RE: Policy Route w/ Pix 515 ?

From: Rik Guyler (rik@guyler.net)
Date: Wed Jan 21 2004 - 22:30:58 GMT-3


Hmmm...I've never been able to add more than a single default route to a
PIX. It has always grumbled about that. ;-}

What about putting a router on the inside running PBR, making it the
default gateway for the network and then setting up a second PIX?

-----Original Message-----
From: Richard Danu [mailto:rdanu@apex3.com]
Sent: Tuesday, January 20, 2004 11:40 PM
To: 'Kenneth Wygand'; ccielab@groupstudy.com
Subject: RE: Policy Route w/ Pix 515 ?

I would try running an Ethernet segment in between ISP routers, and
another to the pix; This way you can run HSRP on the segment
communicating with the PIX. Once the packet reaches the active HSRP
router, you can use some policy based routing to forward packets out the
Serial to the 1st ISP and packets out the Ethernet to the other Router,
which can also use some policy routing to send packets out the serial to
the other ISP (not back to router A!). This can load balance outbound.

I would guess you could even use NAT on routers to map each of the ISP's
private class on each router, as you see fit. You may use DNS to load
balance in round robin fashion inbound traffic to your services (smtp,
dns, www, ftp, etc.) Use the PIX as a filtering device only. There are
ways to get creative with this model.

isp1          isp2
 |             |
 |             |
(A)----------(B)
 |             |
 ---------------
        |
      (PIX)
        |

Richard Danu

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Kenneth Wygand
Sent: Tuesday, January 20, 2004 9:18 PM
To: ccielab@groupstudy.com
Subject: Policy Route w/ Pix 515 ?

Hello all,

Does anyone know if IP Policy can be implemented on a Pix to set a
next-hop IP address based on SOURCE IP address (as opposed to the way
"regular" routing works based on DESTINATION IP address).

Here's my situation - I have a Pix 515 connected to two ISP routers,
each connected to a full T1 Internet circuit (through a dumb switch on
the Pix outside interface). I would like to load balance (or load
share) across the T1's, but I don't think this can be done without a
Content Smart Switch or 3rd party device (Radware link-proof, etc).
I've looked into GLBP but it won't work due to the fact that there's
only a single client (Pix 515) on the segment, so the way GLBP
distributes ghost MAC addresses in a round-robin fashion will not work.
My only thought at the moment is to implement two HSRP groups with
Virtual IP address 1 using R1 as the primary and R2 as the backup and
Virtual IP address 2 using R2 as the primary and R1 as the backup. I'm
guessing I can install two static default routes in the Pix to implement
flow-based load "sharing" across the HSRP groups.

Ideally, however, I might want to set a specific internal LAN segment to
use one of the HSRP groups and have another internal LAN segment to use
the other group. I would have to use some kind of source-based
distinction then on the Pix, but I've been told that since the pix is
essentially a "translation device" and not a "router", that it cannot
implement "IP Policy".

Any suggestions on how this can be done?

Thanks in advance!
Ken
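For readers following the thread, here is the router side of the design Richard sketches (HSRP on the segment the PIX sits on, a crosslink between the two routers, and source-based policy routing on each router) in IOS configuration. This is an added example written for the archive, not a config posted by Rik, Richard or Ken. Every hostname, interface name, address (RFC 1918 / documentation ranges), ACL name and route-map name is hypothetical. It also assumes what Rik's reply implies: the PIX keeps a single default route (here to the group 1 virtual IP, 192.0.2.1) and the source-based split happens entirely on the routers. For the routers to tell the two internal LAN segments apart, the example assumes the PIX translates each segment to its own global address range; the ACLs below match those translated ranges, not the inside addresses.

```cisco
! Router A, the "(A)" in Richard's diagram. Hypothetical added example.
!   FastEthernet0/0 : segment shared with the PIX outside interface and router B
!   FastEthernet0/1 : Ethernet crosslink to router B
!   Serial0/0       : T1 to ISP1 (ISP1's side is 198.51.100.1)
hostname RouterA
!
interface FastEthernet0/0
 ip address 192.0.2.11 255.255.255.0
 ! source-based decision for everything arriving from the PIX
 ip policy route-map FROM-PIX
 ! group 1: this router is primary; group 2: it is the backup
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track Serial0/0 20
 standby 2 ip 192.0.2.2
 standby 2 priority 90
 standby 2 preempt
!
interface FastEthernet0/1
 ip address 10.0.1.1 255.255.255.252
!
interface Serial0/0
 ip address 198.51.100.2 255.255.255.252
!
! normal default via ISP1; floating static hands off to router B if the T1 is down
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 0.0.0.0 0.0.0.0 10.0.1.2 250
!
! translated ranges the PIX presents for internal LAN segment 1 and segment 2
! (hypothetical: assumes one PIX global pool per inside segment)
ip access-list extended SEG1-VIA-ISP1
 permit ip 192.0.2.128 0.0.0.63 any
ip access-list extended SEG2-VIA-ISP2
 permit ip 192.0.2.192 0.0.0.63 any
!
route-map FROM-PIX permit 10
 match ip address SEG1-VIA-ISP1
 set ip next-hop 198.51.100.1
route-map FROM-PIX permit 20
 match ip address SEG2-VIA-ISP2
 set ip next-hop 10.0.1.2
! no further sequence: any other source is forwarded by the routing table
!
! Router B, the "(B)" in the diagram: mirror image, preferring ISP2.
hostname RouterB
!
interface FastEthernet0/0
 ip address 192.0.2.12 255.255.255.0
 ip policy route-map FROM-PIX
 standby 1 ip 192.0.2.1
 standby 1 priority 90
 standby 1 preempt
 standby 2 ip 192.0.2.2
 standby 2 priority 110
 standby 2 preempt
 standby 2 track Serial0/0 20
!
interface FastEthernet0/1
 ip address 10.0.1.2 255.255.255.252
!
interface Serial0/0
 ip address 203.0.113.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 0.0.0.0 0.0.0.0 10.0.1.1 250
!
ip access-list extended SEG1-VIA-ISP1
 permit ip 192.0.2.128 0.0.0.63 any
ip access-list extended SEG2-VIA-ISP2
 permit ip 192.0.2.192 0.0.0.63 any
!
! segment 1 goes across the crosslink to router A
route-map FROM-PIX permit 10
 match ip address SEG1-VIA-ISP1
 set ip next-hop 10.0.1.1
! segment 2 goes straight out the serial to ISP2, not back to router A
route-map FROM-PIX permit 20
 match ip address SEG2-VIA-ISP2
 set ip next-hop 203.0.113.1
```

Three points worth checking before copying this pattern. Policy routing is applied only on the interface facing the PIX, never on the crosslink, so a packet handed across the crosslink is forwarded by the receiving router's ordinary default route and cannot be policy-routed back; that is the "not back to router A" condition in Richard's post. If a router's T1 is down, `set ip next-hop` to that ISP has no route to resolve against and the packet drops through to the routing table, where the floating static sends it to the other router; with both T1s down the two floating statics will bounce packets between the routers until TTL expires, so the tracking decrements and the floating metrics should be watched together. Finally, the ACLs deliberately match only the ranges the PIX is expected to present, so an unexpected or spoofed source on that segment gets the routing table rather than a forced next hop, and if per-ISP NAT is added on the routers as Richard suggests it has to be configured on the router whose link the packet leaves, or the return traffic will arrive at the other ISP.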



This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:48 GMT-3