[c-nsp] PIX and C5RSM

drobinson drobinson at netfabric.net
Sun Mar 27 06:28:22 EST 2005


Guys -

Quick one... do you know of any good PIX mailing lists?

Thanks,

Dave

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Sean Granger
Sent: 27 March 2005 02:46
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] PIX and C5RSM

Scenario =

PIX with 3 interfaces: Inside, Outside and DMZ.

2 VLAN-Ints on C5RSM:
VLAN10 - Inside gateway, redirection for the segment.
VLAN11 - Connects to PIX Inside interface.

Everything is working as should be expected.
In order for Inside hosts to reach the Outside or DMZ, they are forced
through the PIX.
And vice versa. Standard issue stuff.

There is another standalone router [a seriously underutilized 7204VXR(!!)]
in the DMZ segment ...
Used for? You guessed it, redirection (have to love the PIX).
This is an utter waste of (nice) routing equipment and I'd like to change
it.

Problem:

The simplest explanation of how I'd like to redesign it would be as follows:

2 MORE VLAN-Ints on C5RSM:
VLAN 20 - DMZ gateway, redirection for the segment.
VLAN 21 - Connects to PIX DMZ Interface.

However, if I bring the segment facing the protected hosts into the C5RSM,
it will always prefer the directly connected route and switch across the
VLANs.

Traffic between the VLANs 10 and 20 will never be firewalled and the PIX
will only be used to/from the Outside. Bad, bad, bad.

Thus, I'm looking for some novel ideas on how to FORCE the traffic through
the PIX.
I can't think of any way to effectively change the connected route's cost.
This doesn't seem like an overly complicated setup (I doubt people are
wasting routers for PIX installs and/or using host route entries) and I feel
like I'm just missing something in the visualization process.

Any advice greatly appreciated.

Regards,
Sean


_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/