In article , wrote: :We are trying to setup the PIX to route traffic of a specific IP to a :specific device and all other traffic to the ISP DSL modem. Below is :our current network setup.
:(Internet) :ISP DSL modem : | : | :The PIX Device : | | : | | :lots of (The specific device) :wkst
:The workstations all have one NIC but with two IPs. We want to setup :the PIX so that it can route traffic of the first IP to the Internet :and traffic of the second IP to the specific device. We are required :to have the specific device behind the PIX firewall. What's the best :way to do this?
When you say "behind the PIX firewall", if you mean that "the specific device" -must- be on the same interface as "lots of wkst", then what you are asking is not possible with PIX 5.x or 6.x.
I haven't investigated myself, but something someone wrote here suggests that it isn't possible in PIX 7.0 either except in the case where the traffic is coming in via a VPN. PIX 7.0 allows routing back in at least -some- cases.
Starting in PIX 6.3(1) (for the 515/515E, 520, 525, or 535) or 6.3(4) (for the 506E), you can do a bit more if it is acceptable for "the specific device" to be in a different 802.1Q VLAN and different IP subnet than "lots of wkst", even if the same physical interface must be shared. If you can put an 802.1Q-aware LAN switch between the PIX and "the specific device" that will strip off the VLAN tags, or if "the specific device" can handle VLANs directly, then you can set "the specific device" virtually behind a "logical interface". PIX 6.3 *does* allow packets to arrive via one logical interface and exit by a different one, even on the same physical interface.
If you can indeed use different logical or physical interfaces for "the specific device", then the task you face becomes one of implimenting source-routing on the PIX. The only supported source-routing on PIX 6.x is through OSPF, which allows one to construct "policy routing". PIX 7.0 might have significant enhancements supporting source-routing, possibly.