Cisco Support Community
PIX With OSPF and Policy Routing


I have the following topology: a PIX 515E with two ISP connections (two outside interfaces), and this PIX will run OSPF and generate a default route.

When I configured OSPF, all connections coming from Outside2 couldn't reach the DMZ, but all Outside1 and Inside traffic worked fine.

The configuration is something like this:

route-map outside2 permit 10
 set ip next-hop
 match interface outside2

routing interface inside
 ospf priority 0
 ospf message-digest-key 1 md5 Bvotorantim
 ospf authentication message-digest

router ospf 1
 network area 10 (Inside Interface)
 network area 10 (DMZ)
 default-information originate always metric-type 1

route outside 1
route outside2 2
route outside2 1
route outside2 1
route outside2 1
route outside2 1
route outside2 1
route outside2 1
route outside2 1


Re: PIX With OSPF and Policy Routing

I don't think there's enough of the config there for us to see why it doesn't work.

You don't seem to have any OSPF on outside1 or outside2.

What is your NAT like?

Your route-map looks very suspect if that's all there is. I'd expect it to be like this:

route-map outside2 permit 10
 match ip address [acl_name]
 set ip next-hop

Re: PIX With OSPF and Policy Routing

Hi Grant, the config is attached

Re: PIX With OSPF and Policy Routing

It's still not that easy to see what you're trying to do. I don't think it's anything to do with OSPF because you're not using that on either outside interface. This is just about policy and static routing. I think you want to use the two outsides as two ISP links, but that is not going to work.

For example look at these two NATs:

static (dmz201,outside2) netmask 0 0
static (dmz201,outside) netmask 0 0

This means a dmz server is translated to one address on outside1, and another on outside2.

But when a packet from the dmz server hits the PIX, the PIX must decide which interface to send it to, based on the destination in the packet. The NAT happens later, as it leaves the PIX. So your policy routing must be based on what subnets should be routed via which interface. And that's just static routing, no policy routing required, although maybe you could do it by tcp/udp port.

So, can you just add static routes out the two interfaces?
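The ordering this reply describes (route lookup on the packet's destination first, then the NAT that applies to the chosen egress interface) as an added Python model; it is not code from the thread or from Cisco, and every address and the static NAT table are constructed placeholders:

```python
import ipaddress

# Constructed placeholder addresses (not from the thread).
# Static routes as (destination prefix, egress interface, next hop).
ROUTES = [
    ("0.0.0.0/0",       "outside",  "203.0.113.1"),  # default via ISP 1
    ("198.51.100.0/24", "outside2", "192.0.2.1"),    # a prefix reached via ISP 2
]

# Models "static (dmz201,<egress>) <global> <local>": the translation is
# selected by the (ingress, egress) interface pair, so it can only be
# applied once routing has already chosen the egress interface.
STATIC_NAT = {
    ("dmz201", "outside"):  {"10.201.0.10": "203.0.113.10"},
    ("dmz201", "outside2"): {"10.201.0.10": "192.0.2.10"},
}


def route_lookup(dst):
    """Longest-prefix match on the destination only; returns (egress, next hop)."""
    best = None
    for prefix, iface, nexthop in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nexthop)
    return (best[1], best[2]) if best else (None, None)


def forward(ingress, src, dst):
    """Step 1: route on dst. Step 2: NAT for the (ingress, egress) pair."""
    egress, nexthop = route_lookup(dst)
    if egress is None:
        return None
    translated = STATIC_NAT.get((ingress, egress), {}).get(src, src)
    return {"egress": egress, "next_hop": nexthop, "src": translated}
```

A reply from the DMZ server to a host with no specific route leaves via outside with the outside translation, whatever interface the request arrived on; only a static route for that destination pointing at outside2 changes that.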
