Cisco 515e PIX Firewall: Route only port 80 and 443 traffic

Matt.Fields
Level 1

I have a PIX 515e firewall with 3 interfaces (Inside, ISP_1, ISP_2). I currently have everything routed to ISP_1 but I would like to route all Web Browsing traffic (port 80 and 443) to ISP_2 and all other traffic continue out ISP_1.

I have setup an ACL specifying all traffic going to 0.0.0.0 on port 80 and 443 to use ISP_2. But for some reason when I do that, that ACL rule reverts back to ISP_1. I am using the PIX PDM GUI.

Also, I do not have a static route defined for the ISP_2 interface, only an ACL. I am not sure how to define that route since I already have one for ISP_1. Would it be something like this?

<local network> <Local subnet> route to <ISP_1>

<local network> <Local subnet> route to <ISP_2>

I am not sure how the above would work. I still want all non port 80 and 443 traffic to go out through ISP_1.

Your help is appreciated.

4 Replies

Collin Clark
VIP Alumni

I'm afraid you can't do that with a PIX. You could do it with a router and a route map.

So would I need 2 Firewalls then, for each ISP connection?

Also is a layer 3 Cisco switch able to route map?

Correct, you need two firewalls.

Yes, you can route-map with a L3 cisco switch.

You would use the route map with an extended access-list to push the traffic to the specific firewall. Google "cisco route-map" for examples.

If you want to differentiate traffic flows then yes. You could use one router and connect to both ISPs and do the route map (as well as firewall services). I believe that route map support on L3 switches depends on the platform and Enhanced Image IOS.
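The route-map approach suggested in the two replies above, written out as an added example; this is not configuration from any of the posters, and the interface names, addresses and next hops are placeholders chosen for illustration. It shows the policy-based routing pattern on an IOS router: an extended access-list selects only TCP 80/443 from the inside subnet, a route-map sets ISP_2's next hop for matched packets, and everything else falls through to the ordinary default route via ISP_1.

```cisco
! Constructed example: one IOS router in front of the inside network, with an
! interface toward each ISP. All addresses are placeholders (RFC 5737 ranges).
interface GigabitEthernet0/0
 description Inside
 ip address 192.168.1.1 255.255.255.0
 ! PBR is applied to packets RECEIVED on this interface, i.e. traffic leaving the LAN
 ip policy route-map WEB-TO-ISP2
!
interface GigabitEthernet0/1
 description ISP_1
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/2
 description ISP_2
 ip address 203.0.113.2 255.255.255.252
!
! Normal routing: anything the policy does not claim leaves via ISP_1
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Extended ACL: only HTTP/HTTPS from the inside subnet to any destination.
! Keep the source restricted so stray traffic is not silently policy-routed.
ip access-list extended WEB-TRAFFIC
 permit tcp 192.168.1.0 0.0.0.255 any eq 80
 permit tcp 192.168.1.0 0.0.0.255 any eq 443
!
! Route-map: matched packets get ISP_2's next hop. There is no deny clause and
! no trailing sequence, so unmatched packets use the routing table (ISP_1).
route-map WEB-TO-ISP2 permit 10
 match ip address WEB-TRAFFIC
 set ip next-hop 203.0.113.1
!
! Verification after applying:
!   show route-map WEB-TO-ISP2   -> "Policy routing matches" counter should grow
!                                   only when inside hosts browse on 80/443
!   show ip policy               -> confirms the map is bound to Gi0/0
```

Two practical caveats for anyone building this. First, with two upstreams the source NAT has to follow the egress interface (for example, NAT statements keyed on a route-map or per-interface overload) so that a web session translated to an ISP_2 address is not sent out ISP_1, otherwise the return traffic never reaches the router. Second, a plain `set ip next-hop` keeps forwarding to ISP_2 even if that link is dead; IOS supports `set ip next-hop verify-availability` with an IP SLA track object so the policy falls back to the routing table when ISP_2 is down, which is worth adding before relying on this in production.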
