PIX With OSPF and Policy Routing

Aug 22nd, 2006

I have the following topology: a PIX 515E with two ISP connections (two outside interfaces). This PIX will run OSPF and generate a default route.

When I configured OSPF, all connections coming from Outside2 couldn't reach the DMZ, but all Outside1 and Inside traffic worked fine.

The configuration is something like this:

route-map outside2 permit 10
set ip next-hop
match interface outside2

routing interface inside
ospf priority 0
ospf message-digest-key 1 md5 Bvotorantim
ospf authentication message-digest

router ospf 1
network area 10 (Inside Interface)
network area 10 (DMZ)
default-information originate always metric-type 1

route outside 1
route outside2 2
route outside2 1
route outside2 1
route outside2 1
route outside2 1
route outside2 1
route outside2 1
route outside2 1

grant.maynard Tue, 08/22/2006 - 13:45

I don't think there's enough of the config there for us to see why it doesn't work.

You don't seem to have any OSPF on outside1 or outside2.

What is your NAT like?

Your route-map looks very suspect if that's all there is. I'd expect it to be like this:

route-map outside2 permit 10
match ip address [acl_name]
set ip next-hop

grant.maynard Wed, 08/23/2006 - 08:21

It's still not that easy to see what you're trying to do. I don't think it's anything to do with OSPF, because you're not using that on either outside interface. This is just about policy and static routing. I think you want to use the two outsides as two ISP links, but that is not going to work.

For example, look at these two NATs:

static (dmz201,outside2) netmask 0 0
static (dmz201,outside) netmask 0 0

This means a dmz server is translated to one address on outside1, and another on outside2.

But when a packet from the DMZ server hits the PIX, the PIX must decide which interface to send it to, based on the destination in the packet. The NAT happens later, as the packet leaves the PIX. So your policy routing must be based on which subnets should be routed via which interface, and that's just static routing; no policy routing is required, although maybe you could do it by TCP/UDP port.

So, can you just add static routes out the two interfaces?
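To make the ordering in the reply concrete (egress interface chosen from the destination first, the interface-pair static NAT applied afterwards), here is a small Python model added as an example; it is not PIX code and not from the thread. The dmz201/outside/outside2 interface names come from the quoted statics; every address, route and translation below is constructed.

```python
import ipaddress

# Constructed model (not PIX code) of the order of operations in the reply:
# the egress interface is picked from the destination address first, and the
# static NAT for the (ingress, egress) interface pair is applied afterwards.

# Static routes as (prefix, interface, metric). The addresses are placeholders;
# the thread's own route lines lost their addresses in extraction.
STATIC_ROUTES = [
    ("0.0.0.0/0", "outside", 1),         # default route towards ISP1
    ("203.0.113.0/24", "outside2", 1),   # constructed: one subnet reachable via ISP2
]

# Mirrors the two "static (dmz201,outside*)" lines quoted in the reply, with
# constructed addresses: the same DMZ host has one translation per outside.
STATIC_NAT = {
    ("dmz201", "outside"):  {"10.201.0.10": "198.51.100.10"},
    ("dmz201", "outside2"): {"10.201.0.10": "192.0.2.10"},
}


def egress_interface(dst, routes=STATIC_ROUTES):
    """Longest-prefix match over the static routes; lower metric breaks ties."""
    dst_ip = ipaddress.ip_address(dst)
    best = None  # (network, interface, metric)
    for prefix, iface, metric in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip not in net:
            continue
        if best is None or (net.prefixlen, -metric) > (best[0].prefixlen, -best[2]):
            best = (net, iface, metric)
    return best[1]


def forward(src, dst, ingress, routes=STATIC_ROUTES, nat=STATIC_NAT):
    """Route on the destination, then translate the source on the chosen egress.

    Returns (egress_interface, translated_source). Note that the ingress
    interface plays no part in the routing step, only in the NAT lookup."""
    egress = egress_interface(dst, routes)
    translated = nat.get((ingress, egress), {}).get(src, src)
    return egress, translated


if __name__ == "__main__":
    # Reply from the DMZ server to a host with no static route: it follows the
    # default route out "outside" and gets the outside translation, regardless
    # of which outside the request arrived on.
    print(forward("10.201.0.10", "198.18.0.5", "dmz201"))
    # Reply to a host covered by a static route via outside2.
    print(forward("10.201.0.10", "203.0.113.7", "dmz201"))
```

The first call is the case the reply describes: without a static route covering the remote host, the outside2 translation is never reached, which is why the suggestion is to add static routes out the two interfaces rather than a route-map.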
