RE: Pix don't route [7:46356]

2002-06-13 Thread Kent Hundley

That assumes that he has an address space to announce via BGP, which he
did not mention, so I assumed he did not have one.  Without your own address
space, BGP isn't going to do anything for you.  Yes, if the T1 goes down,
the servers would be unreachable, but without your own address space and/or
running your own DNS and doing some NAT magic with the replies to DNS
queries, you won't be able to give the correct DNS answer. (i.e. return
the T1 IP when the T1 is up, return the DSL address when the T1 is down)

Since all the replies from the servers would go out the T1, if a query for
the server came in the DSL the conversation would break when the server
traffic went out the T1 and got translated to the IP address on that
interface. This assumes using PAT on each router interface.

Obviously, if the OP has his own address space, the scenario changes
considerably and there are more options.

-Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
John Kaberna
Sent: Wednesday, June 12, 2002 3:10 PM
To: [EMAIL PROTECTED]
Subject: Re: Pix don't route [7:46356]


What happens when the T1 provider goes down?  Those IP's will no longer be
reachable and the servers will be down.  Without BGP I don't see how you are
going to get the DSL circuit to take over the IP's that the T1 provider
advertises.  Assuming you have BGP, I would think that policy routing and
using different global addresses would get the job done.  Sounds to me like
the only barrier is getting BGP.


Kent Hundley wrote in message news:[EMAIL PROTECTED]...
 Wayne,

 I would suggest disabling NAT on the PIX and performing your NAT on the
 router.  This eliminates the problem of not knowing what packets originate
 from the servers.  Then, setup Policy-Based Routing (PBR) on the router.
 You didn't post your config, so I assume you have 2 legal addresses, one
 from each ISP and you don't have your own address space.  If you want to
 setup inbound services you'll have to setup static NAT on the router for
the
 services you want to allow.  For outbound the PBR it's pretty simple:

 interface Serial0
  description interface to T1
 !
 interface Ethernet0
  description interface to DSL
 !
 ! inside (PIX-facing) interface; its name was lost from the archived message
 interface INSIDE_INTERFACE
  ip policy route-map test
 !
 ! match packets sourced from the servers; the subnet was lost from the archived message
 access-list 100 permit ip SERVER_SUBNET SERVER_WILDCARD any
 !
 route-map test permit 10
  match ip address 100
  set interface Serial0
 route-map test permit 20

 For outbound traffic packets from the servers will be sent out the T1 as
 long as it is up, all other traffic will be forwarded normally.  You'll
want
 to set your routing so that the DSL line is the preferred path for all
 traffic.  If the T1 goes down, the traffic from the servers will be sent
out
 the DSL.

 Additional problems that I see are if your servers are to be accessible
from
 the Internet, you will need to have static translations setup for your
 services on both the T1 and the DSL.  You can do this, but the issue
becomes
 name resolution and which address is returned to users on the Internet.
 It's probably safer to just setup the translations for the T1 and leave it
 at that. (you could play some games if you ran your own DNS, but things
get
 complicated pretty quickly)

 You don't need the FFS on the router as long as everything is behind the
PIX
 (although it shouldn't hurt) and you don't need the link between the
router
 and the PIX to have a public address space as long as you do the NAT on
 the router.

 Of course, you also will want to harden the Internet facing router if you
 have not already done so.

 One more thing, it's not really accurate to say the PIX doesn't route.
 People say this all the time and what they really mean is that the PIX
 doesn't support routing protocols and some fancy routing techniques like
 PBR.  However, the PIX does perform layer 3 forwarding based on its
routing
 table, this means, by definition, it is routing.  It just doesn't have
the
 same features and functions for layer 3 forwarding that cisco routers
have.
 (this is kind of a nit, but saying the PIX doesn't route tends to confuse
 people)

 HTH,
 Kent

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
 Wayne Jang
 Sent: Wednesday, June 12, 2002 10:10 AM
 To: [EMAIL PROTECTED]
 Subject: Pix don't route [7:46356]


 Hi,

 The Pix don't route, but can I do this?

 I have a 2 server 20 user small office.

 I have a Pix 506 sitting in front of a 2621 with a T1 and a DSL link to
the
 Internet.  I'm not looking to load balance or even do redundancy.  I just
 want traffic from the servers to use the T1 and I want traffic from the
 users to use DSL.  I could use access-lists on the 2621 to direct the
 traffic based on source address, but how will the 2621 know where the
 traffic came from?  Won't all traffic have a source address of the Pix
 outside interface?  What if I Nat the servers(on PIx) so that they will
 appear to have a different source IP than the users who will be behind the
 global outside address?  I'll need more public addresses, but that would

RE: Pix don't route [7:46356]

2002-06-12 Thread Alex Lei

Wayne,

Why not use the router to terminate the links, and put the PIX behind the
router? The PIX will inspect the traffic, and the router can send traffic to
different links depending on where it originated from. Usually a 515 may be
a better solution because it has a DMZ interface where the server can sit
on, but I guess there is a cost concern.

Alex

Wayne Jang wrote:
 
 Hi,
 
 The Pix don't route, but can I do this?
 
 I have a 2 server 20 user small office.
 
 I have a Pix 506 sitting in front of a 2621 with a T1 and a DSL
 link to the
 Internet.  I'm not looking to load balance or even do
 redundancy.  I just
 want traffic from the servers to use the T1 and I want traffic
 from the
 users to use DSL.  I could use access-lists on the 2621 to
 direct the
 traffic based on source address, but how will the 2621 know
 where the
 traffic came from?  Won't all traffic have a source address of
 the Pix
 outside interface?  What if I Nat the servers(on PIx) so that
 they will
 appear to have a different source IP than the users who will be
 behind the
 global outside address?  I'll need more public addresses, but
 that would be
 fine.
 
 I can't get any help from Cisco Pre-Sales because they aren't
 sure.  I can't
 get an engineer that knows more than me (not much).
 
 My fall back plan is to only use the 2621 and have a firewall
 IOS.  But I
 would rather use the Pix, especially because we have already
 quoted the
 above solution and are working to save face.
 
 Thanks
 
 --
 Wayne Jang
 Advanced Computer Technologies, Inc.
 108 Main Street
 Norwalk, CT 06851
 Wk 203-847-9433
 Cell 203-943-6603
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46358&t=46356
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: Pix don't route [7:46356]

2002-06-12 Thread Wayne Jang

I guess I have to plan on using BGP.  But can I get away without using BGP?
I did plan on bringing both DSL and T1 into the 2621, I meant to say that the
pix is behind (on the inside).

Thanks

Alex Lei wrote in message news:[EMAIL PROTECTED]...
 Wayne,

 Why not use the router to terminate the links, and put the PIX behind the
 router? The PIX will inspect the traffic, and the router can send traffic
to
 different links depending on where it originated from. Usually a 515 may
be
 a better solution because it has a DMZ interface where the server can sit
 on, but I guess there is a cost concern.

 Alex

 Wayne Jang wrote:
 
  Hi,
 
  The Pix don't route, but can I do this?
 
  I have a 2 server 20 user small office.
 
  I have a Pix 506 sitting in front of a 2621 with a T1 and a DSL
  link to the
  Internet.  I'm not looking to load balance or even do
  redundancy.  I just
  want traffic from the servers to use the T1 and I want traffic
  from the
  users to use DSL.  I could use access-lists on the 2621 to
  direct the
  traffic based on source address, but how will the 2621 know
  where the
  traffic came from?  Won't all traffic have a source address of
  the Pix
  outside interface?  What if I Nat the servers(on PIx) so that
  they will
  appear to have a different source IP than the users who will be
  behind the
  global outside address?  I'll need more public addresses, but
  that would be
  fine.
 
  I can't get any help from Cisco Pre-Sales because they aren't
  sure.  I can't
  get an engineer that knows more than me (not much).
 
  My fall back plan is to only use the 2621 and have a firewall
  IOS.  But I
  would rather use the Pix, especially because we have already
  quoted the
  above solution and are working to save face.
 
  Thanks
 
  --
  Wayne Jang
  Advanced Computer Technologies, Inc.
  108 Main Street
  Norwalk, CT 06851
  Wk 203-847-9433
  Cell 203-943-6603




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46360&t=46356



Re: Pix don't route [7:46356]

2002-06-12 Thread John Kaberna

You should be able to do exactly what you said as long as you have at least
2 public IP addresses.  Use one for the interface and all regular users and
use the other IP for the two servers.  Create two different nat and global
pairs.


John Kaberna
CCIE #7146  (R/S, Security)
NETCG Inc.
www.netcginc.com
(415) 750-3800

Instructor for CCIE R/S and Security 5-day class www.ccbootcamp.com

Wayne Jang wrote in message news:[EMAIL PROTECTED]...
 Hi,

 The Pix don't route, but can I do this?

 I have a 2 server 20 user small office.

 I have a Pix 506 sitting in front of a 2621 with a T1 and a DSL link to
the
 Internet.  I'm not looking to load balance or even do redundancy.  I just
 want traffic from the servers to use the T1 and I want traffic from the
 users to use DSL.  I could use access-lists on the 2621 to direct the
 traffic based on source address, but how will the 2621 know where the
 traffic came from?  Won't all traffic have a source address of the Pix
 outside interface?  What if I Nat the servers(on PIx) so that they will
 appear to have a different source IP than the users who will be behind the
 global outside address?  I'll need more public addresses, but that would
be
 fine.

 I can't get any help from Cisco Pre-Sales because they aren't sure.  I
can't
 get an engineer that knows more than me (not much).

 My fall back plan is to only use the 2621 and have a firewall IOS.  But I
 would rather use the Pix, especially because we have already quoted the
 above solution and are working to save face.

 Thanks

 --
 Wayne Jang
 Advanced Computer Technologies, Inc.
 108 Main Street
 Norwalk, CT 06851
 Wk 203-847-9433
 Cell 203-943-6603




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46357&t=46356



Re: Pix don't route [7:46356]

2002-06-12 Thread Craig Columbus

You can't do it with the equipment you originally mentioned.  You could, 
however, put in two PIX 506, one on each ethernet interface of the 2621, 
and use policy routing on the 2621 to handle the traffic to the two 
providers.  Not the most elegant solution, but it would work.  I see no 
reason to bring BGP into this.
Do you really need two circuits?  Have you graphed traffic to establish 
utilization metrics to verify whether a single T1 will suffice?

At 02:30 PM 6/12/2002 -0400, you wrote:
I guess I have to plan on using BGP.  But can I get away without using BGP?
I did plan on bringing both DSL and T1 into the 2621, I meant to say that the
pix is behind (on the inside).

Thanks

Alex Lei wrote in message news:[EMAIL PROTECTED]...
  Wayne,
 
  Why not use the router to terminate the links, and put the PIX behind the
  router? The PIX will inspect the traffic, and the router can send traffic
to
  different links depending on where it originated from. Usually a 515 may
be
  a better solution because it has a DMZ interface where the server can sit
  on, but I guess there is a cost concern.
 
  Alex
 
  Wayne Jang wrote:
  
   Hi,
  
   The Pix don't route, but can I do this?
  
   I have a 2 server 20 user small office.
  
   I have a Pix 506 sitting in front of a 2621 with a T1 and a DSL
   link to the
   Internet.  I'm not looking to load balance or even do
   redundancy.  I just
   want traffic from the servers to use the T1 and I want traffic
   from the
   users to use DSL.  I could use access-lists on the 2621 to
   direct the
   traffic based on source address, but how will the 2621 know
   where the
   traffic came from?  Won't all traffic have a source address of
   the Pix
   outside interface?  What if I Nat the servers(on PIx) so that
   they will
   appear to have a different source IP than the users who will be
   behind the
   global outside address?  I'll need more public addresses, but
   that would be
   fine.
  
   I can't get any help from Cisco Pre-Sales because they aren't
   sure.  I can't
   get an engineer that knows more than me (not much).
  
   My fall back plan is to only use the 2621 and have a firewall
   IOS.  But I
   would rather use the Pix, especially because we have already
   quoted the
   above solution and are working to save face.
  
   Thanks
  
   --
   Wayne Jang
   Advanced Computer Technologies, Inc.
   108 Main Street
   Norwalk, CT 06851
   Wk 203-847-9433
   Cell 203-943-6603




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46361&t=46356



RE: Pix don't route [7:46356]

2002-06-12 Thread Marshal Schoener

Well, if you don't want to use BGP, there is a device that performs this
function perfectly.
The only problem is that it costs a pretty penny.
Since you already budgeted the project, it looks like it might be out of the
scope.
But, just to give you a heads up, here is a link to it.

http://www.radware.com/content/products/link.asp




-Original Message-
From: Wayne Jang [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 12, 2002 2:31 PM
To: [EMAIL PROTECTED]
Subject: Re: Pix don't route [7:46356]


I guess I have to plan on using BGP.  But can I get away without using BGP?
I did plan on bringing both DSL and T1 into the 2621, I meant to say that the
pix is behind (on the inside).

Thanks

Alex Lei wrote in message news:[EMAIL PROTECTED]...
 Wayne,

 Why not use the router to terminate the links, and put the PIX behind the
 router? The PIX will inspect the traffic, and the router can send traffic
to
 different links depending on where it originated from. Usually a 515 may
be
 a better solution because it has a DMZ interface where the server can sit
 on, but I guess there is a cost concern.

 Alex

 Wayne Jang wrote:
 
  Hi,
 
  The Pix don't route, but can I do this?
 
  I have a 2 server 20 user small office.
 
  I have a Pix 506 sitting in front of a 2621 with a T1 and a DSL
  link to the
  Internet.  I'm not looking to load balance or even do
  redundancy.  I just
  want traffic from the servers to use the T1 and I want traffic
  from the
  users to use DSL.  I could use access-lists on the 2621 to
  direct the
  traffic based on source address, but how will the 2621 know
  where the
  traffic came from?  Won't all traffic have a source address of
  the Pix
  outside interface?  What if I Nat the servers(on PIx) so that
  they will
  appear to have a different source IP than the users who will be
  behind the
  global outside address?  I'll need more public addresses, but
  that would be
  fine.
 
  I can't get any help from Cisco Pre-Sales because they aren't
  sure.  I can't
  get an engineer that knows more than me (not much).
 
  My fall back plan is to only use the 2621 and have a firewall
  IOS.  But I
  would rather use the Pix, especially because we have already
  quoted the
  above solution and are working to save face.
 
  Thanks
 
  --
  Wayne Jang
  Advanced Computer Technologies, Inc.
  108 Main Street
  Norwalk, CT 06851
  Wk 203-847-9433
  Cell 203-943-6603




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46362&t=46356



RE: Pix don't route [7:46356]

2002-06-12 Thread Greene, Patrick

Wayne,
You have to put the PIX behind the router, as the PIX does not have T1
interfaces...just LAN interface.  UNFORTUNATELY...AND I REALLY HATE TO
SAY THIS...BUT...this sounds like a good application for RADware's
LinkProof.  You would plug your router and DSL into this device and it
will select the best route for traffic...granted you will get
asymmetrical traffic patterns with this...but it will do what you are
looking for...then put the PIX behind the LinkProof box.

FYI...I am not slamming RADware but I try to make Cisco solutions fit
first when applicable and I compete a lot against other RADware
products.

Sincerely,
Patrick J Greene



-Original Message-
From: Wayne Jang [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, June 12, 2002 1:10 PM
To: [EMAIL PROTECTED]
Subject: Pix don't route [7:46356]


Hi,

The Pix don't route, but can I do this?

I have a 2 server 20 user small office.

I have a Pix 506 sitting in front of a 2621 with a T1 and a DSL link to
the Internet.  I'm not looking to load balance or even do redundancy.  I
just want traffic from the servers to use the T1 and I want traffic from
the users to use DSL.  I could use access-lists on the 2621 to direct
the traffic based on source address, but how will the 2621 know where
the traffic came from?  Won't all traffic have a source address of the
Pix outside interface?  What if I Nat the servers(on PIx) so that they
will appear to have a different source IP than the users who will be
behind the global outside address?  I'll need more public addresses, but
that would be fine.

I can't get any help from Cisco Pre-Sales because they aren't sure.  I
can't get an engineer that knows more than me (not much).

My fall back plan is to only use the 2621 and have a firewall IOS.  But
I would rather use the Pix, especially because we have already quoted
the above solution and are working to save face.

Thanks

--
Wayne Jang
Advanced Computer Technologies, Inc.
108 Main Street
Norwalk, CT 06851
Wk 203-847-9433
Cell 203-943-6603




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46364&t=46356



RE: Pix don't route [7:46356]

2002-06-12 Thread Craig Columbus

I deal with this type of thing all the time since almost all of my clients 
are small businesses.  The usual reason the small customer wants two 
connections because they've gone with the least cost ISP in the past and 
have been burned by extended outages (anyone remember Bluestar?).

You only need BGP if each of your providers is advertising the same net 
block.  If the servers are only using the T1, the clients are only using 
the DSL connection, and there is no load balance or failover, then there's 
no point in BGP.  Each ISP is going to route the public IP addresses they 
assigned to you to the 2621.  Policy routing would then dictate traffic 
flow.  For example, you could assign all traffic with origin 172.16.1.0/24 
an ip next hop of ISP A, and all traffic with origin 172.16.2.0/24 an ip 
next hop of ISP B.

At 03:11 PM 6/12/2002 -0400, you wrote:
No on the traffic utilization graphing.  The customer just wants to have two
completely unrelated circuits to the Internet.

I wouldn't need BGP if I was making one of the servers (FTP) available to
the outside world?

-Original Message-
From: Craig Columbus [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 12, 2002 3:11 PM
To: Wayne Jang
Cc: [EMAIL PROTECTED]
Subject: Re: Pix don't route [7:46356]


You can't do it with the equipment you originally mentioned.  You could,
however, put in two PIX 506, one on each ethernet interface of the 2621,
and use policy routing on the 2621 to handle the traffic to the two
providers.  Not the most elegant solution, but it would work.  I see no
reason to bring BGP into this.
Do you really need two circuits?  Have you graphed traffic to establish
utilization metrics to verify whether a single T1 will suffice?

At 02:30 PM 6/12/2002 -0400, you wrote:
 I guess I have to plan on using BGP.  But can I get away without using
BGP?
 I did plan on bringing both DSL and T1 into the 2621, I meant to say that
the
 pix is behind (on the inside).
 
 Thanks
 
 Alex Lei wrote in message news:[EMAIL PROTECTED]...
   Wayne,
  
   Why not use the router to terminate the links, and put the PIX behind
the
   router? The PIX will inspect the traffic, and the router can send
traffic
 to
   different links depending on where it originated from. Usually a 515
may
 be
   a better solution because it has a DMZ interface where the server can
sit
   on, but I guess there is a cost concern.
  
   Alex
  
   Wayne Jang wrote:
   
Hi,
   
The Pix don't route, but can I do this?
   
I have a 2 server 20 user small office.
   
I have a Pix 506 sitting in front of a 2621 with a T1 and a DSL
link to the
Internet.  I'm not looking to load balance or even do
redundancy.  I just
want traffic from the servers to use the T1 and I want traffic
from the
users to use DSL.  I could use access-lists on the 2621 to
direct the
traffic based on source address, but how will the 2621 know
where the
traffic came from?  Won't all traffic have a source address of
the Pix
outside interface?  What if I Nat the servers(on PIx) so that
they will
appear to have a different source IP than the users who will be
behind the
global outside address?  I'll need more public addresses, but
that would be
fine.
   
I can't get any help from Cisco Pre-Sales because they aren't
sure.  I can't
get an engineer that knows more than me (not much).
   
My fall back plan is to only use the 2621 and have a firewall
IOS.  But I
would rather use the Pix, especially because we have already
quoted the
above solution and are working to save face.
   
Thanks
   
--
Wayne Jang
Advanced Computer Technologies, Inc.
108 Main Street
Norwalk, CT 06851
Wk 203-847-9433
Cell 203-943-6603




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46365&t=46356



RE: Pix don't route [7:46356]

2002-06-12 Thread Kent Hundley

Wayne,

I would suggest disabling NAT on the PIX and performing your NAT on the
router.  This eliminates the problem of not knowing what packets originate
from the servers.  Then, setup Policy-Based Routing (PBR) on the router.
You didn't post your config, so I assume you have 2 legal addresses, one
from each ISP and you don't have your own address space.  If you want to
setup inbound services you'll have to setup static NAT on the router for the
services you want to allow.  For outbound the PBR it's pretty simple:

interface Serial0
 description interface to T1
!
interface Ethernet0
 description interface to DSL
!
! inside (PIX-facing) interface; its name was lost from the archived message
interface INSIDE_INTERFACE
 ip policy route-map test
!
! match packets sourced from the servers; the subnet was lost from the archived message
access-list 100 permit ip SERVER_SUBNET SERVER_WILDCARD any
!
route-map test permit 10
 match ip address 100
 set interface Serial0
route-map test permit 20

For outbound traffic packets from the servers will be sent out the T1 as
long as it is up, all other traffic will be forwarded normally.  You'll want
to set your routing so that the DSL line is the preferred path for all
traffic.  If the T1 goes down, the traffic from the servers will be sent out
the DSL.

Additional problems that I see are if your servers are to be accessible from
the Internet, you will need to have static translations setup for your
services on both the T1 and the DSL.  You can do this, but the issue becomes
name resolution and which address is returned to users on the Internet.
It's probably safer to just setup the translations for the T1 and leave it
at that. (you could play some games if you ran your own DNS, but things get
complicated pretty quickly)

You don't need the FFS on the router as long as everything is behind the PIX
(although it shouldn't hurt) and you don't need the link between the router
and the PIX to have a public address space as long as you do the NAT on
the router.

Of course, you also will want to harden the Internet facing router if you
have not already done so.

One more thing, it's not really accurate to say the PIX doesn't route.
People say this all the time and what they really mean is that the PIX
doesn't support routing protocols and some fancy routing techniques like
PBR.  However, the PIX does perform layer 3 forwarding based on its routing
table, this means, by definition, it is routing.  It just doesn't have the
same features and functions for layer 3 forwarding that cisco routers have.
(this is kind of a nit, but saying the PIX doesn't route tends to confuse
people)

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Wayne Jang
Sent: Wednesday, June 12, 2002 10:10 AM
To: [EMAIL PROTECTED]
Subject: Pix don't route [7:46356]


Hi,

The Pix don't route, but can I do this?

I have a 2 server 20 user small office.

I have a Pix 506 sitting in front of a 2621 with a T1 and a DSL link to the
Internet.  I'm not looking to load balance or even do redundancy.  I just
want traffic from the servers to use the T1 and I want traffic from the
users to use DSL.  I could use access-lists on the 2621 to direct the
traffic based on source address, but how will the 2621 know where the
traffic came from?  Won't all traffic have a source address of the Pix
outside interface?  What if I Nat the servers(on PIx) so that they will
appear to have a different source IP than the users who will be behind the
global outside address?  I'll need more public addresses, but that would be
fine.

I can't get any help from Cisco Pre-Sales because they aren't sure.  I can't
get an engineer that knows more than me (not much).

My fall back plan is to only use the 2621 and have a firewall IOS.  But I
would rather use the Pix, especially because we have already quoted the
above solution and are working to save face.

Thanks

--
Wayne Jang
Advanced Computer Technologies, Inc.
108 Main Street
Norwalk, CT 06851
Wk 203-847-9433
Cell 203-943-6603




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46366&t=46356
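
The PBR fallback Kent describes in the post above (server traffic out the T1 while it is up, out the DSL once it fails) and the broken conversation he warns about in his 13 June reply (a request that arrives on the DSL address is answered out the T1 and PAT'd to the T1 address) can both be shown with a small Python model of the 2621's forwarding and translation decisions. This is an added example, not code from the thread or from Cisco; the addresses (RFC 5737 documentation prefixes), the two-server list, the static FTP translation and the Router class are all constructed for the demonstration, following the design discussed here (one public address per ISP, NAT on the router rather than the PIX, per-interface PAT).

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address

# Constructed topology (documentation prefixes, not the thread's real addresses).
# The 2621 holds one public address per ISP and does all the NAT; the PIX sits inside it.
T1, DSL = "t1", "dsl"
PUBLIC = {T1: ip_address("198.51.100.2"), DSL: ip_address("203.0.113.2")}
SERVERS = {ip_address("192.168.1.10"), ip_address("192.168.1.11")}   # the two servers
FTP_SERVER = (ip_address("192.168.1.10"), 21)


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int


@dataclass
class Router:
    t1_up: bool = True
    # dynamic PAT entries: (outside iface, public port) -> (inside addr, inside port)
    pat: dict = field(default_factory=dict)
    # static translations, same key layout; inbound services depend on these
    static: dict = field(default_factory=dict)
    next_port: int = 1024

    def egress_for(self, src: IPv4Address) -> str:
        # Kent's PBR: server-sourced packets go out the T1 while it is up; everything
        # else (and the servers once the T1 fails) follows the default route via DSL.
        return T1 if src in SERVERS and self.t1_up else DSL

    def outbound(self, pkt: Packet):
        """Pick the egress link for an inside-originated packet and PAT it to that
        link's public address. Returns (egress iface, translated packet)."""
        iface = self.egress_for(pkt.src)
        for (s_iface, pub_port), inside in self.static.items():
            if s_iface == iface and inside == (pkt.src, pkt.sport):
                # a static translation on this link fixes the public source port
                return iface, Packet(PUBLIC[iface], pub_port, pkt.dst, pkt.dport)
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.pat[(iface, pub_port)] = (pkt.src, pkt.sport)
        return iface, Packet(PUBLIC[iface], pub_port, pkt.dst, pkt.dport)

    def inbound(self, iface: str, pkt: Packet):
        """Untranslate a packet arriving on an outside link. Returns the inside-facing
        packet, or None when the link is down or nothing claims that public socket."""
        if (iface == T1 and not self.t1_up) or pkt.dst != PUBLIC[iface]:
            return None
        inside = self.static.get((iface, pkt.dport)) or self.pat.get((iface, pkt.dport))
        if inside is None:
            return None
        return Packet(pkt.src, pkt.sport, inside[0], inside[1])


def build_router(t1_up: bool = True, static_on_dsl: bool = False) -> Router:
    """Kent's design: NAT on the router, a static FTP translation on the T1 and,
    optionally, the second translation on the DSL that his later post warns about."""
    r = Router(t1_up=t1_up)
    r.static[(T1, 21)] = FTP_SERVER
    if static_on_dsl:
        r.static[(DSL, 21)] = FTP_SERVER
    return r


def outbound_from(router: Router, src: str, dst: str = "192.0.2.1"):
    """Which link an inside host's outbound packet leaves on, and the public source
    address it carries afterwards."""
    iface, translated = router.outbound(Packet(ip_address(src), 50000, ip_address(dst), 80))
    return iface, str(translated.src)


def inbound_session(router: Router, arrival_iface: str, client: str, port: int = 21) -> dict:
    """An Internet client connects to the server's public address on one ISP link and
    the server replies. The client's TCP stack only matches a reply that comes back
    from the socket it sent to, so 'consistent' is False when the reply left via the
    other link and was PAT'd to that link's address (the break Kent describes)."""
    request = Packet(ip_address(client), 40000, PUBLIC[arrival_iface], port)
    delivered = router.inbound(arrival_iface, request)
    if delivered is None:
        return {"delivered": False, "consistent": False, "reply_iface": None, "reply_src": None}
    reply = Packet(delivered.dst, delivered.dport, delivered.src, delivered.sport)
    reply_iface, translated = router.outbound(reply)
    return {
        "delivered": True,
        "reply_iface": reply_iface,
        "reply_src": str(translated.src),
        "consistent": translated.src == PUBLIC[arrival_iface],
    }


if __name__ == "__main__":
    print(outbound_from(build_router(), "192.168.1.50"))                         # users -> DSL
    print(outbound_from(build_router(), "192.168.1.10"))                         # servers -> T1
    print(outbound_from(build_router(t1_up=False), "192.168.1.10"))              # T1 down -> DSL
    print(inbound_session(build_router(), T1, "192.0.2.7"))                      # via T1: consistent
    print(inbound_session(build_router(static_on_dsl=True), DSL, "192.0.2.7"))   # via DSL: broken
```

In the model, adding the second static translation on the DSL makes a request on the DSL address arrive, but the server's reply is policy-routed out the T1 and leaves with the T1 address, so the client never matches it to its connection; the DSL-side translation only works once the T1 is actually down. That is the reason Kent suggests keeping the inbound translation on the T1 alone unless you also control the DNS answers.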



Re: Pix don't route [7:46356]

2002-06-12 Thread Wayne Jang

Will my router know the origin address of traffic even if my pix sits
between.  Meaning, will the Pix preserve the origin address.  Maybe I can do
one to one nat on pix and than do nat for public address on router?  If one
ISP goes down.  I can reconfigure my router and Pix to use just one link.  I
will also have to tell my ftp users that the ftp servers has a new IP
address, assuming the T1 went down.  But actually I would need more than
just two public address to make FTP server available from outside.

Or should I just do a IOS Firewall and bag the 506??  It's not a heavy
traffic environment.

I also need to have my users and servers on the same subnet,  some
workstations and all servers will have gigabyte nics for fast transfer
between imaging workstations and FTP server.


Craig Columbus wrote in message news:[EMAIL PROTECTED]...
 I deal with this type of thing all the time since almost all of my clients
 are small businesses.  The usual reason the small customer wants two
 connections because they've gone with the least cost ISP in the past and
 have been burned by extended outages (anyone remember Bluestar?).

 You only need BGP if each of your providers is advertising the same net
 block.  If the servers are only using the T1, the clients are only using
 the DSL connection, and there is no load balance or failover, then there's
 no point in BGP.  Each ISP is going to route the public IP addresses they
 assigned to you to the 2621.  Policy routing would then dictate traffic
 flow.  For example, you could assign all traffic with origin 172.16.1.0/24
 an ip next hop of ISP A, and all traffic with origin 172.16.2.0/24 an ip
 next hop of ISP B.

 At 03:11 PM 6/12/2002 -0400, you wrote:
 No on the traffic utilization graphing.  The customer just wants to have
two
 completely unrelated circuits to the Internet.
 
 I wouldn't need BGP if I was making one of the servers (FTP) available to
 the outside world?
 
 -Original Message-
 From: Craig Columbus [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, June 12, 2002 3:11 PM
 To: Wayne Jang
 Cc: [EMAIL PROTECTED]
 Subject: Re: Pix don't route [7:46356]
 
 
 You can't do it with the equipment you originally mentioned.  You could,
 however, put in two PIX 506, one on each ethernet interface of the 2621,
 and use policy routing on the 2621 to handle the traffic to the two
 providers.  Not the most elegant solution, but it would work.  I see no
 reason to bring BGP into this.
 Do you really need two circuits?  Have you graphed traffic to establish
 utilization metrics to verify whether a single T1 will suffice?
 
 At 02:30 PM 6/12/2002 -0400, you wrote:
  I guess I have to plan on using BGP.  But can I get away without using
 BGP?
  I did plan on bringing both DSL and T1 into the 2621, I meant to say
that
 the
  pix is behind (on the inside).
  
  Thanks
  
  Alex Lei wrote in message news:[EMAIL PROTECTED]...
Wayne,
   
Why not use the router to terminate the links, and put the PIX
behind
 the
router? The PIX will inspect the traffic, and the router can send
 traffic
  to
different links depending on where it originated from. Usually a 515
 may
  be
a better solution because it has a DMZ interface where the server
can
 sit
on, but I guess there is a cost concern.
   
Alex
   
Wayne Jang wrote:

 Hi,

 The Pix don't route, but can I do this?

 I have a 2 server 20 user small office.

 I have a Pix 506 sitting in front of a 2621 with a T1 and a DSL
 link to the
 Internet.  I'm not looking to load balance or even do
 redundancy.  I just
 want traffic from the servers to use the T1 and I want traffic
 from the
 users to use DSL.  I could use access-lists on the 2621 to
 direct the
 traffic based on source address, but how will the 2621 know
 where the
 traffic came from?  Won't all traffic have a source address of
 the Pix
 outside interface?  What if I Nat the servers(on PIx) so that
 they will
 appear to have a different source IP than the users who will be
 behind the
 global outside address?  I'll need more public addresses, but
 that would be
 fine.

 I can't get any help from Cisco Pre-Sales because they aren't
 sure.  I can't
 get an engineer that knows more than me (not much).

 My fall back plan is to only use the 2621 and have a firewall
 IOS.  But I
 would rather use the Pix, especially because we have already
 quoted the
 above solution and are working to save face.

 Thanks

 --
 Wayne Jang
 Advanced Computer Technologies, Inc.
 108 Main Street
 Norwalk, CT 06851
 Wk 203-847-9433
 Cell 203-943-6603




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46369&t=46356

Re: Pix don't route [7:46356]

2002-06-12 Thread Craig Columbus

You don't want to get into double NAT if you can at all avoid it. Either
NAT on the router or on the PIX, but don't do both.

You said in your original post that you didn't want to do redundancy, but
in this post you talk about making the server available on either link.
Redundancy is a bit harder to achieve than simply making two links work.
As Kent said earlier, you could have the PIX perform as a firewall, but not
do NAT. The router could then handle NAT and PBR to send traffic down the
appropriate pipe. You could then set up DNS to have ftp.company.com resolve
to ISP A's address (T1) and ftp1.company.com resolve to ISP B's address
(DSL). In the event of failure, you could instruct clients to try
ftp.company.com first and, if it's ever not available, to try
ftp1.company.com.


At 04:41 PM 6/12/2002 -0400, you wrote:
Will my router know the origin address of traffic even if my Pix sits
between? Meaning, will the Pix preserve the origin address? Maybe I can do
one-to-one NAT on the Pix and then do NAT for the public address on the
router? If one ISP goes down, I can reconfigure my router and Pix to use
just one link. I will also have to tell my FTP users that the FTP server
has a new IP address, assuming the T1 went down. But actually I would need
more than just two public addresses to make the FTP server available from
outside.

Or should I just do an IOS Firewall and bag the 506? It's not a heavy
traffic environment.

I also need to have my users and servers on the same subnet; some
workstations and all servers will have gigabit NICs for fast transfer
between imaging workstations and the FTP server.


Craig Columbus wrote in message:
  I deal with this type of thing all the time since almost all of my
  clients are small businesses. The usual reason the small customer wants
  two connections is because they've gone with the least cost ISP in the
  past and have been burned by extended outages (anyone remember Bluestar?).

  You only need BGP if each of your providers is advertising the same net
  block. If the servers are only using the T1, the clients are only using
  the DSL connection, and there is no load balance or failover, then
  there's no point in BGP. Each ISP is going to route the public IP
  addresses they assigned to you to the 2621. Policy routing would then
  dictate traffic flow. For example, you could assign all traffic with
  origin 172.16.1.0/24 an IP next hop of ISP A, and all traffic with origin
  172.16.2.0/24 an IP next hop of ISP B.
 
  At 03:11 PM 6/12/2002 -0400, you wrote:
  No on the traffic utilization graphing. The customer just wants to have
  two completely unrelated circuits to the Internet.

  I wouldn't need BGP if I was making one of their servers (FTP) available
  to the outside world?

  -Original Message-
  From: Craig Columbus [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, June 12, 2002 3:11 PM
  To: Wayne Jang
  Cc: [EMAIL PROTECTED]
  Subject: Re: Pix don't route [7:46356]
  
  
  You can't do it with the equipment you originally mentioned. You could,
  however, put in two PIX 506, one on each Ethernet interface of the 2621,
  and use policy routing on the 2621 to handle the traffic to the two
  providers. Not the most elegant solution, but it would work. I see no
  reason to bring BGP into this.
  Do you really need two circuits? Have you graphed traffic to establish
  utilization metrics to verify whether a single T1 will suffice?
  
  At 02:30 PM 6/12/2002 -0400, you wrote:
   I guess I have to plan on using BGP. But can I get away without using
   BGP? I did plan on bringing both DSL and T1 into the 2621; I meant to
   say that the pix is behind (on the inside).

   Thanks


Re: Pix don't route [7:46356]

2002-06-12 Thread John Kaberna

What happens when the T1 provider goes down? Those IPs will no longer be
reachable and the servers will be down. Without BGP I don't see how you are
going to get the DSL circuit to take over the IPs that the T1 provider
advertises. Assuming you have BGP, I would think that policy routing and
using different global addresses would get the job done. Sounds to me like
the only barrier is getting BGP.


Kent Hundley wrote in message:
 Wayne,

 I would suggest disabling NAT on the PIX and performing your NAT on the
 router. This eliminates the problem of not knowing what packets originate
 from the servers. Then, set up Policy-Based Routing (PBR) on the router.
 You didn't post your config, so I assume you have 2 legal addresses, one
 from each ISP and you don't have your own address space. If you want to
 set up inbound services you'll have to set up static NAT on the router for
 the services you want to allow. For outbound, the PBR is pretty simple:

 int s 0
  ! interface to T1

 int e 0
  ! interface to DSL

 int <inside interface>
  ! PBR is applied on the interface the LAN traffic arrives on
  ip policy route-map test

 ! <server subnet> <wildcard>: placeholder for the servers' source range
 access-list 100 permit ip <server subnet> <wildcard> any

 route-map test permit 10
   match ip address 100
   ! server packets go out the T1 while s 0 is up
   set int s 0
 ! empty clause: everything else is routed normally
 route-map test permit 20

 For outbound traffic, packets from the servers will be sent out the T1 as
 long as it is up; all other traffic will be forwarded normally. You'll want
 to set your routing so that the DSL line is the preferred path for all
 traffic. If the T1 goes down, the traffic from the servers will be sent out
 the DSL.

 Additional problems that I see are if your servers are to be accessible from
 the Internet, you will need to have static translations set up for your
 services on both the T1 and the DSL. You can do this, but the issue becomes
 name resolution and which address is returned to users on the Internet.
 It's probably safer to just set up the translations for the T1 and leave it
 at that. (You could play some games if you ran your own DNS, but things get
 complicated pretty quickly.)

 You don't need the FFS on the router as long as everything is behind the PIX
 (although it shouldn't hurt) and you don't need the link between the router
 and the PIX to have public address space as long as you do the NAT on the
 router.

 Of course, you also will want to harden the Internet facing router if you
 have not already done so.

 One more thing, it's not really accurate to say the PIX doesn't route.
 People say this all the time and what they really mean is that the PIX
 doesn't support routing protocols and some fancy routing techniques like
 PBR. However, the PIX does perform layer 3 forwarding based on its routing
 table; this means, by definition, it is routing. It just doesn't have the
 same features and functions for layer 3 forwarding that Cisco routers have.
 (This is kind of a nit, but saying the PIX doesn't route tends to confuse
 people.)

 HTH,
 Kent

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
 Wayne Jang
 Sent: Wednesday, June 12, 2002 10:10 AM
 To: [EMAIL PROTECTED]
 Subject: Pix don't route [7:46356]





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=46379t=46356
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
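A fuller worked version of the router-side design Kent sketches in the message above (PBR for the servers, NAT on the router, a static translation on the T1 only), added here as an example; it is not Kent's configuration or anyone else's from the thread. The interface names, RFC 5737 documentation addresses, ACL numbers and route-map names are all assumptions; the PIX is taken to pass inside addresses through unchanged, as Kent proposes.

```ios
! Added example, not from the thread. Assumed layout (RFC 5737 documentation ranges):
!   LAN behind the PIX   10.0.0.0/24 (servers 10.0.0.10 and 10.0.0.11); the PIX does no NAT
!   Fa0/0  router <-> PIX outside    192.0.2.1/24, PIX outside address 192.0.2.2
!   Se0/0  T1 to ISP A               203.0.113.2/30
!   Fa0/1  DSL to ISP B              198.51.100.2/29, ISP B next hop 198.51.100.1
interface FastEthernet0/0
 description Inside link to the PIX
 ip address 192.0.2.1 255.255.255.0
 ip nat inside
 ip policy route-map SERVERS-VIA-T1
!
interface Serial0/0
 description T1 to ISP A
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 description DSL to ISP B
 ip address 198.51.100.2 255.255.255.248
 ip nat outside
!
! The LAN sits behind the PIX; normal routing prefers the DSL for everything.
ip route 10.0.0.0 255.255.255.0 192.0.2.2
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! PBR on the inside interface: only the two servers match clause 10; clause 20 is
! empty, so all other traffic is routed normally (via the DSL default route).
! set interface is fine on a point-to-point serial; if Se0/0 is down the clause
! does not apply and server traffic falls back to the DSL, as Kent describes.
access-list 100 permit ip host 10.0.0.10 any
access-list 100 permit ip host 10.0.0.11 any
route-map SERVERS-VIA-T1 permit 10
 match ip address 100
 set interface Serial0/0
route-map SERVERS-VIA-T1 permit 20
!
! NAT picks the global address from the exit interface rather than the source,
! so packets that fell back to the DSL are still translated to a valid address.
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
route-map NAT-T1 permit 10
 match ip address 101
 match interface Serial0/0
route-map NAT-DSL permit 10
 match ip address 101
 match interface FastEthernet0/1
ip nat inside source route-map NAT-T1 interface Serial0/0 overload
ip nat inside source route-map NAT-DSL interface FastEthernet0/1 overload
!
! Inbound FTP is published on the T1 address only; the server's replies are
! policy-routed to the T1, so they leave with the same address clients connected to.
ip nat inside source static tcp 10.0.0.10 21 203.0.113.2 21 extendable
```

Because the static translation and the PBR clause both point at the T1, inbound FTP sessions keep a symmetric path; publishing the server on the DSL address as well would reintroduce the broken-reply problem Kent describes.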



Re: Pix don't route [7:46356]

2002-06-12 Thread Wayne Jang

I failed to make clear that the customer understands that he won't have
automatic failover. I also understand that the advertised route will be no
good through the DSL provider. However, he will still be able to transfer
files if the T1 goes down. Maybe from a workstation, or maybe we do some
config changes and tell users to ftp to another IP address (by then the T1
ISP will be back up, dah). The ftp and ftp1 DNS entries are a good idea.

I am learning something though. This doesn't seem worth all the trouble.
Unfortunately the customer is set on it and we've confirmed that it is
possible. Dangerous client: he knows just enough to make our life hard, but
not enough to understand how unorthodox this is. If anything, this is a
good drill for me, and all these posts are not only enlightening, but
interesting. Beats the book I'm reading.


John Kaberna wrote in message:
 What happens when the T1 provider goes down? Those IPs will no longer be
 reachable and the servers will be down. Without BGP I don't see how you
 are going to get the DSL circuit to take over the IPs that the T1 provider
 advertises. Assuming you have BGP, I would think that policy routing and
 using different global addresses would get the job done. Sounds to me
 like the only barrier is getting BGP.



Re: Pix don't route [7:46356]

2002-06-12 Thread Wayne Jang

The RADware appliance looks cool, but this guy is done spending money.

Greene, Patrick wrote in message:
 Wayne,
 You have to put the PIX behind the router, as the PIX does not have T1
 interfaces...just LAN interfaces. UNFORTUNATELY...AND I REALLY HATE TO
 SAY THIS...BUT...this sounds like a good application for RADware's
 LinkProof. You would plug your router and DSL into this device and it
 will select the best route for traffic...granted you will get
 asymmetrical traffic patterns with this...but it will do what you are
 looking for...then put the PIX behind the LinkProof box.

 FYI...I am not slamming RADware but I try to make Cisco solutions fit
 first when applicable and I compete a lot against other RADware
 products.

 Sincerely,
 Patrick J Greene



 -Original Message-
 From: Wayne Jang [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, June 12, 2002 1:10 PM
 To: [EMAIL PROTECTED]
 Subject: Pix don't route [7:46356]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=46386t=46356