03-25-2003 11:58 AM - edited 03-02-2019 06:08 AM
I am looking for some general advice as to the preferred method of routing traffic through my MSFC.
current config:
6509 with msfc2 routing (2) NAT'd vlans
(VLAN1 = 192.168.1.x & VLAN2 = 192.168.2.x)
MSFC interface address 192.168.1.254 & 192.168.2.254
default route to PIX at 192.168.1.1
configuration goal:
integrate new flexwan pa-t3 serial interface on MSFC into routed VLans
Serial 3/0/0
ip address 99.99.99.1/24
hidden vlan 1025
I am unsure how to protect the NAT VLANs from inherited routes/spoofed traffic, or how to redirect traffic from this serial interface/to this serial interface through a local NAT'd inside PIX interface. I have tried to make this fairly general and non-complex, but if there is anything I can clarify, please let me know, and thanks in advance.
03-31-2003 02:13 PM
I am not really sure if the topology that you are suggesting will help you in protecting the NATed Vlans as you are planning to terminate the T3 onto the Cat6K box itself.
You must terminate the T3 link on the router outside the PIX box to satisfy your security requirements.
03-31-2003 03:46 PM
I would use policy routing to set next-hop on anything that came in on the T3 to the PIX. It's not as good as having a separate router for the T3, but avoids traffic shortcutting around the PIX.
Look up route-map on CCO, the ACL you match to set next hop can just be a two liner - "ip access-list standard / permit ip any"
Simon
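The policy-routing approach suggested in the reply above, written out as an added IOS configuration sketch that is not part of the original thread. It uses the addresses from the first post; the names T3-TO-PIX and ANTISPOOF-T3 are hypothetical, the /24 masks on the VLANs are assumed from "192.168.1.x" and "192.168.2.x", and the inbound anti-spoofing ACL is an addition addressing the original poster's spoofing concern.

```cisco
! Added example; T3-TO-PIX and ANTISPOOF-T3 are hypothetical names.
! Assumes VLAN1 and VLAN2 are /24 networks, as the first post implies.

! Standard ACL that matches every packet, used by the route-map below.
access-list 10 permit any

! Drop packets arriving on the T3 that claim an inside (NAT'd VLAN) source.
ip access-list extended ANTISPOOF-T3
 deny   ip 192.168.1.0 0.0.0.255 any
 deny   ip 192.168.2.0 0.0.0.255 any
 permit ip any any

! Force the next hop to the PIX so T3 traffic cannot be routed
! directly into the VLANs by the MSFC.
route-map T3-TO-PIX permit 10
 match ip address 10
 set ip next-hop 192.168.1.1

interface Serial3/0/0
 ip address 99.99.99.1 255.255.255.0
 ip access-group ANTISPOOF-T3 in
 ip policy route-map T3-TO-PIX
```

`show ip policy` and `show route-map T3-TO-PIX` confirm the binding and the match counters. Policy routing only affects packets received on Serial3/0/0; traffic from the VLANs toward 99.99.99.0/24 still follows the routing table.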
03-31-2003 08:29 PM
I am not sure if this is going to help, as the traffic might land on the inside interface of the PIX, and I am not sure how it can apply the security policy.
03-31-2003 08:43 PM
Yes, it did not seem ideal. I inherited the equipment and realized I was puzzled as to how to use the FlexWAN module and still do VLAN routing. It does not seem like an ideal pairing, though I assumed I was overlooking something.