01-06-2009 01:45 AM - edited 03-04-2019 03:20 AM
Hi,
I have a Cisco 1700 series router and a PIX 506 configured on the network. Both devices have interfaces directly connected to the LAN and WAN.
Although I would like to configure the PIX as the default gateway I am unable to due to the fact that there are routes on the 1700 router that wouldn't be accessible to the clients (same interface traffic on the PIX etc). But at the same time I would like all internet traffic to pass via the pix and the GRE VPN tunnel traffic to pass via the router. The CPU utilisation is often quite high on the router due to the GRE VPN traffic, which is why I want to avoid passing general internet traffic through it.
I have configured the router as the default gateway; however, I have changed the default route on the router to use the PIX. My question is this: is there a performance issue with this setup? My understanding is that the router should send an ICMP redirect for all the internet traffic, which should then pass via the PIX? If the router is running particularly slow, is this setup going to impact general internet traffic?
Thanks
01-06-2009 02:49 AM
Hello Al,
I would change the configuration on the device that is more internal:
default route pointing to pix
a PBR rule that redirects GRE traffic to the 1700 router
access-list 112 permit gre any any
route-map divert_GRE permit 10
match ip address 112
set ip next-hop c1700.lan.ipaddr
applied on the internal interface of the device inside
int vlan 10
ip policy route-map divert_GRE
because it works on inbound packets
Current settings have an impact on the CPU of the 1700, and that is not a good thing when it is already high from GRE traffic handling.
Hope to help
Giuseppe
01-06-2009 03:00 AM
Hi,
Thanks for the post. Both devices are equal in terms of their position on the network i.e. both have interfaces that are directly connected to the LAN & WAN, and I was hoping to keep things that way.
With your suggestion, there is still the issue that, if the PIX is the default gateway, then clients won't be able to get to hosts that are in the routing table of the router.
Thanks
01-06-2009 04:37 AM
Hello Al,
Since the most specific route is used first, you could add some static routes for the hosts to be reached via the C1700.
In this way you can avoid all the ICMP redirect overhead.
But this can only work if there is an internal network device that faces the C1700/PIX pair.
Doing this on LAN clients can be long and boring.
If the hosts to be reached are within RFC1918 (private ip addresses) you can also make static routes for the private address range of use pointing to the C1700.
I also think that the suggestion of PBR cannot work if GRE tunnels start from the C1700 so my first post cannot apply to your scenario.
Hope to help
Giuseppe
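The longest-prefix-match argument in the post above, worked through as an added example (not from the thread or from Cisco): it simulates a LAN client's first hop under the original setup (default to the 1700, whose own default points at the PIX) and under the static-route setup, and flags the case where the 1700 has to forward back onto the LAN it received the packet on, which is the ICMP redirect case. All addresses, the 10.20.0.0/16 remote site and the device names are constructed assumptions.

```python
import ipaddress

# Constructed addresses; the thread names none. The 1700 and the PIX share one LAN.
C1700 = "192.168.1.1"
PIX = "192.168.1.2"
LAN = ipaddress.ip_network("192.168.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

def route(table, dst):
    """Longest-prefix match over a list of (network, next_hop) tuples."""
    dst_ip = ipaddress.ip_address(dst)
    matches = [(net, nh) for net, nh in table if dst_ip in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

# Assumed tables: the 1700 reaches one remote site over its GRE tunnel and
# defaults to the PIX; the PIX defaults to the internet.
ROUTER_TABLE = [(ipaddress.ip_network("10.20.0.0/16"), "TUNNEL"), (ANY, PIX)]
PIX_TABLE = [(LAN, "DIRECT"), (ANY, "INTERNET")]

def forward(client_table, dst):
    """Follow a packet from a LAN client until it leaves the LAN.

    Returns (hops, redirect). redirect is True when a LAN device must hand
    the packet to another LAN device, i.e. forward it back out the interface
    it arrived on, which is when a router emits an ICMP redirect.
    """
    hops, redirect = [], False
    nh = route(client_table, dst)
    while nh in (C1700, PIX):
        hops.append(nh)
        table = ROUTER_TABLE if nh == C1700 else PIX_TABLE
        nxt = route(table, dst)
        if nxt in (C1700, PIX):
            redirect = True
        nh = nxt
    hops.append(nh)
    return hops, redirect

# Setup from the question: client default -> 1700, 1700 default -> PIX.
ORIGINAL = [(ANY, C1700)]
# Suggested setup: client default -> PIX, RFC1918 aggregate -> 1700.
SPECIFIC = [(ipaddress.ip_network("10.0.0.0/8"), C1700), (ANY, PIX)]
```

Note that the RFC1918 aggregate also sends private destinations the 1700 does not know (e.g. 10.99.1.1 here) to the 1700, where they bounce to the PIX with a redirect; only prefixes actually in the router's table avoid that.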
01-06-2009 04:39 AM
Thanks for your help with this.