Policy-based routing and Firewalls

Jan 24th, 2008
Can anybody tell me how I can get PBR to work when I have a PIX firewall along the data path to my defined next-hop router?

I have 2 firewalls with external-facing interfaces on the Internet. I want to route packets from a host located on the DMZ of PIX-1 to hosts on the Internet via PIX-2.

However, the moment the packets from the host hit the DMZ interface on PIX-1, they get re-routed to the Internet via its outside interface, which is not the path I want it to use.

Before hitting the DMZ interface of PIX-1, it hits an L3 switch that has the PBR configs that define PIX-2 as the next hop.

I know PBR can't be configured on PIX firewalls, but how can I get it to work when I have a PIX in the data path?

I also have OSPF running internally on the network, and the default route to the Internet is via PIX-1.

See the attached diagram for the logical layout and data flow.

Jon Marshall Thu, 01/24/2008 - 03:20

Hi Mark

As you rightly point out, the PIX cannot do PBR. So it makes no difference what you put on the L3 switch, as the traffic will always end up at PIX-1 because that is its default gateway.

The most obvious solution is just to change the default gateway on your host to be PIX-2 - would this cause other problems?


marksenteza Thu, 01/24/2008 - 03:25
It would sort a lot more problems than it would solve, Jon.

I am thinking of having the box changed to an internal IP, instead of an IP on the "DMZ". That way its default gateway would be different, and I could force it to bypass PIX-1 and have PBR route its packets via PIX-2.

PIX-2 would also enforce its access policies for the host's traffic, public outbound etc.

Thanks Jon
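As an added illustration (not part of the thread, and not a config from either poster), this is what the PBR on the L3 switch looks like once the host sits on an internal segment whose default gateway is the switch, as Mark proposes. All addresses, VLAN numbers and interface names are constructed placeholders.

```cisco
! Added example, not from the original thread. Assumes the host has been moved
! to an internal subnet (VLAN 20) and uses the switch SVI as its default gateway,
! so its packets actually enter the switch where the policy is applied.
! 10.1.20.50 = host, 10.1.2.1 = PIX-2 inside interface (constructed values).
!
! Match only this host's Internet-bound traffic. The deny line keeps traffic
! to internal 10.0.0.0/8 destinations on the normal OSPF path instead of
! hairpinning it through PIX-2.
ip access-list extended PBR-HOST-VIA-PIX2
 deny   ip host 10.1.20.50 10.0.0.0 0.255.255.255
 permit ip host 10.1.20.50 any
!
! Packets matching the ACL are handed to PIX-2; everything else falls through
! to the routing table, whose default route still points at PIX-1.
route-map VIA-PIX2 permit 10
 match ip address PBR-HOST-VIA-PIX2
 set ip next-hop 10.1.2.1
!
! PBR only acts on packets arriving on the interface it is applied to,
! so it goes on the host's ingress SVI, not on an uplink.
interface Vlan20
 description Internal host segment; hosts default-gateway to this SVI
 ip address 10.1.20.1 255.255.255.0
 ip policy route-map VIA-PIX2
!
! Verification (exec mode):
!   show ip policy            - confirms the route-map is bound to Vlan20
!   show route-map VIA-PIX2   - match counters increment for the host's traffic
```

PIX-2 must still permit and translate the host's source address for the outbound flow, and since the return traffic also comes back through PIX-2, its state table sees both directions.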

