Route on PIX 7.0 based on source address

I have 2 hosts inside my network that each need to communicate with a remote network. There are two ways to get to the remote network, and each host needs to take a unique path.

I.e., inside the DMZ there is RouterA, which leads to 192.168.168.1, and RouterB, which also leads to 192.168.168.1. Inside my PIX there are Host1 and Host2. Host1 needs to go through RouterA and Host2 needs to go through RouterB.

Like this:

host1---\         /---routerA
inside---PIX---DMZ
host2---/         \---routerB

I need to be able to tell the PIX:

192.168.168.1/32 => RouterA

ACL 1: host2 IP
Route-Map:
  match acl 1
  set next-hop = RouterB

or some other way to tell the PIX: if source-ip = Host2, then the route to 192.168.168.1 = RouterB.

Anyone have any ideas?

2 REPLIES
Re: Route on PIX 7.0 based on source address

Didn't see a reply to this for a few days, so thought I would take a stab at it. The PIX does not support source-based routing, but your next-hop router probably does. I assume that RouterA and RouterB are on the same LAN segment. If RouterA is your default next hop on the DMZ, policy-based routing could be configured on RouterA to direct all traffic from Host2 destined for 192.168.168.1 to RouterB. I haven't tried this, so would recommend a lab build first. The Cisco doc for configuring policy-based routing can be found at:

http://www.cisco.com/en/US/customer/products/ps6350/products_configuration_guide_chapter09186a00800c75d2.html
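What the reply above describes, as an added IOS configuration example for RouterA (this is not from the thread or from Cisco's documentation, and it assumes RouterA and RouterB are on one DMZ segment). The interface name and all addresses are assumptions: RouterA's DMZ interface is GigabitEthernet0/0 at 10.10.10.2, RouterB sits at 10.10.10.3 on the same segment, and Host2 is 192.168.10.20. On the PIX side this needs nothing more than the single static route to RouterA that the question already proposes (192.168.168.1/32 => RouterA); RouterA then redirects only Host2's flows to RouterB.

```ios
! Added example, not from the original post. Addresses and interface are assumed.
! Match only Host2's traffic to the remote host; everything else follows the
! normal routing table (the implicit deny at the end of the ACL means "not policy routed").
ip access-list extended HOST2-TO-REMOTE
 permit ip host 192.168.10.20 host 192.168.168.1
!
! Policy route matching packets to RouterB instead of RouterA's own path.
route-map VIA-ROUTERB permit 10
 match ip address HOST2-TO-REMOTE
 set ip next-hop 10.10.10.3
!
! Apply the policy on the interface where the PIX hands packets to RouterA.
! The packet enters and leaves on the same interface, so disable ICMP redirects
! or RouterA will keep telling the PIX to use RouterB directly (the PIX ignores
! redirects, but the noise is unhelpful when troubleshooting).
interface GigabitEthernet0/0
 description DMZ segment facing the PIX and RouterB
 ip address 10.10.10.2 255.255.255.0
 ip policy route-map VIA-ROUTERB
 no ip redirects
```

Two checks worth doing in the lab build the reply recommends: `show route-map VIA-ROUTERB` shows per-clause match counters, so a test from Host2 should increment them while a test from Host1 should not; and because the return traffic from 192.168.168.1 may arrive at the PIX's DMZ interface via either router, confirm the PIX's connection table still matches it (it should, since both routers deliver into the same DMZ interface, but asymmetric paths are the usual cause of silent drops in this kind of setup).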

Re: Route on PIX 7.0 based on source address

Thanks for the suggestion, and I think it would probably work. However, part of the problem with my whole scenario is that RouterA and RouterB are not under my control (I have no access to them), hence their location in the DMZ.

I actually did speak with the company in question about this this week, and they have agreed to NAT to DMZ IPs on their respective routers. My Host1 and Host2 will believe that they are speaking with something in the DMZ when it really is "192.168.1.1" on the other side.
