ip migration assistance needed

Unanswered Question
Aug 28th, 2007

Hi there - We are getting ready to migrate from one ISP to another and I am running into some issues getting it to work. Essentially, our network is currently laid out like this:

ISP->2620RTR->PIXFW1->DMZ,SERV,CORE switches

We had some extra gear which I set up for the new ISP, and that is laid out like this:

ISP2->2620RTR2->PIXFW2->DMZ,SERV,CORE switches (these are the same switches)

The only differences are the IP addresses of the PIX firewalls, which are in the same subnets. I set up a test server on the new ISP and pointed it to PIX2 as its default gateway. It is able to get out to the internet and it can be accessed via its public IP, so that is working just fine. However, internal traffic is not working. I believe it is because the traffic flows like this:

workstation->CORESW->PIX1(inside)->PIX1(dmz)->DMZSW->server

The return traffic goes like this:

server->DMZSW->PIX2(dmz)->then drops, because the PIX never saw the original SYN packet and drops the SYN-ACK.

I could also be completely wrong with my theories, so if I am please let me know. If anybody has any suggestions to help me out I would be very appreciative. Also, on the migration note, does anybody have any good links to documentation regarding source-based routing? I believe that I need to set up something like that on our routers so that we do not get asynchronous routing when we begin to migrate our DNS over. I can already see that we will run into similar routing issues once we get moving on that, so any ideas regarding that would be appreciated as well.


I assume PIX does NAT. Let's say ISP1 assigned for you and ISP2 assigned

I'd go for something like this:

Keep the original configuration. Get a switch (a VLAN on a switch) between the router and the PIX. Add the second router to the same switch (VLAN). Set up policy routing on the original router to send traffic from to the second router, which will send it to ISP2.

PIX will NAT as you like and will keep sending all traffic (both and to the original router, so you don't need to modify its routing table.

Original router will send traffic to ISP1 interface and traffic to the second router.

When you finish migrating, just switch the inside IP addresses on the routers so the PIX will send all traffic to the second one. Policy routing will not be in place since the first router does not receive anything, so you can turn it off.

Good luck,


mpozorski Tue, 08/28/2007 - 10:03

You are correct in that the PIX does NAT. I actually do have a switch between the routers and the PIXes. It is just flat now, as I was going to convert the PIXes into an HA configuration once we are all migrated over. I will try putting a VLAN onto that switch and connecting the routers and both PIXes to it. I am going to look around and see if I can find any good documents on how to configure the policy routing. Thanks for the advice.

You don't need VLANs on that switch. "Flat" is just fine :-). You do need an address space between the routers and the PIX large enough to accommodate 3 hosts (4 if you use 2 FWs).

Let's assume this:

router1 inside address
router2 inside address
PIX outside address

On PIX you set up NAT as you like and set the default route to

On Router2 you set a default route to ISP2 and a route to pointing to PIX outside

On Router1 the configuration should look like this:

ip route ISP1
ip route
ip route
access-list 126 permit any
route-map ISP2 permit 1
 match ip address 126
 set ip next-hop
interface fa0
 ip address
 ip policy route-map ISP2

This may be not the best thing but it will work. I think it's ok for migrating only.
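The answer above describes the migration design but its addresses did not survive on this page. The following is an added, worked version of that design (it is not configuration from the thread or from the poster's network): one PIX kept in the path, router1 still the PIX's default gateway, and policy-based routing on router1 steering only ISP2-sourced traffic to router2. Every address is a hypothetical RFC 5737 documentation range, the interface names (FastEthernet0/0 on a 2620), the DMZ host 10.1.2.10, the ACL/route-map names and the PIX 6.x-style NAT lines are assumptions chosen for the example, and nothing here should be pasted without adjusting it to the real address plan.

```cisco
! Added example, not from the thread. Hypothetical address plan (RFC 5737 ranges):
!   ISP1 transit link   192.0.2.0/30      router1 = .2, ISP1 gateway = .1
!   ISP1 public block   192.0.2.128/25    (existing NAT addresses on the PIX)
!   ISP2 transit link   198.51.100.0/30   router2 = .2, ISP2 gateway = .1
!   ISP2 public block   198.51.100.128/25 (new NAT addresses to migrate onto)
!   router/PIX segment  203.0.113.0/29    router1 = .1, router2 = .2, PIX outside = .3
!   DMZ test server     10.1.2.10         (private, behind the PIX dmz interface)
!
! ===== Router1 (first 2620, still the PIX's default gateway) =====
interface FastEthernet0/0
 description Shared segment with router2 and the PIX outside interface
 ip address 203.0.113.1 255.255.255.248
 ! PBR acts on packets ARRIVING on this interface, i.e. whatever the PIX sends us
 ip policy route-map ISP2
 ! If this IOS is not running CEF, 'ip route-cache policy' keeps PBR off the process path
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
! Both public blocks live behind the single PIX. Router2 already routes ISP2's block
! to the PIX itself; the third route mirrors the skeleton in the answer and is harmless.
ip route 192.0.2.128 255.255.255.128 203.0.113.3
ip route 198.51.100.128 255.255.255.128 203.0.113.3
!
! Match only packets whose (post-NAT) SOURCE is in ISP2's block. Do not use 'permit any':
! that would push ISP1-sourced packets out via ISP2, where ingress filtering should
! drop them as spoofed, and would break every still-unmigrated service.
access-list 126 permit ip 198.51.100.128 0.0.0.127 any
!
route-map ISP2 permit 10
 match ip address 126
 set ip next-hop 203.0.113.2
! Packets that do not match fall through to normal routing: default via ISP1.
!
! ===== Router2 (second 2620, uplink to ISP2) =====
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
! Inbound traffic for ISP2's block goes straight to the one PIX, so the same stateful
! firewall sees both directions of every session (no second PIX, no dropped SYN-ACK).
ip route 198.51.100.128 255.255.255.128 203.0.113.3
!
! ===== PIX (single firewall during the migration; PIX 6.x syntax assumed) =====
ip address outside 203.0.113.3 255.255.255.248
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! The existing ISP1 translations stay as they are until cutover; one DMZ host is
! migrated by giving it a static translation to an ISP2 address.
static (dmz,outside) 198.51.100.130 10.1.2.10 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 198.51.100.130 eq 443
access-group outside_in in interface outside
!
! ===== Checks on Router1 =====
! show route-map ISP2   -> 'Policy routing matches: N packets' must grow while the
!                          migrated server is in use; a flat zero means the ACL or the
!                          interface the policy is applied on is wrong
! show ip policy        -> confirms FastEthernet0/0 is bound to route-map ISP2
! debug ip policy       -> per-packet match/reject output; short windows only, it is
!                          expensive on a 2620
!
! ===== Cutover, as described in the answer above =====
! Remove 203.0.113.1 from router1 and configure it on router2's FastEthernet0/0, so the
! PIX's unchanged default route now leads to ISP2. Then drop 'ip policy route-map ISP2'
! from router1; it no longer receives any traffic.
```

The security-relevant part is the source match in access-list 126: the PIX has already translated the packets, so the only thing that distinguishes "ISP2 traffic" from "ISP1 traffic" on this segment is the public source address, and matching on it keeps each ISP seeing only packets from the prefix it assigned. Return traffic from ISP2 sessions takes the path router2 -> PIX -> router1 -> router2 -> ISP2; that is asymmetric at the routers, which are stateless and do not care, but symmetric at the PIX, which is the only stateful device and therefore the only one that mattered in the original problem.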

mpozorski Tue, 08/28/2007 - 14:09

Thanks for the pointers. I think I have a pretty good understanding of what I need to do once I get a window scheduled to modify the routers. I will give it a shot and see if it works. Thank you again.
