[c-nsp] PIX and C5RSM

Sean Granger sgranger at randfinancial.com
Sat Mar 26 20:46:07 EST 2005


Scenario =

PIX with 3 interfaces: Inside, Outside and DMZ.

2 VLAN-Ints on C5RSM:
VLAN10 - Inside gateway, redirection for the segment.
VLAN11 - Connects to PIX Inside interface.

Everything is working as should be expected.
In order for Inside hosts to reach the Outside or DMZ, they are forced through the PIX.
And vice versa. Standard issue stuff.

There is another standalone router [a seriously underutilized 7204VXR(!!)] in the DMZ segment ...
Used for? You guessed it, redirection (have to love the PIX).
This is an utter waste of (nice) routing equipment and I'd like to change it.

Problem:

The simplest explanation of how I'd like to redesign it would be as follows:

2 MORE VLAN-Ints on C5RSM:
VLAN 20 - DMZ gateway, redirection for the segment.
VLAN 21 - Connects to PIX DMZ Interface.

However, if I bring the segment facing the protected hosts into the C5RSM, it will always prefer the directly connected route and switch across the VLANs.

Traffic between the VLANs 10 and 20 will never be firewalled and the PIX will only be used to/from the Outside. Bad, bad, bad.

Thus, I'm looking for some novel ideas on how to FORCE the traffic through the PIX.
I can't think of any way to effectively change the connected route's cost.
This doesn't seem like an overly complicated setup (I doubt people are wasting routers for PIX installs and/or using host route entries) and I feel like I'm just missing something in the visualization process.

Any advice greatly appreciated.

Regards,
Sean
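The route-selection behaviour described above, as an added example (not code from the post or from Cisco): a small model of an IOS-style RIB that shows why a directly connected VLAN wins over any static route toward the PIX, plus a check that flags destinations whose egress is not a firewall hop. All addresses and the PIX inside address are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# IOS administrative distances: a connected route always outranks a static one,
# so no static route can pull traffic away from a directly attached segment.
AD_CONNECTED, AD_STATIC = 0, 1
PIX_INSIDE = "10.1.11.2"  # constructed: PIX Inside interface on the VLAN 11 transit

def add_connected(rib, iface, prefix):
    rib.append((ip_network(prefix), AD_CONNECTED, iface))

def add_static(rib, prefix, next_hop):
    rib.append((ip_network(prefix), AD_STATIC, next_hop))

def best_route(rib, dst):
    """Longest prefix match first; lowest administrative distance breaks ties."""
    dst = ip_address(dst)
    candidates = [r for r in rib if dst in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[1]))

def egress(rib, dst):
    """Interface or next hop the RSM would use for dst."""
    return best_route(rib, dst)[2]

def current_design():
    # VLAN 10 = Inside gateway, VLAN 11 = transit to PIX Inside, DMZ only via the PIX.
    rib = []
    add_connected(rib, "Vlan10", "10.1.10.0/24")
    add_connected(rib, "Vlan11", "10.1.11.0/30")
    add_static(rib, "0.0.0.0/0", PIX_INSIDE)
    return rib

def proposed_design():
    # Adds VLAN 20 (DMZ gateway) and VLAN 21 (transit to PIX DMZ) on the same RSM.
    rib = current_design()
    add_connected(rib, "Vlan20", "10.1.20.0/24")
    add_connected(rib, "Vlan21", "10.1.21.0/30")
    add_static(rib, "10.1.20.0/24", PIX_INSIDE)  # explicit static via PIX still loses
    return rib

def bypasses_firewall(rib, dst, firewall_hops):
    """True when the chosen egress is not one of the firewall next hops."""
    return egress(rib, dst) not in firewall_hops
```

Run `bypasses_firewall(proposed_design(), "10.1.20.5", {PIX_INSIDE})` to see the Inside-to-DMZ path land on Vlan20 instead of the PIX.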