Posted by Houston SBC on August 24, 2008, 10:56 pm
Our PIX is the def gtwy on our internal network, yet we have an Ironport e-mail appliance that we want to also use on outbound e-mail.

With a regular Cisco router as a def gtwy I could issue the following route map to redirect outbound smtp e-mail to another device-like the ironport.

route-map MAILTRAFFIC permit 10
match ip address OUTSMTP
set ip next-hop 192.168.1.208 the IRONPORT

interface E0 the inbound interface of the internal side of the router
ip address 192.168.1.1 255.255.255.0
ip policy route-map MAILTRAFFIC

access-list ext OUTSMTP
permit tcp host 192.168.1.205 any eq smtp
deny any any eq smtp
permit ip any any

I have reviewed the PIX manuals and did not see any reference to any route-map commands, yet the GURUs among this group may know how to do this and/or tell me that it is not feasible.

Any help would be appreciated.

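The policy-routing decision that the route-map in the post above would make on an IOS router, modelled in Python as an added example (not part of the original thread and not Cisco code). The function names, the sample flows, the SMTP_ONLY variant and the reading of the post's second ACL entry as `deny tcp` are assumptions.

```python
import ipaddress

IRONPORT = "192.168.1.208"
# OUTSMTP as posted, in order: (action, protocol, source, destination port).
# "ip" matches any protocol, None matches any port. The post's second entry
# omits the protocol; tcp is assumed here.
OUTSMTP = [
    ("permit", "tcp", "192.168.1.205/32", 25),
    ("deny",   "tcp", "0.0.0.0/0",        25),
    ("permit", "ip",  "0.0.0.0/0",        None),
]
# Hypothetical variant: only the first entry, everything else implicitly denied.
SMTP_ONLY = OUTSMTP[:1]


def acl_action(acl, proto, src, dport):
    """Return the action of the first matching entry (implicit deny at the end)."""
    for action, a_proto, a_src, a_port in acl:
        if a_proto not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in ipaddress.ip_network(a_src):
            continue
        if a_port is not None and a_port != dport:
            continue
        return action
    return "deny"


def next_hop(acl, proto, src, dport):
    """Model of 'route-map MAILTRAFFIC permit 10': an ACL permit applies
    'set ip next-hop'; an ACL deny leaves the packet to the routing table."""
    permitted = acl_action(acl, proto, src, dport) == "permit"
    return IRONPORT if permitted else "routing-table"


# Constructed sample flows: (label, protocol, source, destination port).
FLOWS = [
    ("mail host SMTP",    "tcp", "192.168.1.205", 25),
    ("Ironport SMTP",     "tcp", "192.168.1.208", 25),
    ("workstation SMTP",  "tcp", "192.168.1.50",  25),
    ("workstation HTTPS", "tcp", "192.168.1.50",  443),
    ("workstation DNS",   "udp", "192.168.1.50",  53),
]

if __name__ == "__main__":
    for label, proto, src, dport in FLOWS:
        print(f"{label:18} as posted: {next_hop(OUTSMTP, proto, src, dport):14}"
              f" SMTP-only: {next_hop(SMTP_ONLY, proto, src, dport)}")
```

In a route-map ACL, `deny` exempts a packet from policy routing rather than dropping it, so SMTP from other hosts still follows the routing table and needs a separate filter if it must not leave directly. With the trailing `permit ip any any`, all non-SMTP traffic is sent to the Ironport as well.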
Posted by Andrew Lutov on August 25, 2008, 5:33 am
Hello, Houston!

PIX is not a router.

Posted by Jyri Korhonen on August 25, 2008, 5:33 am
> ip address 192.168.1.1 255.255.255.0
> ip policy route-map MAILTRAFFIC
>
> access-list ext OUTSMTP
> permit tcp host 192.168.1.205 any eq smtp
> deny any any eq smtp
> permit ip any any
>
> I have reviewed the PIX manuals and did not see any reference to any
> route-map commands, yet the GURUs among this group may know how to do this
> and/or tell me that it is not feasible.
>
> Any help would be appreciated.

It might help if you could tell the OS version you are running. Version 6 has only fixed routes and OSPF - no route-maps. However there are OS versions 7 and 8, but you can run them only in the high end PIX boxes (515->).

Posted by Lutz Donnerhacke on August 25, 2008, 7:14 am
* Houston SBC wrote:
> With a regular Cisco router as a def gtwy I could issue the following route
> map to redirect outbound smtp e-mail to another device-like the ironport.
>
> route-map MAILTRAFFIC permit 10
> match ip address OUTSMTP
> set ip next-hop 192.168.1.208 the IRONPORT

PIX is not a router, but a NAT device. So you can't use route-maps for other issues than OSPF and RIP. But you can set up a nat entry:

nat (outside,inside) OUTSMTP 192.168.1.208
! yes, from inside to outside

You can even restrict this rule with an access-list to match only SMTP traffic.

Have fun.

Posted by Walter Roberson on August 25, 2008, 1:20 pm
>PIX is not a router, but a NAT device. So you can't use route-maps for other
>issues than OSPF and RIP.

OSPF and RIP and other routing protocols do not define a router. A router is any device that connects multiple layer 2 networks at layer 3, and every PIX model since the beginning has been able to do that. Therefore a PIX *is* a router. It just isn't very flexible in how it makes its routing decisions, and it violates the RFCs by not decrementing the TTL... but adherence to RFCs does not define whether it is a router or not.

Does the PIX have route map functionality?