I have 2 sources of internet access. I have one through which the employees access corp's network (webservers, DB) and the internet. This network goes out a PIX 515. The other is a DSL box that technology uses for testing, updating servers and anything that on corp's network could take hours instead of minutes. We switch between web access through proxy servers.
Currently I have created VLANs to separate networks. Three buildings with 1500 machines apiece on one /16 subnet did not make sense to me. I put in place a PIX 501 on the DSL line with a /30 connecting to my 6500. Corp could not get us VPN access, another reason for the DSL line.
The DSL was set up before, directly connected into a proxy server. We would just change the proxy to get out the "back door" if needed.
Since I placed the PIX in place I have not been able to get out through the DSL.
(Corp Internet, Pix515 [10.0.20.1/16])>>>>>>>([F3/1] 6500 [F3/2][10.25.0.1/30])<<<<<<<(DSL Pix501 [10.25.0.2/30])
6500 def-gate 0.0.0.0 0.0.0.0 10.0.20.1 (Pix515)
10.0.0.0/16 is the old network and must keep it this way for the time being. This range is on its own vlan. In the future it will be a /30.
The proxy has 2 ports in and out.
I am confused at this part.
I created a VLAN for just the proxy. The IN interface has IP 172.20.20.120/24, no GW. This is on the tech VLAN.
The OUT interface is 10.25.1.2/24, GW=10.25.1.1.
In the 6500 I added the route 10.25.1.0 255.255.255.0 10.25.0.2 (Pix501)
I am lacking the imagination for a solution on this problem.
I am sorry for this being so long. The last issue I had, I just put the problem. The forum was saying the network was the issue and I spent a week explaining one by one the setup of the network. In the end I had just forgotten to put sw nonego. So, my apologies in advance.
Thank you for your help.
Much better :)
So is there a specific set of users you would like to use the DSL? I have 2 internet POPs at my main facility, and I use a route-map to affect who goes out which POP.
For instance, I have 2 DS3s. I have all users pointed out the primary DS3, set up with a default route (ip route 0.0.0.0 0.0.0.0 10.1.2.1), and then I selectively let other users use the other DS3. To do this I first defined who could use the DS3 (VLAN 15 users etc.).
I then wrote an access list
access-list 100 deny ip 10.1.15.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.1.15.0 0.0.0.255 any
This denies 10.1.15.0/24 users to any internal IP address and allows them to any other host. Without the deny statement, all traffic, even traffic destined to your inside network, will be sent to your internet POP.
I created a route-map
route-map DS3 permit 10
match ip address 100 (100 is the access list number)
set ip next-hop 10.1.2.10 (ip address of the other internet pop)
Then apply it to your inbound interface:
interface vlan 15
ip policy route-map DS3
This would effectively do load sharing (not load balancing). In order to load balance you would need to use a routing protocol such as EIGRP: something like creating static routes and then redistributing them into the routing protocol with equal path cost. Or, if your PIXes support routing protocols, you could also turn those on to handle load balancing as well.
I think this is a solution you are looking for, if not let me know what I'm missing from your question and we will get it straightened out :)
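The access-list plus route-map logic in the answer above, modelled as an added, stand-alone example (not code from either poster): it evaluates a Cisco-style wildcard ACL first-match with the implicit trailing deny, and then decides whether a packet is policy-routed to the second POP or falls through to the normal routing table. The addresses are the ones quoted in the answer; the small routing table (10.0.0.0/8 as internal plus the default route) and the sample flows are constructed assumptions to show why the deny line matters.

```python
import ipaddress

# Constructed model of "access-list 100" from the answer. Each entry is
# (action, src, src-wildcard, dst, dst-wildcard); "any" is 0.0.0.0 255.255.255.255.
ACL_100 = [
    ("deny",   "10.1.15.0", "0.0.0.255", "10.0.0.0", "0.255.255.255"),
    ("permit", "10.1.15.0", "0.0.0.255", "0.0.0.0",  "255.255.255.255"),
]
# The same ACL with the deny line left out, to show the failure the answer warns about.
ACL_100_NO_DENY = [ACL_100[1]]

PBR_NEXT_HOP = "10.1.2.10"  # route-map DS3: set ip next-hop (second POP)

# Assumed routing table: internal 10/8 reachable internally, everything else via
# the default route to the primary POP (ip route 0.0.0.0 0.0.0.0 10.1.2.1).
ROUTES = [
    (ipaddress.ip_network("10.0.0.0/8"), "internal"),
    (ipaddress.ip_network("0.0.0.0/0"), "10.1.2.1"),
]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_lookup(acl, src: str, dst: str) -> str:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, sn, sw, dn, dw in acl:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"


def table_lookup(dst: str) -> str:
    """Longest-prefix match over the assumed routing table."""
    ip = ipaddress.IPv4Address(dst)
    best = max((r for r in ROUTES if ip in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def next_hop(acl, src: str, dst: str) -> str:
    """route-map DS3 permit 10: a permit from the ACL sets the next hop;
    a deny (explicit or implicit) drops out of PBR into normal routing."""
    if acl_lookup(acl, src, dst) == "permit":
        return PBR_NEXT_HOP
    return table_lookup(dst)


if __name__ == "__main__":
    # Constructed sample flows from a VLAN 15 host and from another VLAN.
    flows = [
        ("10.1.15.7", "8.8.8.8"),     # VLAN 15 to the internet: second POP
        ("10.1.15.7", "10.0.20.5"),   # VLAN 15 to an inside host: stays internal
        ("10.1.16.7", "8.8.8.8"),     # not VLAN 15: default route, primary POP
    ]
    for src, dst in flows:
        print(f"{src} -> {dst}: with deny {next_hop(ACL_100, src, dst)}, "
              f"without deny {next_hop(ACL_100_NO_DENY, src, dst)}")
```

Running it shows the point made above: with the deny line, VLAN 15 traffic to 10.0.20.5 is routed internally, while without it the same flow is policy-routed out the second POP.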
Have you tested your PIX 501 to make sure it is configured properly to access the internet through the DSL? I.e., can you ping Google from the PIX?