go through the interface which is up.

Please HELP.
 
The problem you have is that the PIX can only have one default route; that's just down to the way normal routing works.

You need PIX 6.3 which is due out this month. This has support for policy routing, which can make a path selection decision based on the source IP address.

I have exactly the same requirement and am waiting for this release.

I'm not sure if your second requirement would be supported; the new PIX OS includes OSPF routing support, so possibly you may be able to make an alternate routing decision that way?
 
Ahh, I ran into a problem just like this. My solution was I had a PIX that needed to say: if I need to go to subnet 10.x.x.x, go out e1, else go out e0, and e2 was our LAN. The way I got this to work was to create a site-to-site VPN on the side with the least traffic going through it. If the VPN deems traffic interesting (needing to go out route A) it will send it through the VPN, otherwise it will automatically go out the default route. This is tough because your performance will take a hit due to the encryption, but for 5 users it shouldn't be an issue.
Let me know if this helps.
jdl
 
Why couldn't you set up a policy route-map for your internet router? Set the default route on the PIX to the internet router, and let it decide based on source address and destination where to go to. It wouldn't be optimal, but it should work. :)
 
jdl,

Is it possible to give a sample config for the workaround that you suggested?

thanks.

 
Replace the xxx.xxx.xxx.1 with one IP or subnet, and xxx.xxx.xxx.2 with the other IP or subnet.

This configuration takes one source IP or subnet and routes it down one interface, while sending the rest down the other.

Try this on your Cisco Router...

config t
interface fastethernet0/0
description Interface facing the PIX
ip policy route-map test
exit
route-map test permit 10
match ip address 1
set ip next-hop xxx.xxx.xxx.1
!xxx.xxx.xxx.1 is ISPA's router interface that is pointing to you
exit
route-map test permit 20
!Sequence 20 has no match clause, so it catches everything not matched by sequence 10
set ip next-hop xxx.xxx.xxx.2
!xxx.xxx.xxx.2 is ISPB's router interface that is pointing to you
exit
access-list 1 permit 1.xxx.xxx.xxx 0.0.0.0
access-list 2 permit 2.xxx.xxx.xxx 0.0.0.0
!The 0.0.0.0 specifies those IPs as single hosts, and not subnets.
 
Also... You will probably want to speed up the processing of this policy map to use fast-switching to save on some CPU. To do that, enter this command on fa0/0 (Inside Ethernet) for your router.

ip route-cache policy

-Bad Dos
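
As an added example (not from the thread or from any poster), here is a small Python model of how the route-map above selects a next hop: standard-ACL wildcard-mask matching (0.0.0.0 for a host, 0.0.0.255 for a /24), ordered sequences where a sequence without a match clause catches everything, and the difference between a plain "set ip next-hop" (which keeps forwarding to a dead hop) and "set ip next-hop verify-availability" (which the model assumes, per IOS behaviour, falls back to the ordinary routing table when the hop is unreachable). The latter bears on the original poster's failover requirement, which the posted config alone does not address. All addresses (203.0.113.1 for ISP A, 198.51.100.1 for ISP B, 10.1.x.x sources) and the helper names are constructed placeholders, not IOS commands.

```python
"""Toy model of IOS-style source-based policy routing (added example)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set, Tuple

# ACL entry: (action, address, wildcard) as in 'access-list N permit A W'.
AclEntry = Tuple[str, str, str]


def acl_permits(entries: List[AclEntry], src: str) -> bool:
    """Evaluate a standard ACL top-down against a source address.

    IOS wildcard masks are inverse masks: a 0 bit must match, a 1 bit is
    'don't care', so 0.0.0.0 selects one host and 0.0.0.255 a whole /24.
    An ACL with no matching entry denies (the implicit deny at the end).
    """
    s = int(IPv4Address(src))
    for action, addr, wild in entries:
        a, w = int(IPv4Address(addr)), int(IPv4Address(wild))
        if (s | w) == (a | w):          # all 'must match' bits agree
            return action == "permit"
    return False


@dataclass
class Seq:
    """One 'route-map NAME permit N' sequence."""
    acl: Optional[str]        # 'match ip address ACL'; None = no match clause
    next_hops: List[str]      # 'set ip next-hop' values, tried in order
    verify: bool = False      # 'set ip next-hop verify-availability'


@dataclass
class Router:
    route_map: List[Seq]
    acls: Dict[str, List[AclEntry]]
    default_gw: str           # what the ordinary routing table would pick
    down: Set[str] = field(default_factory=set)   # unreachable next hops

    def pick_next_hop(self, src: str) -> str:
        """Return the next hop a packet from `src` is forwarded to."""
        for seq in self.route_map:
            if seq.acl is not None and not acl_permits(self.acls[seq.acl], src):
                continue                     # no match: try the next sequence
            for hop in seq.next_hops:
                if seq.verify and hop in self.down:
                    continue                 # verified hop is down: skip it
                return hop                   # unverified hop is used even if down
            break   # matched, but no usable hop: fall back to normal routing
        return self.default_gw


def build_example_router(verify: bool = False,
                         down: Optional[Set[str]] = None) -> Router:
    """Constructed equivalent of the posted route-map with sample addresses."""
    acls = {
        # access-list 1 permit <host> 0.0.0.0 / permit <subnet> 0.0.0.255
        "1": [("permit", "10.1.1.10", "0.0.0.0"),
              ("permit", "10.1.2.0", "0.0.0.255")],
    }
    route_map = [
        Seq(acl="1", next_hops=["203.0.113.1"], verify=verify),  # ISP A (placeholder)
        Seq(acl=None, next_hops=["198.51.100.1"]),               # everything else: ISP B
    ]
    return Router(route_map, acls, default_gw="198.51.100.1", down=set(down or ()))


if __name__ == "__main__":
    scenarios = [
        ("all links up", build_example_router()),
        ("ISP A down, plain set ip next-hop", build_example_router(down={"203.0.113.1"})),
        ("ISP A down, verify-availability", build_example_router(True, {"203.0.113.1"})),
    ]
    for label, r in scenarios:
        print(label)
        for src in ("10.1.1.10", "10.1.2.77", "10.1.3.5"):
            hop = r.pick_next_hop(src)
            print(f"  {src:>10} -> {hop} ({'DOWN' if hop in r.down else 'ok'})")
```

Running it shows the host and the /24 from ACL 1 going to ISP A and everything else to ISP B; with ISP A's hop down, the plain route-map keeps sending the ACL-1 users into the dead hop, while the verify-availability variant lets them fall through to the routing-table default via ISP B.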
 
pixfirewall,
For me the config did not work because I had too much traffic passing through; however, that was 40 users. For your situation it should work fine; you just have to stay on top of the tunnel. Sometimes they lose connection for whatever reason.
Here is the relevant part of the router config on the VPN int of the PIX. Basically the PIX side of the config creates a site-to-site tunnel to this box.

!
!
crypto isakmp policy 11
hash md5
authentication pre-share
crypto isakmp key ******* address 10.0.30.1
!
!
crypto ipsec transform-set wan_vpn2 esp-des esp-md5-hmac
!
!
crypto map vpn_1 11 ipsec-isakmp
set peer 10.0.30.1
set transform-set wan_vpn2
match address 120
!
!
!
interface Ethernet0
description connected to EthernetLAN
ip address 10.0.30.2 255.255.255.0
no ip directed-broadcast
ip nat outside
no ip route-cache
no ip mroute-cache
ipx network A1F9EDDA
crypto map vpn_1
!
interface Serial0
description - Connected to Downingtown
ip address 192.168.1.2 255.255.255.252
ip directed-broadcast
encapsulation ppp
no ip route-cache
no ip mroute-cache
ipx network DDD
!
interface Serial1
description - Connected to Broad Street
ip address 192.168.1.5 255.255.255.252
ip directed-broadcast
encapsulation ppp
no ip route-cache
no ip mroute-cache
ipx network BBB
!
router eigrp 100
network 128.1.0.0
network 192.168.1.0
no auto-summary
!
ip nat pool vpn-1 10.0.30.2 10.0.30.2 netmask 255.255.255.0
ip nat inside source route-map nonat pool vpn-1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.30.1
ip route 10.1.1.0 255.255.255.0 192.168.1.1
ip route 128.1.1.0 255.255.255.0 10.0.30.1
ip route 192.168.3.0 255.255.255.0 192.168.1.6
no ip http server
!
access-list 120 permit ip 192.168.3.0 0.0.0.255 128.1.1.0 0.0.0.255
access-list 120 permit ip 10.1.1.0 0.0.0.255 128.1.1.0 0.0.0.255
access-list 130 deny ip 192.168.3.0 0.0.0.255 128.1.1.0 0.0.0.255
access-list 130 permit ip 192.168.3.0 0.0.0.255 any
route-map nonat permit 10
match ip address 130
!
!
!
!
ipx router eigrp 100
network A1F9EDDA
network BBB
network DDD


Any other Q's, let me know.
jdl
 
Hi.

> I want to allow (say) 5 users to use the Internet through the DSL and another 5 users to use the Net through Leased Line,

I have implemented a very similar (almost identical) solution, using the same idea that baddos suggested - policy routing on the perimeter router.

The client has purchased a Cisco 827 with 1 Eth, 1 Serial (leased line), and 1 ADSL interface.
The Ethernet interface is connected to the PIX outside, and the other interfaces to the modems/line and ISP.

We have asked the ISP to do the router configuration, and I have configured the PIX with one default gateway.
All internal clients are using nat+global to get an IP address from the subnet used by the ADSL connection, and the mail server has a "static" at the PIX with an IP address that belongs to the leased line IP subnet.
The router is configured (by the ISP) with policy routing so that both incoming and outgoing traffic is routed the way we wanted it to be.

Bye
Yizhar Hurwitz
 