I need to allow certain VLANs to access the Internet freely but firewalled. We have a PIX 515E as a perimeter firewall with a dedicated Internet link for the corporate access (corporate web browsing, incoming mail, etc.) and we have a second Internet link (a cheap but fast ADSL connection) that we'd like to connect to the PIX to be used by non-corporate users that are supposed to have free Internet access through the specially configured VLANs.
The idea behind this is having everyone under the same LAN infrastructure while at the same time the non-corporate users (visitors, contractors, etc. connected to special VLANs) can access the Internet without affecting our regular link performance. Our perimeter security at a glance is something like what the attached image shows.
At first I thought that if I needed the PIX to manage both Internet links, I'd have to configure some kind of Policy-Based Routing inside the PIX. I've been searching this forum and the Internet and it seems PIX is (surprisingly for me) not able to do that... Since the PIX is our perimeter firewall, it's the one managing the routing to the Internet and also NATing and everything else. For me it's the place to connect the ADSL, but I have to find a way to allow some VLANs in the internal network to access the Internet through the ADSL while the rest of the traffic must go through the regular Internet access.
I found this article (http://www.velocityreviews.com/forums/t36573-pix-policy-routing.html) that says something about route-maps, which are related to OSPF configuration. We have a rather small network so we don't use routing protocols... then I wonder how I could go from a static-routing PIX to an OSPF-running PIX to implement route-maps successfully... any ideas?... is this the right way to go?
Maybe I could just pass the traffic and then do the PBR in the perimeter external router, which should be able to do PBR...
What would you recommend?
Thanks in advance,
While the address assigned to your router via DHCP is subject to change, I would expect the address of the provider next hop to be pretty stable. So you would be fairly safe with your current implementation.
Depending on the version of code you are running you might experiment with a different set command:
set ip next-hop dynamic dhcp
I have not used this alternative of the set command, but it sure looks like it would do what you want it to do and use the next hop learned from DHCP.
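An IOS policy-based-routing configuration of the kind both posts point at (PBR on the external router, using the set command named in the reply), added here as a constructed example rather than configuration from either poster; the interface names, guest subnets and corporate next hop are assumptions:

```cisco
! Constructed example: an IOS router with two uplinks, not configuration from this thread.
! Assumptions: guest VLANs use 10.20.0.0/24 and 10.21.0.0/24, the ADSL uplink is
! FastEthernet0/1 with a DHCP-assigned address, the corporate uplink is Serial0/0
! with next hop 203.0.113.1, and the LAN-facing interface is FastEthernet0/0.
! PBR matches on the source address, so the router must see the original (pre-NAT)
! guest addresses; if the PIX NATs everything to one outside address first, the
! guest and corporate flows are indistinguishable here and the match never fires.
!
! Guest subnets whose traffic should leave via the ADSL link
ip access-list extended GUEST-VLANS
 permit ip 10.20.0.0 0.0.0.255 any
 permit ip 10.21.0.0 0.0.0.255 any
!
! Traffic not matched by the route-map falls through to the normal routing table
route-map GUEST-TO-ADSL permit 10
 match ip address GUEST-VLANS
 ! Next hop taken from the DHCP offer on the ADSL interface (the command from the
 ! reply above; only on IOS releases that support it). If the provider gateway is
 ! static, use "set ip next-hop <adsl-gateway>" instead.
 set ip next-hop dynamic dhcp
!
interface FastEthernet0/1
 description ADSL uplink, address and gateway learned via DHCP
 ip address dhcp
!
interface Serial0/0
 description Corporate Internet uplink
 ip address 203.0.113.2 255.255.255.252
!
interface FastEthernet0/0
 description Inside (towards PIX / LAN)
 ip address 192.168.100.1 255.255.255.0
 ! The policy is applied to traffic entering from the LAN side
 ip policy route-map GUEST-TO-ADSL
!
! Default route for everything else (corporate traffic) via the primary link
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Verification (privileged EXEC):
!   show route-map GUEST-TO-ADSL   - per-clause policy-routing match counters
!   show ip policy                 - interfaces the route-map is applied to
```

The match counters in show route-map are the quickest way to confirm guest traffic is actually being steered; a zero count with guest hosts online usually means the router is seeing post-NAT source addresses.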