Re: MSFC routing with FlexWan/PA-T3

jamie.sweeney · ‎03-25-2003

I am looking for some general advice as to prefered method of routing traffic though my MSFC.

current config:

6509 with msfc2 routing (2) NAT'd vlans

(VLAN1 = 192.168.1.x & VLAN2 = 192.168.2.x)

MSFC interface address 192.168.1.254 & 192.168.2.254

default route to PIX at 192.168.1.1

configuration goal:

integrate new flexwan pa-t3 serial interface on MSFC into routed VLans

Serial 3/0/0

ip address 99.99.99.1/24

hidden vlan 1025

I am unsure how to protect the nat vlans from inherited routes/spoof traffic or how to redirect traffic from this serial interface/to this serial interface through a local NAT'd inside pix interface. I have tried to make this fairly general and non-complex but if there is anything I can clarify please let me know and thanks in advance.

ivillegas · ‎03-31-2003

I am not really sure if the topology that you are suggesting will help you in protecting the NATed Vlans as you are planning to terminate the T3 onto the Cat6K box itself.

You must terminate the T3 link on the router outside the PIX box to satisfy your security requirements.

shamilton-wilkes · ‎03-31-2003

I would use policy routing to set next-hop on anything that came in on the T3 to the PIX. It's not as good as having a separate router for the T3, but avoids traffic shortcutting around the PIX.

Look up route-map on CCO, the ACL you match to set next hop can just be a two liner - "ip access-list standard / permit ip any"

Simon

vramanaiah · ‎03-31-2003

I am not sure if this is going to help as the traffic might land on the inside interface of PIX and I am not sure how it can apply the security policy?

jamie.sweeney · ‎03-31-2003

yes it did not seem ideal. I inherited the eq and realized I was puzzled as to how to use the flexwan module and still do vlan routing. It does not seem like an ideal pairing, though I assumed I was overlooking something.