PIX Routing Question

tonyp · ‎09-16-2003

I think this is a rather easy question but looking for confirmation.

I have a 515 PIX with a DMZ interface, a LAN interface, an Outside interface out to ISP #1, a second Outside interface out to ISP #2. I want all users to use ISP #2 and all servers to use ISP #1. If I setup all of the users to be given a dynamic NAT address on ISP 2 and make all of the servers a 1-1 NAT from ISP 1, can I then set each outside interface with it's own default route and just use standard IP routing to go out the correct interface? I am thinking yes but was looking for some thoughts.

gfullage · ‎09-16-2003

Actually this probably won't work. When a packet comes in from an inside host, the PIX checks the destination address and then looks in its routing table to see what interface it should go out. Once that is determined it checks for statics associated with the incoming and outgoing interfaces, or a nat/global pair for the same.

If you have two default routes (which is not supported), the PIX isn't going to know which one to use, and therefore may not use the static or nat/global you think it will.

mklaphek · ‎09-17-2003

You need a real router for that. You could put a router to connect to the ISP's and use policy routing (route maps) to do what you need.