Policy Based Routing Implementation

Unanswered Question
Feb 18th, 2009

At my location we have a primary and backup internet connection. The backup connection is completely underutilized; no traffic traverses it unless our main connection is down.

I'd like to use policy based routing to direct all http traffic across the backup link. I have a fair understanding of the PBR setup, I'm just not sure exactly where to implement it.

It's been explained to me that I would need to acquire a second PIX due to the way outbound PIX traffic does a route table lookup after traffic passes through the higher security interface. This is fine; I just want to verify that what I want to do is possible before investing in the hardware.

In the attached image, Switch 1 is our layer 3 switch. Router 1 is where both ISPs connect to our network.

I'm thinking I would just add another PIX, connect our web filter to it, set his default gateway to Router 1, and implement PBR on Router 1? Or would I configure PBR on Switch 1 (his current default route is Firewall 1) and configure Firewall 2 with a default gateway of ISP 2?

Sorry if this seems simple, I just don't get downtime windows very often and would like to get some feedback before trying anything.

On Router 1 routes are set up as follows:

ip forward-protocol nd

ip route [ISP 1]

ip route [ISP 2]

jasonfaraone Wed, 02/18/2009 - 12:07

Thanks for the reply! Here is another question that's been bothering me...

Our web filter has a NAT'd IP in a range that's associated (route wise) with our primary ISP. It seems like I could make outbound traffic head out of my backup ISP, but it would try to come back over the primary ISP. It seems like the "fix" would be to have a second firewall and use it to NAT a static IP associated with our backup ISP?

bmcginn Wed, 02/18/2009 - 13:22

Have you thought about getting your own AS and a block of addresses?

You could do that - but I think that is over complicating things. You could, as Brad suggested, get your own AS number and IP range.

You could possibly change the internal IP address between the router and PIX to a separate unroutable IP subnet. Then perform the NAT on the router facing the 2 ISPs. That way you could equally load balance and the routing would route out and back over the same ISP link.
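As an added illustration of the approach in the reply above (PBR for HTTP plus NAT on Router 1, chosen per egress interface so replies return over the same ISP link), here is an IOS configuration sketch; it is not from the original thread. Interface names, the 10.0.0.0/24 inside subnet and the RFC 5737 documentation addresses used for the two ISPs are constructed placeholders.

```cisco
! Constructed example: PBR sends HTTP out ISP 2, NAT follows the egress interface
ip access-list standard INSIDE-NETS
 permit 10.0.0.0 0.0.0.255
!
ip access-list extended HTTP-OUT
 permit tcp 10.0.0.0 0.0.0.255 any eq www
!
! Policy routing: only HTTP is diverted; everything else follows the routing table
route-map PBR-HTTP-TO-ISP2 permit 10
 match ip address HTTP-OUT
 set ip next-hop 198.51.100.1
!
! NAT route-maps keyed on the outgoing interface, so a flow that leaves via ISP 2
! is translated to the ISP 2 address and its replies come back on ISP 2
route-map NAT-ISP1 permit 10
 match ip address INSIDE-NETS
 match interface GigabitEthernet0/1
!
route-map NAT-ISP2 permit 10
 match ip address INSIDE-NETS
 match interface GigabitEthernet0/2
!
interface GigabitEthernet0/0
 description Inside (toward the PIX / Switch 1), now an unroutable private subnet
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip policy route-map PBR-HTTP-TO-ISP2
!
interface GigabitEthernet0/1
 description ISP 1 (primary)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/2
 description ISP 2 (backup)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
ip nat inside source route-map NAT-ISP1 interface GigabitEthernet0/1 overload
ip nat inside source route-map NAT-ISP2 interface GigabitEthernet0/2 overload
!
! Primary default via ISP 1; floating static via ISP 2 only if the ISP 1 route is lost
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 250
! Caveat: PBR only falls back to normal routing if the ISP 2 interface itself goes down;
! an upstream outage that leaves the link up needs next-hop tracking (IP SLA) to detect.
```

Verify with `show route-map PBR-HTTP-TO-ISP2` (policy match counters) and `show ip nat translations` to confirm HTTP flows carry the ISP 2 address while other traffic keeps the ISP 1 address.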
