PIX With OSPF and Policy Routing

Aug 22nd, 2006

Hi,

I have the following topology: a PIX 515E with two ISP connections (two outside interfaces). This PIX will run OSPF and generate a default route.

When I configured OSPF, all connections coming from Outside2 couldn't reach the DMZ, but all Outside1 and Inside traffic worked fine.

The configuration is something like this:


route-map outside2 permit 10
  set ip next-hop 200.200.60.49
  match interface outside2

routing interface inside
  ospf priority 0
  ospf message-digest-key 1 md5 Bvotorantim
  ospf authentication message-digest

router ospf 1
  network 10.47.0.0 255.255.0.0 area 10        (Inside Interface)
  network 192.168.201.0 255.255.255.0 area 10  (DMZ)
  log-adj-changes
  default-information originate always metric-type 1

route outside 0.0.0.0 0.0.0.0 200.200.55.89 1
route outside2 0.0.0.0 0.0.0.0 200.200.60.49 2
route outside2 200.125.125.51 255.255.255.255 200.200.60.49 1
route outside2 200.125.125.200 255.255.255.255 200.200.60.49 1
route outside2 200.125.125.201 255.255.255.255 200.200.60.49 1
route outside2 200.125.125.202 255.255.255.255 200.200.60.49 1
route outside2 200.125.125.203 255.255.255.255 200.200.60.49 1
route outside2 200.125.125.204 255.255.255.255 200.200.60.49 1
route outside2 200.125.125.207 255.255.255.255 200.200.60.49 1


grant.maynard Tue, 08/22/2006 - 13:45

I don't think there's enough of the config there for us to see why it doesn't work.

You don't seem to have any OSPF on outside1 or outside2.

What is your NAT like?

Your route-map looks very suspect if that's all there is. I'd expect it to be like this:

route-map outside2 permit 10
  match ip address [acl_name]
  set ip next-hop 200.200.60.49

grant.maynard Wed, 08/23/2006 - 08:21

It's still not that easy to see what you're trying to do. I don't think it's anything to do with OSPF, because you're not using that on either outside interface. This is just about policy and static routing. I think you want to use the two outsides as two ISP links, but that is not going to work.

For example, look at these two NATs:

static (dmz201,outside2) 200.125.125.194 192.168.201.85 netmask 255.255.255.255 0 0
static (dmz201,outside) 200.125.125.177 192.168.201.85 netmask 255.255.255.255 0 0

This means a DMZ server is translated to one address on outside1, and another on outside2.

But when a packet from the dmz server hits the PIX, the PIX must decide which interface to send it to, based on the destination in the packet. The NAT happens later, as it leaves the PIX. So your policy routing must be based on what subnets should be routed via which interface. And that's just static routing, no policy routing required, although maybe you could do it by tcp/udp port.

So, can you just add static routes out the two interfaces?
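As an added illustration that is not part of this thread (and not PIX code), the following Python model walks through the forwarding order the reply above describes: the egress interface is chosen by a destination route lookup first, and only then is the static for that (real interface, egress interface) pair applied. The routes and the two statics are the ones quoted in the thread; the Internet client address 198.51.100.10 is a constructed RFC 5737 test address, and the model deliberately ignores the posted route-map, matching the reply's point that this comes down to static routing. It shows why a reply to a client that arrived through outside2 leaves through outside with the wrong mapped address, and how a specific static route out outside2 fixes that one case.

```python
"""Model of the PIX forwarding order discussed in this thread:
destination route lookup first, NAT on the chosen egress interface second.

Added illustration, not PIX code. Routes and statics are copied from the
thread; 198.51.100.10 is a constructed RFC 5737 client address.
"""
import ipaddress

# (interface, prefix, next hop, metric), from "route <if> <net> <mask> <gw> <metric>"
ROUTES = [
    ("outside",  "0.0.0.0/0",          "200.200.55.89", 1),
    ("outside2", "0.0.0.0/0",          "200.200.60.49", 2),
    ("outside2", "200.125.125.51/32",  "200.200.60.49", 1),
    ("outside2", "200.125.125.200/32", "200.200.60.49", 1),
    ("outside2", "200.125.125.201/32", "200.200.60.49", 1),
    ("outside2", "200.125.125.202/32", "200.200.60.49", 1),
    ("outside2", "200.125.125.203/32", "200.200.60.49", 1),
    ("outside2", "200.125.125.204/32", "200.200.60.49", 1),
    ("outside2", "200.125.125.207/32", "200.200.60.49", 1),
]

# static (real_if, mapped_if) mapped real: keyed by the interface pair, so the
# translation applied depends on which interface the packet leaves through.
STATICS = {
    ("dmz201", "outside"):  {"192.168.201.85": "200.125.125.177"},
    ("dmz201", "outside2"): {"192.168.201.85": "200.125.125.194"},
}

CLIENT = "198.51.100.10"   # constructed Internet host (assumption)
SERVER = "192.168.201.85"  # the DMZ server from the two statics


def lookup_route(dst, routes=ROUTES):
    """Longest-prefix match on the destination; ties go to the lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in ipaddress.ip_network(r[1])]
    if not matches:
        return None
    return max(matches, key=lambda r: (ipaddress.ip_network(r[1]).prefixlen, -r[3]))


def forward(real_if, src, dst, routes=ROUTES, statics=STATICS):
    """Return (egress_if, next_hop, translated_src) for a packet entering on real_if.

    Step 1 picks the egress interface from the destination alone; step 2 applies
    whichever static exists for the (real_if, egress_if) pair. The route-map in
    the original post plays no part here.
    """
    route = lookup_route(dst, routes)
    if route is None:
        return None
    egress_if, _, next_hop, _ = route
    mapped_src = statics.get((real_if, egress_if), {}).get(src, src)
    return egress_if, next_hop, mapped_src


def reply_reaches_client(client, connected_to, routes=ROUTES):
    """A client that connected to mapped address `connected_to` only accepts a
    reply sourced from that same address; anything else is a different flow."""
    result = forward("dmz201", SERVER, client, routes)
    return result is not None and result[2] == connected_to


if __name__ == "__main__":
    # The client came in via outside2 (to 200.125.125.194). The reply is routed
    # by destination, and the metric-1 default sends it out "outside" as .177.
    print("reply to client:", forward("dmz201", SERVER, CLIENT))
    print("reply reaches client:", reply_reaches_client(CLIENT, "200.125.125.194"))

    # A destination with a specific route via outside2 gets the outside2 static.
    print("reply to 200.125.125.51:", forward("dmz201", SERVER, "200.125.125.51"))

    # The fix the reply suggests: a static route for the client's network out outside2.
    fixed = ROUTES + [("outside2", "198.51.100.0/24", "200.200.60.49", 1)]
    print("after adding route:", forward("dmz201", SERVER, CLIENT, fixed))
    print("reply reaches client:", reply_reaches_client(CLIENT, "200.125.125.194", fixed))
```

The model only covers what the reply states: because egress is decided before the static is picked, the metric-1 default route pulls every reply toward outside unless a more specific route points the destination at outside2, which is why only the hosts with the /32 routes work through the second link.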
