434 Views, 0 Helpful, 4 Replies

PIX NAT using ISP2?

apaxson
Level 1

I really doubt there is a solution, so I'm challenging all you network gurus {wink}

I have two ISPs coming in. Right now, I have ISP2 bypassing the firewall with its own router.

Now, I would like to be more efficient. I'm consolidating my two ISPs to one router tonight.

I realize the PIX won't do any kind of policy-based routing, but I would like the global NAT to go out ISP1 and all static NATs to go through ISP2.

Possible? I'm open to any ideas.

The Problem: My inbound HTTP traffic has engulfed all my other traffic. Now, I can't control the ISP side of the router, and placing QoS only affects outbound (obviously, if it hit my inbound interface, it's already taken the bandwidth).

I'd like to move the HTTP inbound (based on my global NAT users) to ISP1, and all my static entries to ISP2.

I may be wishing upon a star here, as I haven't come up with any good ideas, as the firewall isn't as flexible as a router (which is probably a good thing overall).

Thanks so much!!


4 Replies

johansens
Level 4

Hi there,

You have a couple of possibilities here..

First; You can indeed do some QoS on your inbound, but it will only be effective on TCP sessions (which would seem to be the bulk of your traffic). Using WRED when shaping the traffic coming in will allow TCP to back off and reduce the pressure. You'll just have to manipulate the bandwidth setting of the interface and shape accordingly.

Second; The issue with the PIX is that it can only have *one* default gateway, and it doesn't do PBR. So you'll have to use external routers to do this work. If you have control over the access routers towards the ISPs, you can do the moving of traffic 'easily'. You *will* need one router (can also use two) between your PIX and the ISP. This router can very well be the access router. If you use one router, this router will have a total of three interfaces (one to each ISP and one to the PIX). If you use two routers, each needs two interfaces (one to ISP, one to PIX) and a switch/hub to interconnect.

I presume you have public IP-addresses on the PIX and have a set from each ISP.

Do your usual thing on the PIX with these addresses, using one ISP-set for the PAT of users and the other ISP-set for your static inbounds. Now on your access-router to the ISPs, use PBR to choose the correct ISP based on the source-address coming from your PIX.

If you are using two routers in parallel, one to each ISP, you'll have to set up an HSRP address for the PIX to use as gateway, and do the PBR on each router.

Let me know if it's too abstract.

Did it help? If so, please rate it.
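A worked configuration for the single-router layout described in this answer, added here as an example; it is not taken from the thread or from any Cisco documentation. All addresses are constructed from the RFC 5737 documentation ranges: ISP1 assigns the block 203.0.113.64/28 over a serial link on 203.0.113.0/30, ISP2 assigns 198.51.100.64/28 over 198.51.100.0/30, the PIX outside interface and the router's Ethernet share the ISP1 block, users are PATed behind 203.0.113.70, and one web server is published as a static on 198.51.100.70. The interface names, ACL numbers, route-map name and the PIX 6.x command syntax are assumptions.

```cisco
! ===== Access router (IOS) =====
! One router, three interfaces: one to each ISP, one to the PIX outside subnet.
interface Serial0/0
 description ISP1 uplink (constructed addressing)
 ip address 203.0.113.2 255.255.255.252
!
interface Serial0/1
 description ISP2 uplink (constructed addressing)
 ip address 198.51.100.2 255.255.255.252
!
interface FastEthernet0/0
 description Toward the PIX outside interface
 ip address 203.0.113.65 255.255.255.240
 ! PBR is applied on the interface where the PIX's traffic ENTERS the router.
 ip policy route-map PIX_EGRESS
!
! Normal default route: anything the policy does not match still has a way out.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
! Return path for the ISP2 block: ISP2 delivers it to this router, and the
! router must hand it to the PIX outside address or replies never reach
! the firewall at all.
ip route 198.51.100.64 255.255.255.240 203.0.113.66
!
! Source address the PIX uses for user PAT (ISP1 set) ...
access-list 101 permit ip host 203.0.113.70 any
! ... and the addresses used for published statics (ISP2 set).
access-list 102 permit ip 198.51.100.64 0.0.0.15 any
!
route-map PIX_EGRESS permit 10
 match ip address 101
 set ip next-hop 203.0.113.1
!
route-map PIX_EGRESS permit 20
 match ip address 102
 set ip next-hop 198.51.100.1
! Packets matching neither ACL fall through to the routing table.

! ===== PIX (6.x syntax) =====
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.66 255.255.255.240
ip address inside 10.1.1.1 255.255.255.0
! The PIX gets exactly one default gateway: the access router.
! Choosing the ISP is the router's job, not the firewall's.
route outside 0.0.0.0 0.0.0.0 203.0.113.65 1
! Users: PAT behind a single ISP1 address.
global (outside) 1 203.0.113.70
nat (inside) 1 10.1.1.0 255.255.255.0
! Published web server: static on an ISP2 address. It is not on the outside
! subnet, so the router's static route above is what brings traffic here.
static (inside,outside) 198.51.100.70 10.1.1.80 netmask 255.255.255.255
! A static alone permits nothing; only the published service is opened inbound.
access-list OUTSIDE_IN permit tcp any host 198.51.100.70 eq www
access-group OUTSIDE_IN in interface outside
```

Two points worth checking after applying something like this: `debug ip policy` on the router shows which route-map clause each packet from the PIX matched, and `show xlate` on the PIX shows the translations that inbound replies must match. The PIX only accepts an inbound packet whose destination matches an existing translation (a PAT entry or a static), which is the condition behind the "Deny inbound (no xlate)" syslog mentioned later in this thread, so the return route for each ISP's block has to land on the PIX outside interface that owns the translation.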

Thanks Johansens!

I'm configuring the routers right now. I came up with your second recommendation (great minds think alike), however, my NAT just doesn't seem to be working.

I have one router with two interfaces (ISP1, ISP2) with the correct addressing.

The Pix is set with a default gateway to go to the router.

I then set up PBR on the router:

access-list 199 permit ip host 1.2.3.4 any
route-map ISP1_natTraffic permit 10
 match ip address 199
 set interface Serial0/0

And then applied the map to my ethernet interface (same subnet as "outside" on pix).

Oh, and I set the global (outside) 1 1.2.3.4

Now, after clearing the xlate table, I ran a policy debug on the router. Packets are being routed correctly out S0/0, but my firewall isn't accepting the responses:

Syslog shows lots of "Deny inbound (no xlate) ......"

When doing a "show xlate", the addresses are being properly created.

Kinda stuck.

Thanks!

Never mind. I had a routing table issue. All is well.

Thanks for the replies!!

rosaldogarcia
Level 1

I have a Cisco 3550 and I have 2 different ISPs connected to my layer 3 switch.

I have VLANs set up on this switch. The question is how to route traffic:

let's say hosts from VLAN 1 and VLAN 2 will route to the Internet using ISP1 and ISP2?
