source routing on PIX ?

mburtin (Level 1)

Dear Forum,

Does anybody know if it is possible to configure source routing on PIX, or if there is a bypass solution?

Any comments will be appreciated.

Regards

6 Replies

scoclayton (Level 7)

Nope, there currently is no support for source routing on the PIX. This is something we are looking at for upcoming releases but nothing at this time. What exactly are you trying to accomplish? Perhaps we can find another solution?

Scott

So there is not any support for Source Address translation? I know in the FW-1 world you can do a 'NAT Hide' behind the inside interface, which is a wonderful solution to solve LAN routing issues.

I would want it to look like this.

Internet IP -> Dest NAT -> Source Translation of Inside interface IP

Now you have an easy routing solution since all the traffic appears to be coming from the Firewall.

6.2 and greater PIX code supports bi-directional NAT so you can achieve the above if you want to. However, I don't understand your reasoning for wanting this very well. How does having all traffic look like it's coming from the firewall assist in routing?

Scott

I see I am responding to this post a while since the last message.

I do have a need for source-routing on the PIX, or a very intelligent work around.

Here's the situation:

I have a VPN Concentrator that accepts connections from different logical groups. One belongs to our business unit, and the other is all the other business units of our parent company, connected via a WAN. I differentiate between these two groups by the IP address pools the VPN Concentrator issues to a user based on their profile.

The "private" interface of the Concentrator feeds back into the firewall. This way we can route the users to their appropriate destinations. Everything thus far worked well.

Here's the fun part. One group gets to go out to the Internet directly through the PIX, which works well. There is a default route pointed out to our border routers, which forward to the ISP. The other group needs to be sent to the WAN (hanging off another PIX interface) for their Internet access.

When the traffic is fed back into the firewall, the PIX wants to route them out its outside interface, regardless of which logical group they belong to.

If I could source-route, then based on an ACL, I could route these blocks of addresses where I want to for their default route.

Does this make sense? Is there a work-around? Am I crazy and should figure out a better way to set this up?

Unfortunately, there is no solution to this problem using the equipment that you have. The PIX is a security device and therefore does not have a lot of the L3 routing features that an IOS device has. One of these is source routing, which the PIX does not currently do, and as far as I know there are no plans to add support for source routing on the PIX in the future either. You will need to add an IOS device into this design in order to accomplish your goals. I would suggest adding it something like this:

inside----PIX----new L3 device----internet router
                        |
                        |
                   WAN router

(hope that comes out OK)

The new L3 device would make the source routing decisions based on the source address of the packets it receives from the PIX (you will probably want to use a nat 0 ACL in order to preserve the source address assigned by your concentrator).

Hope this helps and sorry for the bad news.

Scott
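As an added illustration of the work-around Scott describes (not configuration from the thread or from Cisco), this is how the two pieces could look: a `nat 0` ACL on the PIX so the concentrator-assigned pool addresses reach the new L3 device untranslated, and a policy route-map on that IOS device that sends only the WAN group's pool to the WAN router while everything else falls through to the normal default route. All addresses, pool ranges, interface names and ACL names are constructed placeholders.

```cisco
! ---- PIX 6.2+ (placeholder addressing) ----
! Traffic entering on the "vpn" interface from the two concentrator pools
! must keep its real source address, or the L3 device cannot tell the
! groups apart.  10.10.0.0/16 = own business unit, 10.20.0.0/16 = WAN group.
access-list NONAT permit ip 10.10.0.0 255.255.0.0 any
access-list NONAT permit ip 10.20.0.0 255.255.0.0 any
nat (vpn) 0 access-list NONAT
! Default route now points at the new L3 device, not the border router.
route outside 0.0.0.0 0.0.0.0 192.0.2.9 1

! ---- New IOS L3 device between PIX and the routers ----
! Only the WAN group's pool is matched; the own-unit pool is deliberately
! left out so it follows the ordinary default route to the Internet.
ip access-list standard VPN-WAN-USERS
 permit 10.20.0.0 0.0.255.255
!
route-map TO-WAN permit 10
 match ip address VPN-WAN-USERS
 set ip next-hop 192.0.2.2
!
interface FastEthernet0/0
 description Link to PIX outside interface
 ip address 192.0.2.9 255.255.255.248
 ip policy route-map TO-WAN
!
interface FastEthernet0/1
 description Link to WAN router (next-hop 192.0.2.2)
 ip address 192.0.2.1 255.255.255.252
!
! Normal routing handles everyone the route-map does not match.
ip route 0.0.0.0 0.0.0.0 192.0.2.17
```

`show route-map TO-WAN` on the IOS device shows the policy-routed packet count, which is the quickest check that the WAN pool is actually being diverted and the other pool is not.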

What you described is what I already had called "Plan B" if source-routing on the PIX was not a possibility, which I suspected would be the case. I understand the PIX's routing limitations, and often have to work around them. Thanks for your feedback.
