I have a client with a CSS 11151 content switch. In front of the CSS (the "outside" interface), the client has a PIX and a 3060 VPN concentrator. Some of the traffic comes in from the 3060 and some from the PIX; hence, the reply traffic needs to go through two different gateways depending on where it came from. Up to this point, they put a 7120 router on the segment (its only connection) for the sole purpose of sending ICMP redirects to the CSS. The 7120 is the default gateway for the CSS. Obviously, this is not the greatest arrangement and has been made worse since they are experiencing significant performance issues when traffic begins to exceed about 4.5 Mbps through the CSS.
The client says they tried to configure a default route to the PIX and another static route to the 3060 but then *all* of their traffic began following the route to the 3060. To further complicate the issue, they are running redundant SCAs. Their current routing configuration is this:
ip route 0.0.0.0 0.0.0.0 1.1.1.1 1
ip route 0.0.0.0 0.0.0.0 192.168.102.5 1
ip route 0.0.0.0 0.0.0.0 192.168.102.6 1
ip route 192.168.100.0 255.255.255.0 1.1.1.1 1
ip route 10.0.0.55 255.255.255.255 1.1.1.1 1
192.168.102.5 and .6 are the two SCAs. 1.1.1.1 is the 7120. 1.1.1.2 is the PIX and 1.1.1.3 is the 3060.
Logically, it seems that I could add a route to 10.7.0.0/16 via 1.1.1.3, 192.168.102.5, and 192.168.102.6. I would think this would allow the CSS to send the traffic through the appropriate gateway instead of having to use the 7120 for ICMP redirects.
Since this is such a strange CSS deployment, I have not been able to find anything on CCO that I could use as a reference configuration. But, according to the documentation, it seems that the "ip route" statement in the CSS works just like it would in any other device, so I do not understand why the client would have had problems.
Can anybody help with this?