Nope, there currently is no support for source routing on the PIX. This is something we are looking at for upcoming releases but nothing at this time. What exactly are you trying to accomplish? Perhaps we can find another solution?
6.2 and greater PIX code supports bi-directional NAT so you can achieve the above if you want to. However, I don't understand your reasoning for wanting this very well. How does having all traffic look like it's coming from the firewall assist in routing?
I see I am responding to this post a while after the last message.
I do have a need for source-routing on the PIX, or a very intelligent work around.
Here's the situation:
I have a VPN Concentrator that accepts connections from different logical groups. One belongs to our business unit, and the other is all the other business units of our parent company, connected via a WAN. I differentiate between these two groups by the IP address pools the VPN Concentrator issues to a user based on their profile.
The "private" interface of the Concentrator feeds back into the firewall. This way we can route the users to their appropriate destinations. Everything thus far worked well.
Here's the fun part. One group gets to go out to the Internet directly through the PIX, which works well. There is a default route pointed out to our border routers, which forward to the ISP. The other group needs to be sent to the WAN (hanging off another PIX interface) for their Internet access.
When the traffic is fed back into the firewall, the PIX wants to route them out its outside interface, regardless of which logical group they belong to.
If I could source-route, then based on an ACL, I could route these blocks of addresses where I want to for their default route.
Does this make sense? Is there a work-around? Am I crazy and should figure out a better way to set this up?
Unfortunately, there is no solution to this problem using the equipment that you have. The PIX is a security device and therefore does not have a lot of the L3 routing features that an IOS device has. One of which is source routing, which the PIX does not currently do, and as far as I know there are no plans to add support for source routing on the PIX in the future either. You will need to add an IOS device into this design in order to accomplish your goals. I would suggest adding it something like this:
inside----PIX----new L3 device----internet router
(hope that comes out OK)
The new L3 device would make the source routing decisions based on the source address of the packets it receives from the PIX (you will probably want to use a nat 0 ACL in order to preserve the source address assigned by your concentrator).
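A worked configuration for the design suggested above, added here as an illustration; it is not taken from the thread or from Cisco documentation. The two concentrator pools (10.10.1.0/24 for the local business unit, 10.10.2.0/24 for the parent-company units), the PIX interface name, the IOS interface name and the two next-hop addresses are all assumed placeholders and must be replaced with the pools the concentrator actually issues and with next hops that exist in your topology.

```cisco
! ---- PIX (6.2 or later): identity NAT for the concentrator pools ----
! Traffic from the VPN pools keeps its original source address when it
! leaves the PIX, so the downstream L3 device can still tell the two groups
! apart. Pool addresses and the interface name are assumed placeholders.
access-list NONAT permit ip 10.10.1.0 255.255.255.0 any
access-list NONAT permit ip 10.10.2.0 255.255.255.0 any
nat (inside) 0 access-list NONAT

! ---- New IOS L3 device between the PIX and the Internet router ----
! Classify by source pool. Only these two pools are policy-routed; anything
! else follows the normal routing table.
ip access-list extended POOL-LOCAL
 permit ip 10.10.1.0 0.0.0.255 any
ip access-list extended POOL-PARENT
 permit ip 10.10.2.0 0.0.0.255 any
!
! Next hops are assumptions: 203.0.113.1 stands for the Internet router,
! 198.51.100.1 for whichever adjacent device reaches the WAN path.
route-map VPN-SOURCE-ROUTE permit 10
 match ip address POOL-LOCAL
 set ip next-hop 203.0.113.1
route-map VPN-SOURCE-ROUTE permit 20
 match ip address POOL-PARENT
 set ip next-hop 198.51.100.1
! Packets matching neither entry are routed by the ordinary routing table.
!
! Apply the policy on the interface that faces the PIX (name assumed).
interface GigabitEthernet0/0
 description Link to PIX outside interface
 ip policy route-map VPN-SOURCE-ROUTE
```

Two things to check once this is in place: `show route-map VPN-SOURCE-ROUTE` reports per-entry match counters, which confirms that each pool is hitting the clause you intended rather than falling through to normal routing; and `set ip next-hop` expects the next hop to be on a directly connected subnet, otherwise the packet is routed normally without any error. Keep the two access lists scoped to exactly the concentrator pools, since any wider match silently redirects traffic that was never meant to leave by that path.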
What you described is what I already had called "Plan B" if source-routing on the PIX was not a possibility, which I suspected would be the case. I understand the PIX's routing limitations, and often have to work around them. Thanks for your feedback.