Routing with a Pix

Answered Question
Jun 14th, 2007

Hi All,


We have a pix firewall on our network which acts as the gateway to the internet. We have however recently deployed an ISDN router on the network which will send specific traffic from an application out over an ISDN line. What I need to be able to do is route any traffic to a specific address 195.130.156.70 to the new router 192.168.0.5 as opposed to it going out via our pix. I would be grateful for any help on how to go about this.


we are using a pix 515


Thanks

Correct Answer by Jon Marshall about 9 years 8 months ago

Ian


I think your diagram basically confirms what I was saying. You have a pix acting as your default gateway for all your clients. So when your Jade client sends traffic which is meant to go over the ISDN line it first goes to the inside interface of the pix. You then have a route on the pix to say to get to the remote network go back out of the pix inside interface and to the 2800.


If I have interpreted this correctly and your pix is running version 6.x then this won't work. If you are running v7.x you can do this - it's called hairpinning.


If you can't do hairpinning you have a couple of options


1) Transfer the pix inside interface IP address to the 2800 and then add a default route on the 2800 to point back to the pix inside interface. This would mean you don't have to update the clients default-gateway but without knowing your full setup it may cause other problems.


2) Add a host specific route on each client that needs to talk down the ISDN line. If it's Windows you can add in a cmd prompt window


route add "remote IP" mask 255.255.255.255 "2800 ethernet interface"


Hope this makes sense.


Jon


pciaccio Thu, 06/14/2007 - 03:38

Use a static route on your router.

ip route 195.130.156.70 255.255.255.255 192.168.0.5


This should forward any traffic destined to your 195 address to the ISDN router and all other traffic to go its normal route (thru PIX)...Good Luck..Please rate...

ianselby1 Thu, 06/14/2007 - 03:44

I think I tried this, but will give it another go. Can I just confirm that you meant configure a static route on the pix.


Thanks

pciaccio Thu, 06/14/2007 - 06:31

You can add it onto the PIX but the better place to set it would be the router...

ianselby1 Thu, 06/14/2007 - 07:00

I understand, however the gateway for all of our PCs is the pix itself, we need to redirect the traffic from the pix to the router. (hope that makes sense)



Jon Marshall Thu, 06/14/2007 - 04:13

Hi


What version is the pix running? If it is version 6.x and the traffic you want to go via the ISDN goes to the inside interface of the pix and then the pix has to forward it back out of the same interface it won't work.


You will need pix version 7.x to be able to do that.


If you don't have another router in your network then you could look to deploy host specific routes (which is messy) or upgrade your pix to v7.x if it isn't already there.


Jon

ianselby1 Thu, 06/14/2007 - 07:06

Hi Jon,


I am not sure what version we are running but will take a look and see if I can find out. I am not entirely certain I follow what you are saying. To try and clarify what it is we are trying to achieve I have attached a diagram. The big curvy arrows indicate the flow of traffic I believe we need to achieve.



anandramapathy Thu, 06/14/2007 - 22:44

If you have an L3 switch on your LAN before the PIX, then you can also put a route map on the L3 switch to match the source IP of Jade & then set the next hop as ISDN router.


HTH- pls rate all useful posts
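The two device-side workarounds discussed in this thread written out as configuration, as an added example that is not from any of the posters: Jon's hairpin route on a PIX running 7.x (the route back out of the inside interface that 6.3 refuses), and anandramapathy's route map on an L3 switch in front of the PIX. The addresses 195.130.156.70 and 192.168.0.5 come from the question; the Jade client address 192.168.0.50, the access-list numbers, the route-map name and the VLAN interface are assumptions.

```text
! ---- Option A: PIX 7.x, traffic enters and leaves the inside interface ----
! Without this line the PIX drops packets it would have to send back out the
! interface they arrived on, which is exactly the 6.3 behaviour Jon describes.
same-security-traffic permit intra-interface
! Host route for the ISDN destination, next hop = ISDN router (192.168.0.5)
route inside 195.130.156.70 255.255.255.255 192.168.0.5 1
! If nat-control is enabled, exempt the hairpinned flow from translation
access-list NO-NAT-ISDN permit ip 192.168.0.0 255.255.255.0 host 195.130.156.70
nat (inside) 0 access-list NO-NAT-ISDN

! ---- Option B: L3 switch between the clients and the PIX (policy routing) ----
! Match only the Jade client (192.168.0.50 is an assumed address) talking to
! the ISDN destination, so nothing else is diverted away from the PIX.
access-list 110 permit ip host 192.168.0.50 host 195.130.156.70
route-map JADE-ISDN permit 10
 match ip address 110
 set ip next-hop 192.168.0.5
! Apply on the SVI the clients use as their gateway (Vlan10 is assumed)
interface Vlan10
 ip policy route-map JADE-ISDN
```

Option A keeps the ISDN-bound flow passing through the PIX, so its ACLs and logging still see it; Option B and the per-client host routes from the thread send that flow around the firewall entirely, which is worth recording as a deliberate exception.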

ianselby1 Mon, 06/18/2007 - 04:56

Jon,


You have certainly hit the nail on the head. As we are currently running pix 6.3 and cannot make use of 'hairpinning' that leaves us with the two options you mentioned. For now we will opt for option 2 with a static route on the client machine. As we are only talking about three users this poses no problem for us.


I guess the only thing left for me to do now is investigate how we can upgrade to pix 7.


Thanks to everyone who has provided help and insight into this matter.
