Routing between Internet accesses

Answered Question
Jul 8th, 2009

I have 2 sources of internet access. I have one through which the employees access corp's network (webservers, DB) and the internet. This network goes out a Pix 515. The other is a DSL box that technology uses for testing, updating servers and anything that on corp's network could take hours instead of minutes. We switch between web access through proxy servers.

Currently I have created VLANs to separate networks. Three buildings with 1500 machines apiece on one /16 subnet did not make sense to me. I put in place a pix 501 on the DSL line with a /30 connecting to my 6500. Corp could not get us VPN access, another reason for the DSL line.

The DSL was set up before, directly connected into a proxy server. We would just change the proxy to get out the "Back Door" if needed.

Since I placed the pix in place I have not been able to get out through the DSL.

The setup:

(Corp Internet,Pix515 [10.0.20.1/16)>>>>>>>([F3/1] 6500 [F3/2][10.25.0.1/30])<<<<<<<(DSL Pix501 [10.25.0.2/30])

6500 def-gate 0.0.0.0 0.0.0.0 10.0.20.1 (Pix515)

10.0.0.0/16 is the old network and must keep it this way for the time being. This range is on its own vlan. In the future it will be a /30.

The proxy has 2 ports in and out.

I am confused at this part.

Tried:

I created a VLAN for just the proxy. The IN interface has an IP 172.20.20.120/24 no GW. This is on the tech vlan.

The out is 10.25.1.2/24 GW=10.25.1.1.

In the 6500 I added the route 10.25.1.0 255.255.255.0 10.25.0.2 (Pix501)

I am lacking the imagination for a solution on this problem.

I am sorry for this being so long; the last issue I had, I just put the problem. The forum was saying the network was the issue and I spent a week explaining one by one the setup of the network. In the end I had just forgotten to put sw nonego. So, my apologies in advance.

Thank you for your help.

Correct Answer by xcz504d1114 about 7 years 4 months ago

Much better :)

So is there a specific set of users you would like to use the DSL? I have 2 internet pops at my main facility, I use a route-map to affect who goes out what pop.

For instance, I have 2 DS3's, I have all users pointed out the primary DS3, I have this setup with a default route (ip route 0.0.0.0 0.0.0.0 10.1.2.1) and then I selectively let other users to use the other DS3, to do this I first defined who could use the DS3 (vlan 15 users etc.)

I then wrote an access list

access-list 100 deny ip 10.1.15.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.1.15.0 0.0.0.255 any

To deny 10.1.15.0/24 users to any internal IP address and to allow them when destined to any other host. Without the deny statement, all traffic, even traffic destined to your inside network, will be sent to your internet pop.

I created a route-map

route-map DS3 permit 10
 match ip address 100 (100 is the access list number)
 set ip next-hop 10.1.2.10 (ip address of the other internet pop)

Then apply it to your inbound interface:

interface vlan 15
 ip policy route-map DS3

This would effectively do load sharing (not load balancing). In order to load balance you would need to use a routing protocol such as EIGRP: for example, create static routes and then redistribute them into the routing protocol with equal path cost, or, if your PIXs support routing protocols, you could also turn those on to handle load balancing as well.

I think this is a solution you are looking for, if not let me know what I'm missing from your question and we will get it straightened out :)

Have you tested your PIX 501 to make sure it is configured properly to access the internet through the DSL? IE can you ping google from the PIX?

HTH,

Craig
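To make the policy-routing logic in Craig's answer concrete, here is an added Python model of it (example code written for this page, not Craig's configuration or anything from Cisco). It evaluates access-list 100 with Cisco wildcard-mask semantics, applies route-map DS3, and falls back to a small constructed routing table when the route-map does not match. The hosts 10.1.15.10, 10.1.16.10, 10.1.20.5 and the 10.0.0.0/8 table entry are constructed sample values; the ACL, route-map and default gateway 10.1.2.1 are taken from the answer above. The block also shows the failure mode the answer warns about: with the deny line removed, traffic to an internal host is policy-routed out the second pop.

```python
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


# access-list 100 as given in the answer: (action, src, src-wildcard, dst, dst-wildcard).
# "any" is expressed as 0.0.0.0 with wildcard 255.255.255.255.
ACL_100 = [
    ("deny",   "10.1.15.0", "0.0.0.255", "10.0.0.0", "0.255.255.255"),
    ("permit", "10.1.15.0", "0.0.0.255", "0.0.0.0",  "255.255.255.255"),
]

# Same ACL with the deny line left out, to show why it is needed.
ACL_100_NO_DENY = [ACL_100[1]]


def acl_action(acl, src: str, dst: str) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, src_base, src_wc, dst_base, dst_wc in acl:
        if wildcard_match(src, src_base, src_wc) and wildcard_match(dst, dst_base, dst_wc):
            return action
    return "deny"


def route_map_ds3(acl):
    """route-map DS3 permit 10 / match ip address <acl> / set ip next-hop 10.1.2.10"""
    return [{"seq": 10, "action": "permit", "match_acl": acl, "next_hop": "10.1.2.10"}]


# Constructed routing table of the router: an interior route for the 10/8 space
# and the default route from the answer (ip route 0.0.0.0 0.0.0.0 10.1.2.1).
ROUTING_TABLE = [
    (ipaddress.ip_network("10.0.0.0/8"), "interior"),
    (ipaddress.ip_network("0.0.0.0/0"), "10.1.2.1"),
]


def table_lookup(dst: str) -> str:
    """Longest-prefix match over the constructed routing table."""
    best = None
    for net, next_hop in ROUTING_TABLE:
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1]


def choose_next_hop(src: str, dst: str, acl=ACL_100) -> str:
    """Policy routing on the inbound VLAN: a permit in the route-map's ACL overrides
    the routing table; any other packet is routed normally."""
    for entry in route_map_ds3(acl):
        if entry["action"] == "permit" and acl_action(entry["match_acl"], src, dst) == "permit":
            return entry["next_hop"]
    return table_lookup(dst)


if __name__ == "__main__":
    print("vlan15 -> internet :", choose_next_hop("10.1.15.10", "8.8.8.8"))
    print("vlan15 -> internal :", choose_next_hop("10.1.15.10", "10.1.20.5"))
    print("other  -> internet :", choose_next_hop("10.1.16.10", "8.8.8.8"))
    print("no deny, internal  :", choose_next_hop("10.1.15.10", "10.1.20.5", ACL_100_NO_DENY))
```

The last line of output is the case to watch for when building a route-map like this: without the deny entry, a VLAN 15 host talking to another internal host is handed to 10.1.2.10 instead of the interior route, so the check for "internal destinations stay internal" is worth running before the policy goes on the interface.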

xcz504d1114 Wed, 07/08/2009 - 18:49

I'm going to try to help here, but I had a hard time understanding your question amongst all the explanations, I tried skimming for a question mark but couldn't find one :)

So, reading through this a few times to make sure I understood, this is what I took from it:

1) You have 2 internet pops

2) The DSL one is the one you are having problems with

3) The problem began when you installed the Pix 501

And then there is some diagram you put up there that I don't quite understand, it looks like your DSL plugs into your 6500 and your PIX? I liked kindergarten, so I'm a fan of simple shapes and markers, feel free to put that network diagram on a bitmap and upload it :)

I have a question, what is the proxy that you would "change" to make your backdoor?

Where does the proxy fit into your network diagram?

I don't really understand completely what you are asking for, based on what I summarized, it sounds like we need to figure out what you did wrong with the PIX, but you mentioned being confused right after you mentioned the proxy having 2 ports in and out, so is the proxy your question?

Trying to help :)

Craig

o.primous Wed, 07/08/2009 - 20:00

Sorry for the confusion.

Yes, the problem started when I installed the pix501 on the DSL line for the VPN connection. Before, the DSL was connected to the out port on the proxy, and an inside IP was on the in port.

I made a quick diagram.

6500 3/2 IP=10.25.0.5/30

ip route 0.0.0.0 0.0.0.0 10.0.20.1/16

501 inside IP=10.25.0.6/30

515 inside IP=10.0.20.1/16 on VLAN5

What I need to do is be able to access both Internet accesses, or be able to go outside on both pix 515 & 501, at least for VLAN 15.

I put the proxy on its own VLAN, trying to set up a route so that I could access it. It's not set in stone. I was putting the proxy outside interface into vlan20 and the inside in vlan 15.

The proxy is just a way for us to quickly switch between corp and back door Internet access.

I can access corp side with the route 0 0 10.0.20.1. I just need to access the internet on 501.

