PIX 525, I think I need Policy-based routing??

the picture: PIX has one External interface to the ISP

PIX has one Inside interface to the network

PIX has 3rd interface direct to the network core

What I've been asked to do: (Don't blame me for the current setup, I would have set the ISP connection up as a trunk with VPN on a different VLAN if I had been involved in building this).

VPN users coming in via the ISP need to be routed to the 3rd interface, so that their internet-connection attempts can be routed via the web-filtering thingie before coming back to the PIX on the Inside interface. At this stage, traffic that is Source:VPN_Subnets/Dest:Internet BUT coming in on the Inside interface needs to just use the normal default route.

I haven't played with PIXs much, and I would never set this up this way in the first place (had I been asked) but apparently they are no longer talking to their ISP, or willing to change anything else, so I'm stuck crossing my fingers that PBR can do this.

Can it?

If so, can you give me some rough (or even detailed!) hints?

Reply to
Arthur Brain

You can't do Policy Based Routing on a PIX, not even in PIX 7.x.

What you -might- be able to do with PIX 7.x is use "security contexts". I haven't looked at those, so I don't know what the limitations are. I wouldn't be surprised, though, if any one interface could only be part of one security context: if that were the case then you'd probably need to use at least one VLAN interface... but likely that VLAN would end up being on the outside interface, which would Not Be Good for your situation.

Reply to
Walter Roberson

Why not force them through a proxy, having them come inwards and go back outwards on the inside interface?



Reply to
Frank Winkler

Some of the limitations of multi context are:

1. No VPN.
2. No OSPF (or RIP). Statics only.
3. No Multicast.
4. No ISP redundancy configuration. This I cannot find documented anywhere but spent days with TAC on it; they couldn't get it to work either. There is still a case open on this, going on 4 months now... developers are involved at this point.

You can have the same interface on multiple contexts, i.e. a single internal interface X.X.X.X used; it's referred to as a shared interface. When using a shared interface it relies on the static NATs as the classifier to tell the ASA/PIX/FWSM which context to deliver the traffic through. When using a shared interface you cannot use NAT 0 lists because of the way the classifier works.

Here's a decent link on multiple context on 7.2

formatting link

Reply to
Brian V
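To make the shared-interface classifier Brian describes concrete, below is an added, illustrative PIX 7.x multiple-context fragment. It is not from any post in this thread and not a configuration anyone here has run; the context names, interface roles, the RFC 5737 documentation addresses and the config-url file names are all assumed for illustration. The point it shows is the one Brian makes: when two contexts share Ethernet0, each context needs its own address on that interface, and it is the distinct static NAT global addresses (203.0.113.10 vs 203.0.113.11) that let the classifier decide which context an inbound packet belongs to.

```cisco
! ===== System execution space (PIX 7.x, illustrative only) =====
mode multiple
!
interface Ethernet0
 description ISP-facing; shared by both contexts (assumed)
interface Ethernet1
 description normal Inside (assumed)
interface Ethernet2
 description link to the network core / web filter (assumed)
!
admin-context main
context main
  allocate-interface Ethernet0
  allocate-interface Ethernet1
  config-url disk0:/main.cfg
!
context core
  allocate-interface Ethernet0
  allocate-interface Ethernet2
  config-url disk0:/core.cfg

! ===== main.cfg (context "main") =====
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
! Global address 203.0.113.10 is unique to this context; inbound packets
! to it arriving on the shared Ethernet0 are classified to "main".
static (inside,outside) 203.0.113.10 10.1.0.10 netmask 255.255.255.255

! ===== core.cfg (context "core") =====
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.3 255.255.255.248
interface Ethernet2
 nameif core
 security-level 50
 ip address 10.2.0.1 255.255.255.0
! Different global address, so inbound packets to 203.0.113.11 on the
! shared Ethernet0 are classified to "core" instead.
static (core,outside) 203.0.113.11 10.2.0.11 netmask 255.255.255.255
```

Two practical checks before relying on this: the global addresses in the statics must not overlap between contexts (and, as Brian notes, NAT 0 on the shared interface gives the classifier nothing to match on), and, per his first limitation, a PIX in multiple-context mode does not terminate VPN at all, which is exactly the traffic Arthur's scenario needs to steer.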

Presumably, when I present them with the solution for doing it on the PIX, which looks like it will work by enabling security contexts, segregating traffic by destination address (only the VPN-source traffic will have external addresses on it AND come through the external PIX interface), and using up an extra interface to route that traffic inside of their web-filtering thingie, they will decide there is an easier way of doing it.

Reply to
Arthur Brain

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.