At my location we have a primary and backup internet connection. The backup connection is completely underutilized; no traffic traverses it unless our main connection is down.
I'd like to use policy based routing to direct all http traffic across the backup link. I have a fair understanding of the PBR setup, I'm just not sure exactly where to implement it.
It's been explained to me that I would need to acquire a second PIX due to the way outbound PIX traffic does a route table lookup after traffic passes through the higher security interface. This is fine; I just want to verify that what I want to do is possible before investing in the hardware.
In the attached image, Switch 1 is our layer 3 switch. Router 1 is where both ISPs connect to our network.
I'm thinking I would just add another PIX, connect our web filter to it, set his default gateway to Router 1, and implement PBR on Router 1? Or would I configure PBR on Switch 1 (his current default route is Firewall 1) and configure Firewall 2 with a default gateway of ISP 2?
Sorry if this seems simple, I just don't get downtime windows very often and would like to get some feedback before trying anything.
Thanks for the reply! Here is another question that's been bothering me...
Our web filter has a NAT'd IP in a range that's associated (route wise) with our primary ISP. It seems like I could make outbound traffic head out of my backup ISP, but it would try to come back over the primary ISP. It seems like the "fix" would be to have a second firewall and use it to NAT a static IP associated with our backup ISP?
You could do that - but I think that is over complicating things. You could as Brad suggested get your own AS number and IP range.
You could possibly change the internal IP address between the router and PIX to a separate unroutable IP subnet. Then perform the NAT on the router facing the 2 ISPs. That way you could equally load balance and the routing would route out and back over the same ISP link.
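For reference, here is what the design suggested in that reply looks like on Router 1, tying it back to the original question about steering HTTP to the backup link: Router 1 holds a private subnet toward Switch 1 / the PIX, policy-routes HTTP out ISP 2, and performs the NAT itself so each session is translated to an address belonging to the ISP it leaves on and returns the same way. This is an added example, not configuration from anyone in the thread; interface names, the 10.10.10.0/24 inside subnet and the 198.51.100.x / 203.0.113.x ISP addresses (RFC 5737 documentation ranges) are assumed for illustration, and classic IOS syntax is assumed.

```cisco
! Added example (not from the thread). Router 1 faces both ISPs and does
! both the PBR and the NAT. All addresses are constructed for illustration.
!
! Inside interface: private subnet between Router 1 and the PIX.
! PBR is applied here because IOS policy-routes packets arriving on an interface.
interface GigabitEthernet0/0
 description Inside - toward Switch 1 / PIX
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip policy route-map PBR-HTTP-BACKUP
!
interface GigabitEthernet0/1
 description ISP 1 - primary
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/2
 description ISP 2 - backup
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! Default route stays on ISP 1; only matched HTTP is steered to ISP 2.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Track the ISP 2 next hop so policy-routed HTTP falls back to the normal
! routing table (ISP 1) when the backup link is down, instead of being blackholed.
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/2
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Outbound HTTP from the inside subnet (the web filter sits behind it).
ip access-list extended HTTP-FROM-INSIDE
 permit tcp 10.10.10.0 0.0.0.255 any eq 80
!
route-map PBR-HTTP-BACKUP permit 10
 match ip address HTTP-FROM-INSIDE
 set ip next-hop verify-availability 203.0.113.1 10 track 1
! Traffic not matched by any clause is routed normally by the routing table.
!
! NAT keyed on the exit interface: a session that leaves via ISP 2 gets an
! ISP 2 address, so its return traffic comes back over ISP 2 as well.
ip access-list extended INSIDE-NETS
 permit ip 10.10.10.0 0.0.0.255 any
!
route-map NAT-ISP1 permit 10
 match ip address INSIDE-NETS
 match interface GigabitEthernet0/1
!
route-map NAT-ISP2 permit 10
 match ip address INSIDE-NETS
 match interface GigabitEthernet0/2
!
ip nat inside source route-map NAT-ISP1 interface GigabitEthernet0/1 overload
ip nat inside source route-map NAT-ISP2 interface GigabitEthernet0/2 overload
```

The `match interface` clauses are what make the return path symmetric: the translation is chosen after the forwarding decision, so the outside address always belongs to the ISP the packet actually exits on. The tracked next hop is the operational safeguard for a link that normally carries no traffic; without it, a down backup circuit would silently drop every policy-routed HTTP session. `show ip policy`, `show route-map PBR-HTTP-BACKUP`, `show track 1` and `show ip nat translations` are the commands to confirm each piece is doing its job before the change window closes.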