
PIX With OSPF and Policy Routing

azago
Level 1

Hi,

I have the following topology: a PIX 515E with two ISP connections (two outside interfaces). This PIX will run OSPF and generate a default route.

When I configured OSPF, all connections coming from Outside2 couldn't reach the DMZ, but all Outside1 and Inside traffic worked fine.

The configuration is something like this

route-map outside2 permit 10
 set ip next-hop 200.200.60.49
 match interface outside2

routing interface inside
 ospf priority 0
 ospf message-digest-key 1 md5 Bvotorantim
 ospf authentication message-digest

router ospf 1
 network 10.47.0.0 255.255.0.0 area 10    (Inside interface)
 network 192.168.201.0 255.255.255.0 area 10    (DMZ)
 log-adj-changes
 default-information originate always metric-type 1

route outside 0.0.0.0 0.0.0.0 200.200.55.89 1
route outside2 0.0.0.0 0.0.0.0 200.200.60.49 2
route outside2 200.125.125.51 255.255.255.255 200.200.60.49 1
route outside2 200.125.125.200 255.255.255.255 200.200.60.49 1
route outside2 200.125.125.201 255.255.255.255 200.200.60.49 1
route outside2 200.125.125.202 255.255.255.255 200.200.60.49 1
route outside2 200.125.125.203 255.255.255.255 200.200.60.49 1
route outside2 200.125.125.204 255.255.255.255 200.200.60.49 1
route outside2 200.125.125.207 255.255.255.255 200.200.60.49 1

3 Replies

grant.maynard
Level 4

I don't think there's enough of the config there for us to see why it doesn't work.

You don't seem to have any OSPF on outside1 or outside2.

What is your NAT like?

Your route-map looks very suspect if that's all there is. I'd expect it to be like this:

route-map outside2 permit 10
 match address [acl_name]
 set ip next-hop 200.200.60.49

Hi Grant, the config is attached

It's still not that easy to see what you're trying to do. I don't think it's anything to do with OSPF, because you're not using that on either outside interface. This is just about policy and static routing. I think you want to use the two outsides as two ISP links, but that is not going to work.

For example, look at these two NATs:

static (dmz201,outside2) 200.125.125.194 192.168.201.85 netmask 255.255.255.255 0 0
static (dmz201,outside) 200.125.125.177 192.168.201.85 netmask 255.255.255.255 0 0

This means a dmz server is translated to one address on outside1, and another on outside2.

But when a packet from the dmz server hits the PIX, the PIX must decide which interface to send it to, based on the destination in the packet. The NAT happens later, as it leaves the PIX. So your policy routing must be based on what subnets should be routed via which interface. And that's just static routing, no policy routing required, although maybe you could do it by tcp/udp port.

So, can you just add static routes out the two interfaces?
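As an added example, not from the thread or from Cisco: a small Python model of the forwarding order the reply above describes, route lookup on the untranslated destination first, static NAT applied afterwards on whichever egress interface the lookup picked. The routes and the two static translations are the ones shown in the thread; the lookup rule (longest prefix match, ties broken by lowest metric), the client address 198.51.100.10 and the 198.51.100.0/24 fix route are assumptions made for illustration.

```python
"""Toy model of the PIX forwarding decision discussed in the thread.

Added example, not the original poster's config and not PIX code. The
route and static lines below are copied from the thread; the lookup rule
(longest prefix, then lowest metric) and the client addresses are assumed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    iface: str
    network: ipaddress.IPv4Network
    gateway: str
    metric: int


def route(iface, net, mask, gw, metric):
    """Build a Route from the 'route <iface> <net> <mask> <gw> <metric>' form."""
    return Route(iface, ipaddress.IPv4Network(f"{net}/{mask}"), gw, metric)


# Static routes from the posted config.
ROUTES = [
    route("outside", "0.0.0.0", "0.0.0.0", "200.200.55.89", 1),
    route("outside2", "0.0.0.0", "0.0.0.0", "200.200.60.49", 2),
] + [
    route("outside2", host, "255.255.255.255", "200.200.60.49", 1)
    for host in ("200.125.125.51", "200.125.125.200", "200.125.125.201",
                 "200.125.125.202", "200.125.125.203", "200.125.125.204",
                 "200.125.125.207")
]

# 'static (dmz201,<egress>) <global> <local>' lines from the posted config:
# (local iface, egress iface) -> {local address: global address}
STATICS = {
    ("dmz201", "outside2"): {"192.168.201.85": "200.125.125.194"},
    ("dmz201", "outside"): {"192.168.201.85": "200.125.125.177"},
}


def lookup(dst, routes=ROUTES):
    """Longest prefix match; among equal prefixes the lowest metric wins (assumed model)."""
    dst = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if dst in r.network]
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def forward_reply(server_ip, client_ip, routes=ROUTES):
    """A DMZ server replies to client_ip: choose egress by destination, then NAT the source.

    Returns (egress interface, translated source address).
    """
    r = lookup(client_ip, routes)
    global_ip = STATICS.get(("dmz201", r.iface), {}).get(server_ip, server_ip)
    return r.iface, global_ip


def session_is_symmetric(server_ip, client_ip, arrived_on, routes=ROUTES):
    """True if the reply leaves on the interface the request arrived on and
    carries the global address the client originally connected to."""
    egress, src = forward_reply(server_ip, client_ip, routes)
    expected = STATICS[("dmz201", arrived_on)][server_ip]
    return egress == arrived_on and src == expected


if __name__ == "__main__":
    server = "192.168.201.85"
    # A client with a host route via outside2: the reply goes back the right way.
    print(forward_reply(server, "200.125.125.51"))  # ('outside2', '200.125.125.194')
    # Constructed client with no specific route: the metric-1 default route sends
    # the reply out 'outside' with the outside translation, so a session that
    # arrived on outside2 (to 200.125.125.194) gets a reply from 200.125.125.177.
    print(forward_reply(server, "198.51.100.10"))  # ('outside', '200.125.125.177')
    print(session_is_symmetric(server, "198.51.100.10", "outside2"))  # False
    # The fix the reply suggests: a static route for that client's subnet via outside2.
    fixed = ROUTES + [route("outside2", "198.51.100.0", "255.255.255.0",
                            "200.200.60.49", 1)]
    print(session_is_symmetric(server, "198.51.100.10", "outside2", fixed))  # True
```

The model shows why "policy routing by source interface" cannot work here: by the time the PIX chooses an egress interface it is looking only at the destination of the untranslated reply packet, and the source-address translation is selected by that choice, not the other way round. Any client whose prefix is not explicitly routed to outside2 gets its reply from the outside1 translation, which the client never addressed.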
