Redistribution with PIX and router

mmorris11
Level 4

This is a lab scenario that closely depicts a [not yet] production solution. The desired result is to leverage an existing WAN router with available interfaces rather than use a separate WAN router for the ISP edge but to send internet traffic through the PIX. I have used two ospf areas so that the PIX can "track" the default route on the router which will point to a frame relay sub interface in production.

The challenge that I immediately faced was that although my router has multiple interfaces it only has one routing table. I need to have a static default route pointing to the ISP but since this gets propagated through EIGRP, I used policy routing to get the internet traffic to the PIX.

As far as I can tell this solution will work for me but I am sure that some of you will have some thoughts on this scenario. I am curious about other (maybe cleaner) ways of doing this. I attached a visio which includes configs.

TIA

-mike

6 Replies

Mike,

I am unable to view the diagram due to a visio problem on my end. But, if your concern is the static default route getting propagated via EIGRP then you could filter the same with a distribute-list under EIGRP process. This way you could have a static default route pointing to the ISP and don't have to worry about the EIGRP neighbor routers learning the default route from this router.

If I misunderstood your requirement then could you just clarify that.

HTH

Sundar

Last two.

If I originate a default route in ospf on the inside of the pix, it propagates throughout eigrp fine via redistribution on RTC and this is desired except on RTC which goes to the ISP. Here I want a static route to the outbound interface on RTC. When a static route with an administrative distance less than 170 is entered on RTC then the redistributed default route (from OSPF) gets knocked out of the routing table on RTB and RTB has no default route at all until I redistribute static routes on RTC into eigrp. If I raise the admin distance of the static route above 170 on RTC, the static route floats and RTC prefers the default route originating from OSPF and sending traffic back to the inside of the PIX. What I originally wanted to do was to filter the advertised default route coming from OSPF on PIX inside, but still allow that to propagate into EIGRP. I tried this on RTC with:

access-list 1 deny 0.0.0.0
access-list 1 permit any
router eigrp 50
 distribute-list 1 in

But the default route redistributed from OSPF still injected into RTC.

You could filter the OSPF default route from entering the routing table. You applied the distribute list under the EIGRP process as per the above post and that's why it didn't work.

If you filter the OSPF default and add a static default route to point to the ISP then you need PBR to force the traffic from the LAN and off-sites to go to the inside (e0/0) interface of the PIX for it to apply the security policies and NAT rules. On RTC, you would also need PBR on the WAN interface to the ISP to force all traffic from the Internet to go to the outside interface (e0/1) of the PIX.
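The approach described in the reply above, sketched as an RTC configuration. This is an added example, not a config posted in the thread; the OSPF process ID, interface names, route-map names, access-list 101 and all addresses are assumed placeholders, and only access-list 1 and the PIX interface roles come from the posts.

```cisco
! --- Added example for RTC. All names and addresses below are assumptions. ---
!
! 1. Keep the OSPF-learned default (originated inside the PIX) out of
!    RTC's routing table. Applied under OSPF, not EIGRP. This filters
!    installation into the routing table only; the LSA stays in the LSDB.
access-list 1 deny 0.0.0.0
access-list 1 permit any
!
router ospf 1
 distribute-list 1 in
!
! 2. Static default pointing at the ISP (assumed next hop 203.0.113.1).
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! 3. PBR for LAN and off-site traffic: anything not destined to internal
!    space (assumed 10.0.0.0/8) is forced to the PIX inside interface
!    (e0/0 on the PIX, assumed address 10.1.1.2) so the firewall applies
!    its security policy and NAT.
access-list 101 deny   ip any 10.0.0.0 0.255.255.255
access-list 101 permit ip any any
!
route-map TO-PIX-INSIDE permit 10
 match ip address 101
 set ip next-hop 10.1.1.2
!
interface FastEthernet0/0
 description LAN / EIGRP-facing interface (assumed)
 ip policy route-map TO-PIX-INSIDE
!
! 4. PBR on the WAN interface to the ISP: everything arriving from the
!    Internet is forced to the PIX outside interface (e0/1 on the PIX,
!    assumed address 192.0.2.2) instead of being routed straight inside.
route-map TO-PIX-OUTSIDE permit 10
 set ip next-hop 192.0.2.2
!
interface Serial0/0
 description ISP-facing WAN interface (assumed)
 ip policy route-map TO-PIX-OUTSIDE
```

After applying it, `show ip route 0.0.0.0` should list only the static default, and `show route-map` should show match counters rising on both policies; if either counter stays at zero, traffic on that path is not going through the firewall.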

Ok well it sounds like I am on the right track then. Thanks for the input.

mmorris11
Level 4

Here are the visio elements.. two more remaining..
