Policy-based routing and Firewalls

zeu7
Level 1

Hello,

Can anybody tell me how I can get PBR to work when I have a PIX Firewall along the data path to my defined next-hop router?

I have 2 Firewalls with external facing interfaces on the Internet. I want to route packets from a host located on the dmz of PIX-1 to hosts on the internet via PIX-2.

However, the moment the packets from the host hit the DMZ interface on PIX-1, they get re-routed to the Internet via its outside interface, which is not the path I want it to use.

Before hitting the DMZ interface of PIX-1 it hits a L3 switch that has the PBR configs that define PIX-2 as its next hop.

I know PBR can't be configured with PIX firewalls, but how can I get it to work when I have a PIX in its data path?

I also have OSPF running internally on the network, and the default route to the internet is via PIX-1.

See attached diagram for logical layout and data flow.

2 Replies

Jon Marshall
Hall of Fame

Hi Mark

As you rightly point out, the PIX cannot do PBR. So it makes no difference what you put on the L3 switch, as the traffic will always end up at PIX-1 because that is its default gateway.

The most obvious solution is just to change the default gateway on your host to be PIX-2 - would this cause other problems?

Jon

It would sort a lot more problems than it would solve, Jon.

I am thinking of having the box changed to an internal IP, instead of an IP on the "DMZ". That way its default gateway would be different, and I could force it to bypass PIX-1 and have PBR route its packets via PIX-2.

PIX-2 would also enforce its access policies for the host's traffic, public-outbound etc.

Thanks Jon
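As an added illustration of the plan above (example configuration, not anything posted in the thread): the host is moved onto an internal VLAN whose gateway is the L3 switch, and a route-map on that VLAN interface sends only its Internet-bound traffic to PIX-2's inside interface while internal destinations still follow OSPF. All addresses, VLAN numbers and names are placeholders.

```cisco
! Added example, not from the thread. Addresses and VLANs are placeholders.
! The host (10.10.20.50) now sits on internal VLAN 20 with the switch SVI as
! its default gateway, so the L3 switch, not PIX-1, makes the first routing
! decision and PBR can take effect.
interface Vlan20
 description Internal segment for the host that must egress via PIX-2
 ip address 10.10.20.1 255.255.255.0
 ! PBR is applied to the interface where the host's packets ENTER the switch
 ip policy route-map VIA-PIX2

! Transit segment between the switch and PIX-2's inside interface
interface Vlan99
 description Transit to PIX-2 inside (10.10.99.2)
 ip address 10.10.99.1 255.255.255.0

! Match only the host's traffic to non-internal destinations; internal
! prefixes (learned via OSPF) are excluded so PBR does not hijack them.
ip access-list extended HOST-TO-INTERNET
 deny   ip host 10.10.20.50 10.0.0.0 0.255.255.255
 permit ip host 10.10.20.50 any

! Sequence 10 redirects matched traffic; anything not matched falls through
! to normal routing (the OSPF default route via PIX-1).
route-map VIA-PIX2 permit 10
 match ip address HOST-TO-INTERNET
 set ip next-hop verify-availability 10.10.99.2 1 track 1

! Track PIX-2's inside interface so that, if it is unreachable, the host
! falls back to the normal default route instead of being blackholed.
! (verify-availability/track support is platform dependent; on switches
! that lack it, use a plain "set ip next-hop 10.10.99.2".)
ip sla 1
 icmp-echo 10.10.99.2 source-interface Vlan99
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
```

For the return path to stay symmetric, PIX-2 also needs a route to 10.10.20.0/24 pointing at the switch (10.10.99.1) and an outbound access policy and NAT for the host, which is where the firewall enforcement mentioned above happens.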
