Using a second Internet connection with a PIX 515E

Answered Question
Mar 12th, 2008

Hello guys,

I need to allow certain VLANs to access the Internet freely but firewalled. We have a PIX 515E as a perimeter firewall with a dedicated Internet link for the corporate access (corporate web browsing, incoming mail, etc.) and we have a second Internet link (a cheap but fast ADSL connection) that we'd like to connect to the PIX to be used by non-corporate users that are supposed to have free Internet access through the specially configured VLANs.

The idea behind this is having everyone under the same LAN infrastructure while at the same time the non-corporate users (visitors, contractors, etc. connected to special VLANs) can access the Internet without affecting our regular link performance. Our perimeter security at a glance is something like the attached image shows.

At first I thought that if I needed the PIX to manage both Internet links, I'd have to configure some kind of Policy-Based Routing inside the PIX. I've been searching this forum and the Internet and it seems PIX is (surprisingly for me) not able to do that... since the PIX is our perimeter firewall, it's the one managing the routing to the Internet and also NATing and everything else. For me it's the place to connect the ADSL but I have to find a way to allow some VLANs in the internal network to access the Internet through the ADSL and the rest of the traffic must go through the regular Internet access.

I found this article (http://www.velocityreviews.com/forums/t36573-pix-policy-routing.html) that says something about route-maps which are related to OSPF configuration. We have a rather small network so we don't use routing protocols... then I wonder how could I go from a static-routing PIX to an OSPF-running PIX to implement route-maps successfully... any ideas?... is this the right way to go?

Maybe I could just pass the traffic and then do the PBR in the perimeter external router, which should be able to do PBR...

What would you recommend?

Thanks in advance,

Regards,

Alberto

brettmilborrow Wed, 03/12/2008 - 09:49

Although I have not configured this before, it seems you may be able to configure this on the firewall.

Just create an ACL with the clients as a source, dest = any.

Then a route-map with a match to the above ACL, and a set next-hop to the ADSL router.

Should work! I am going to check this in a lab now...

albertoff Wed, 03/12/2008 - 11:22

It's a PIX running 6.3(5) and has an unrestricted license.

We're planning to upgrade it to 7.0.7 which is GD... it has the RAM and Flash it needs for this.

Thanks,

Alberto

albertoff Mon, 05/05/2008 - 08:10

Hello...

Well, I rather not mess with the PIX configuration since I'm not sure what I want is possible. So I changed my approach to the problem...

I connected the ADSL modem to the perimeter router. The interface facing the modem has a certified IP address via DHCP since the ISP doesn't give us static addresses (let's call it C.C.C.C). The interface facing the ISP has a static certified address (A.A.A.A). The interface facing the PIX has also a static certified address (B.B.B.1) belonging to the /28 subnet of certified addresses that the ISP gave us with the Internet link.

With the PIX I can play with access lists and translations so I PAT certain users to a specific certified address. Normal traffic would go out via B.B.B.2 while some traffic would go out via B.B.B.3.

This address (B.B.B.3) would be normally routed to the dedicated Internet link via A.A.A.A but with PBR in the perimeter router, the traffic is routed to the interface facing the ADSL modem (C.C.C.C). I have also configured a static NAT in the perimeter router so this traffic goes out to the Internet with a certified IP from the ADSL service and not from the dedicated Internet link (so this NAT changes one certified IP address -B.B.B.3- for another -C.C.C.C- so traffic can come and go via the ADSL link).

Now, the problem... PBR has a route-map that defines the traffic's route via "set ip interface" parameter... I need to use this because the ADSL link has dynamic addresses so I need to set the route via interface and not IP. This doesn't work. I then changed the route-map to "set ip next-hop C.C.C.X" (C.C.C.X being the default-gwy given by the ADSL's DHCP server) and everything works fine... now, this option will work as long as the ADSL's default-gwy remains C.C.C.X... but this could change...

What would you suggest?... NAT seems to be working OK by the way.

Regards,

Alberto

Correct Answer
Richard Burts Mon, 05/05/2008 - 09:15

Alberto

While the address assigned to your router via DHCP is subject to change, I would expect the address of the provider next hop to be pretty stable. So you would be fairly safe with your current implementation.

Depending on the version of code you are running you might experiment with a different set command:

set ip next-hop dynamic dhcp

I have not used this alternative of the set command but it sure looks like it would do what you want it to do and use the next hop learned from DHCP.

HTH

Rick
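The design Alberto describes (PIX policy PAT of the guest VLANs to B.B.B.3, perimeter router PBR on source B.B.B.3 towards the ADSL side, NAT to the ADSL address) together with Rick's `set ip next-hop dynamic dhcp` alternative, written out as an added configuration sketch. It is not part of the thread and not anyone's running configuration: the interface names, the guest subnets 10.10.20.0/24 and 10.10.30.0/24, the ACL and route-map names and the provider next hop A.A.A.B are assumptions, and the letter placeholders follow the thread's notation and must be replaced with real addresses. One deliberate difference from the thread: NAT towards the ADSL side uses interface overload instead of a static translation to C.C.C.C, because C.C.C.C is DHCP-assigned and a static entry would break at the first renewal.

```cisco
! ===== PIX 515E, 6.3 syntax: policy PAT so guest VLAN traffic leaves as B.B.B.3 =====
! Assumed guest subnets (hypothetical); everything else keeps using B.B.B.2.
access-list GUEST-VLANS permit ip 10.10.20.0 255.255.255.0 any
access-list GUEST-VLANS permit ip 10.10.30.0 255.255.255.0 any
! The access-list form of nat is evaluated before the plain catch-all nat rule.
nat (inside) 2 access-list GUEST-VLANS
global (outside) 2 B.B.B.3
! Corporate users: regular PAT to the corporate address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 B.B.B.2

! ===== Perimeter router, IOS: PBR + NAT for traffic sourced from B.B.B.3 =====
interface FastEthernet0/0
 description Towards PIX outside (B.B.B.0/28) - assumed interface name
 ip address B.B.B.1 255.255.255.240
 ip nat inside
 ip policy route-map TO-ADSL
!
interface FastEthernet0/1
 description Towards dedicated ISP link - assumed interface name
 ip address A.A.A.A 255.255.255.252
!
interface FastEthernet1/0
 description Towards ADSL modem; C.C.C.C is learned via DHCP - assumed interface name
 ip address dhcp
 ip nat outside
!
! Default route for everyone else. A.A.A.B is a placeholder for the provider's
! side of the dedicated link. The DHCP-learned default on FastEthernet1/0 is
! installed with administrative distance 254, so this static route keeps winning
! and general traffic does not drift onto the ADSL link.
ip route 0.0.0.0 0.0.0.0 A.A.A.B
!
ip access-list extended ADSL-USERS
 permit ip host B.B.B.3 any
!
route-map TO-ADSL permit 10
 match ip address ADSL-USERS
 set ip next-hop C.C.C.X
! On IOS releases that support it, replace the set line above with
!  set ip next-hop dynamic dhcp
! so the next hop follows whatever gateway the ADSL DHCP server hands out.
!
! Translate B.B.B.3 to the current address of the ADSL interface; return traffic
! arriving on FastEthernet1/0 is un-translated back to B.B.B.3 and forwarded to the PIX.
ip nat inside source list ADSL-USERS interface FastEthernet1/0 overload
```

Only packets matching ADSL-USERS are policy-routed; anything entering FastEthernet0/0 that does not match the route-map falls through to normal destination-based routing via A.A.A.B. The guest VLANs still traverse the PIX, so the firewall's inside access lists remain the place to limit what those VLANs may reach, and the PIX translation table is what ties a B.B.B.3 session back to a guest host when something needs to be traced.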

albertoff Mon, 05/05/2008 - 12:03

Rick,

Thanks for your quick answer... the "set ip next-hop dynamic dhcp" looks like a solution. I wasn't aware this command was available. Unfortunately the IOS currently installed doesn't support it.

I'll live with the current configuration while I plan an IOS upgrade...

Thanks!

Bye

Richard Burts Mon, 05/05/2008 - 12:34

Alberto

It is unfortunate that your current IOS does not support this option. I believe that you are relatively safe with your current solution and that, when you are able to plan and execute an IOS upgrade, you will be even better configured once you can use this new option.

I am glad that my response was helpful. Thank you for using the rating system to indicate that your question was resolved (and thanks for the rating). It makes the forum more useful when people can read a question and can know that they will read a response which did resolve the question.

The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.

HTH

Rick
