Hi there - We are getting ready to migrate from one ISP to another and I am running into some issues getting it to work. Essentially, our network is currently laid out like this:
We had some extra gear which I set up for the new ISP and that is laid out like this:
ISP2->2620RTR2->PIXFW2->DMZ,SERV,CORE switches (these are the same switches)
The only differences are the IP addresses of the PIX firewalls, which are in the same subnets. I set up a test server on the new ISP and pointed it to PIX2 as its default gateway. It is able to get out to the internet and it can be accessed via its public IP, so that is working just fine. However, internal traffic is not working. I believe it is because the traffic flows like this:
workstation->CORESW->PIX1(inside)->PIX1(dmz)->DMZSW->server

and the return traffic goes like this:

server->DMZSW->PIX2(dmz)->then drops, because the PIX never saw the original SYN packet and drops the SYN-ACK.
I could also be completely wrong with my theories, so if I am please let me know. If anybody has any suggestions to help me out I would be very appreciative. Also, on the migration note, does anybody have any good links to documentation regarding source-based routing? I believe that I need to set up something like that on our routers so that we do not get asynchronous routing when we begin to migrate our DNS over. I can already see that we will run into similar routing issues once we get moving on that, so any ideas regarding that would be appreciated as well.
I assume the PIX does NAT. Let's say ISP1 assigned 220.127.116.11/24 to you and ISP2 assigned 18.104.22.168/24.
I'd go for something like this:
Keep the original configuration. Get a switch (a VLAN on a switch) between the router and the PIX. Add the second router to the same switch (VLAN). Set up policy routing on the original router to send traffic from 22.214.171.124/24 to the second router, which will send it to ISP2.
The PIX will NAT as you like and will keep sending all traffic (both 126.96.36.199/24 and 188.8.131.52/24) to the original router, so you don't need to modify its routing table.
The original router will send 184.108.40.206/24 traffic to the ISP1 interface and 220.127.116.11/24 traffic to the second router.
When you finish migrating, just switch the inside IP addresses on the routers so the PIX will send all traffic to the second one. Policy routing will no longer be in effect, since the first router does not receive anything, so you can turn it off.
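The policy routing the reply above describes, written out as an IOS configuration for the original router. This is an added example, not configuration posted by anyone in the thread; the addressing is assumed: the ISP1 block is taken as 192.0.2.0/24 and the ISP2 block as 198.51.100.0/24 (RFC 5737 documentation ranges standing in for the real assignments), the shared VLAN between the PIX outside interface and the two routers is 10.10.10.0/24 with RTR1 at 10.10.10.1 (the PIX's default gateway) and RTR2 at 10.10.10.2, and the interface names are placeholders.

```text
! RTR1 (original router) - policy routing for the ISP2 address block.
! Assumed addressing, not from the thread: ISP2 block 198.51.100.0/24,
! shared VLAN 10.10.10.0/24, RTR2 inside address 10.10.10.2.
!
! 1. Classify by SOURCE address: packets the PIX has NATted into the ISP2 block.
ip access-list extended ISP2-SOURCES
 permit ip 198.51.100.0 0.0.0.255 any
!
! 2. Route-map: matching packets get a next hop of RTR2 instead of the
!    normal routing table. Packets that match no sequence (the ISP1 block)
!    fall through to the routing table and leave via the ISP1 interface.
route-map PBR-TO-ISP2 permit 10
 match ip address ISP2-SOURCES
 set ip next-hop 10.10.10.2
!
! 3. Apply the policy on the interface facing the PIX. "ip policy" acts on
!    packets RECEIVED on this interface, which is exactly the PIX->router
!    direction we want to steer. It never affects traffic coming back from
!    the ISPs toward the PIX.
interface GigabitEthernet0/1
 description Shared VLAN with PIX outside and RTR2
 ip address 10.10.10.1 255.255.255.0
 ip policy route-map PBR-TO-ISP2
!
! RTR2 (new router) needs to know where the ISP2 block lives on the inside,
! otherwise inbound ISP2 traffic has no path back to the PIX (assumed PIX
! outside address 10.10.10.10):
! ip route 198.51.100.0 255.255.255.0 10.10.10.10
```

Two checks worth doing once this is in place: `show route-map PBR-TO-ISP2` shows the policy-matched packet counters, so a counter that stays at zero while the test server is sending traffic means the NATted source address is not what the ACL expects; and a traceroute from the test server should show RTR2 as the first hop after the PIX while a traceroute from an ISP1-addressed host shows RTR1's ISP1-facing path. The second case is the one that gets the return path right, too: inbound packets for the ISP2 block arrive at RTR2 and reach the same PIX that NATted the outbound packet, so the firewall sees both directions of each connection, which is the condition the original post identified as missing.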
You are correct in that the PIX does NAT. I actually do have a switch between the routers and the PIXes. It is just flat now, as I was going to convert the PIXes into an HA configuration once we are all migrated over. I will try putting a VLAN onto that switch and connecting the routers and both PIXes to it. I am going to look around and see if I can find any good documents on how to configure the policy routing. Thanks for the advice.
Thanks for the pointers. I think I have a pretty good understanding of what I need to do once I get a window scheduled to modify the routers. I will give it a shot and see if it works. Thank you again.