10-04-2005 06:30 PM - edited 02-21-2020 12:26 AM
I have 2 hosts inside my network that each need to communicate with a remote network. There are two ways to get to the remote network and each host needs to take a unique path.
I.e., inside the DMZ there is RouterA, which leads to 192.168.168.1, and RouterB, which also leads to 192.168.168.1. Inside my PIX there are Host1 and Host2. Host1 needs to go through RouterA and Host2 needs to go through RouterB.
Like this:
host1---\ /---routerA
inside---PIX---DMZ
host2---/ \---routerB
I need to be able to tell the PIX
192.168.168.1/32 => RouterA
ACL 1 host2 IP
Route-Map
match acl 1
set next-hop = RouterB
or some other way to tell the PIX: if source-ip = Host2, the route to 192.168.168.1 = RouterB
Anyone have any ideas?
10-07-2005 06:13 PM
Didn't see a reply to this for a few days, so thought I would take a stab at it. The PIX does not support source-based routing, but your next hop router probably does. I assume that RouterA and RouterB are on the same LAN segment. If RouterA is your default next hop on the DMZ, policy-based routing could be configured on RouterA to direct all traffic from Host2 destined for 192.168.168.1 to RouterB. I haven't tried this, so would recommend a lab build first. Cisco doc for configuring Policy based routing can be found at:
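The policy-based routing the reply describes, written out as an added IOS example (not from this thread or from Cisco's documentation). All addresses are assumed: 172.16.1.2 for RouterA's DMZ interface, 172.16.1.3 for RouterB's, 10.1.1.2 for Host2 behind the PIX, and 192.168.168.1 for the remote host from the original post. The PIX keeps its normal static route for 192.168.168.1 pointing at RouterA; RouterA then redirects only Host2's packets to RouterB.

```cisco
! Added example: PBR on RouterA, the DMZ default next hop in this scenario.
! Assumed addresses (not from the thread):
!   172.16.1.2     RouterA DMZ interface
!   172.16.1.3     RouterB DMZ interface
!   10.1.1.2       Host2 (inside the PIX)
!   192.168.168.1  remote host
!
! Match only Host2 -> 192.168.168.1. Anything the ACL does not match falls
! through the route-map and is forwarded by the normal routing table.
ip access-list extended HOST2-TO-REMOTE
 permit ip host 10.1.1.2 host 192.168.168.1
!
route-map PBR-HOST2 permit 10
 match ip address HOST2-TO-REMOTE
 set ip next-hop 172.16.1.3
!
! Apply the policy on the interface that receives packets from the PIX.
interface FastEthernet0/0
 description DMZ segment facing the PIX
 ip address 172.16.1.2 255.255.255.0
 ip policy route-map PBR-HOST2
```

Because the ACL names both the source and the destination, Host2's traffic to any other network is unaffected. On the lab build, `show route-map PBR-HOST2` shows the policy match counters climbing as Host2 sends traffic, and `show ip access-lists HOST2-TO-REMOTE` confirms the ACL is hitting; if the counters stay at zero, the policy is applied to the wrong interface or the PIX is not forwarding Host2's packets to RouterA at all.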
10-08-2005 10:09 AM
Thanks for the suggestion and I think it would probably work. However, part of the problem with my whole scenario is that RouterA and RouterB are not under my control (I have no access to them), hence their location in the DMZ.
I actually did speak with the company in question about this this week and they have agreed to NAT to DMZ IPs on their respective routers. My Host1 and Host2 will believe that they are speaking with something in the DMZ when it really is "192.168.1.1" on the other side.
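The arrangement the poster settled on, static NAT on each DMZ router, as an added IOS example; it is not the other company's configuration and every address is assumed. The remote host is taken as 192.168.168.1 from the first post (the last post writes 192.168.1.1; the mechanism is the same either way). RouterA presents it to the DMZ as 172.16.1.10; RouterB would present the same host under its own DMZ address, so each PIX host simply targets the address belonging to the router it should use, and the PIX needs no policy routing at all.

```cisco
! Added example: static NAT on RouterA so that Host1 reaches the remote host
! via a DMZ-side address. Assumed addresses (not from the thread):
!   172.16.1.2     RouterA DMZ interface (facing the PIX)
!   172.16.1.10    DMZ address RouterA presents for the remote host
!   192.168.168.1  real remote host, reachable over RouterA's WAN link
!
! The DMZ side is "outside" and the remote side is "inside", so the
! remote host is the inside local address and 172.16.1.10 its inside global.
interface FastEthernet0/0
 description DMZ segment facing the PIX
 ip address 172.16.1.2 255.255.255.0
 ip nat outside
!
interface Serial0/0
 description link toward the remote network
 ip nat inside
!
! Packets from the DMZ to 172.16.1.10 have their destination rewritten to
! 192.168.168.1; replies from 192.168.168.1 have their source rewritten
! back to 172.16.1.10, so Host1 only ever sees the DMZ address.
ip nat inside source static 192.168.168.1 172.16.1.10
!
! RouterB carries the equivalent line with its own DMZ address, for example
! 172.16.1.20, and Host2 is pointed at that address instead.
```

Nothing on the PIX has to know about 192.168.168.1 any more: both 172.16.1.10 and 172.16.1.20 sit on the directly connected DMZ subnet, so only the usual inside-to-DMZ access rules apply. On the router, `show ip nat translations` should list the static entry permanently and `show ip nat statistics` should show hits as Host1 sends traffic; if the PIX logs show Host1's packets leaving toward the DMZ but no translation hits appear, the router is not answering ARP for 172.16.1.10 on the DMZ segment, which is the first thing to check.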