Policy-based routing and Firewalls


Can anybody tell me how I can get PBR to work when I have a PIX firewall along the data path to my defined next-hop router?

I have 2 firewalls with external-facing interfaces on the Internet. I want to route packets from a host located on the DMZ of PIX-1 to hosts on the Internet via PIX-2.

However, the moment the packets from the host hit the DMZ interface on PIX-1, they get re-routed to the Internet via its outside interface, which is not the path I want them to use.

Before hitting the DMZ interface of PIX-1 they hit an L3 switch that has the PBR configs that define PIX-2 as the next hop.

I know PBR can't be configured on PIX firewalls, but how can I get it to work when I have a PIX in the data path?

I also have OSPF running internally on the network, and the default route to the Internet is via PIX-1.

See attached diagram for logical layout and data flow.


Re: Policy-based routing and Firewalls

Hi Mark

As you rightly point out, the PIX cannot do PBR. So it makes no difference what you put on the L3 switch, as the traffic will always end up at PIX-1 because that is its default gateway.

The most obvious solution is just to change the default gateway on your host to be PIX-2. Would this cause other problems?



Re: Policy-based routing and Firewalls

It would cause a lot more problems than it would solve, Jon.

I'm thinking of having the box changed to an internal IP instead of an IP on the "DMZ". That way its default gateway would be different, and I could force it to bypass PIX-1 and have PBR route its packets via PIX-2.

PIX-2 would also enforce its access policies for the host's traffic, public outbound etc.

Thanks, Jon
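The plan in the last post, written out as an added example configuration for the L3 switch (this is not from the thread or from Cisco documentation; the VLAN, addresses and names are assumptions for illustration). The point it makes concrete is Jon's: PBR only takes effect on the device that actually makes the forwarding decision for the host's packets. While the host's default gateway is PIX-1's DMZ interface, the switch only bridges the frames and its route-map is never consulted. Once the host sits on an internal VLAN whose gateway is the switch SVI, the policy can be applied to that SVI, and only that host's Internet-bound traffic is sent to PIX-2 while everything else, including the rest of the network, still follows the OSPF default route via PIX-1.

```cisco
! Assumed addressing (constructed for this example):
!   Vlan20 10.10.20.0/24  - new internal VLAN the host is moved to
!   10.10.20.10           - the host that must exit via PIX-2
!   10.10.30.2            - PIX-2 inside interface, directly connected to the switch
!   10.0.0.0/8            - summary of the internal address space
!
! Match only the one host, and only traffic that is NOT for internal networks.
! Packets denied by this ACL are not dropped; PBR simply skips them and they
! are routed normally, i.e. by OSPF and the default route via PIX-1.
ip access-list extended PBR-HOST-VIA-PIX2
 deny   ip host 10.10.20.10 10.0.0.0 0.255.255.255
 permit ip host 10.10.20.10 any
!
! Policy: matching packets get PIX-2 as their next hop instead of the RIB's choice.
route-map TO-PIX2 permit 10
 match ip address PBR-HOST-VIA-PIX2
 set ip next-hop 10.10.30.2
!
! The policy must sit on the interface the host's packets ENTER the switch on.
! Because the host now uses this SVI as its default gateway, the switch makes
! the forwarding decision and the route-map is evaluated.
interface Vlan20
 description Host moved off the PIX-1 DMZ; this SVI is its default gateway
 ip address 10.10.20.1 255.255.255.0
 ip policy route-map TO-PIX2
!
! Link towards PIX-2's inside interface, so the next hop is directly connected.
interface Vlan30
 description Inside segment shared with PIX-2
 ip address 10.10.30.1 255.255.255.0
```

Two checks before relying on it: `show route-map TO-PIX2` should show the policy-routing match counter increasing as the host sends traffic, and PIX-2 needs a route back to 10.10.20.0/24 via 10.10.30.1 (plus the NAT and outbound access policy for that host). Because PIX-2 is stateful, the return traffic has to come back through PIX-2 as well; with the host's outbound traffic pinned to PIX-2 and PIX-2 holding the return route, both directions stay on the same firewall, so this does not introduce the asymmetric path that would otherwise get the session dropped.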