Does the PIX have route map functionality?

Our PIX is the def gtwy on our internal network, yet we have an Ironport e-mail appliance that we want to also use on outbound e-mail.

With a regular Cisco router as a def gtwy I could issue the following route map to redirect outbound smtp e-mail to another device-like the ironport.

route-map MAILTRAFFIC permit 10 match ip address OUTSMTP set ip next-hop 192.168.1.208 the IRONPORT

interface E0 the inbound interface of the internal side of the router ip address 192.168.1.1 255.255.255.0 ip policy route-map MAILTRAFFIC

access-list ext OUTSMTP permit tcp host 192.168.1.205 any eq smtp deny any any eq smtp permit ip any any

I have reviewed the PIX manuals and did not see any reference to any route-map commands, yet the GURUs among this group may know how to do this and/or tell me that it is not feasible.

Any help would be appreciated.

Reply to
Houston SBC
Loading thread data ...

Hello, Houston!

PIX is not router.

Reply to
Andrew Lutov

the internal side of the router

It might help if you could tell the OS version you are running. Version 6 has only fixed routes and OSPF - no route-maps.

However there are OS versions 7 and 8, but you can run them only in the high end PIX boxes (515->).

Reply to
Jyri Korhonen

PIX is not a router, but a NAT device. So you can't use route-maps for other issues than OSFP and RIP. But you can set up a nat entry:

nat (outside,inside) OUTSMTP 192.168.1.208 ! yes, from inside to outside

You can even restrict this rule with an access-list to match only SMTP traffic.

Have fun.

Reply to
Lutz Donnerhacke

OSPF and RIP and other routing protocols do not define a router. A router is any device that connects multiple layer 2 networks at layer 3, and every PIX model since the beginning has been able to do that. Therefore a PIX *is* a router. It just isn't very flexible in how it makes its routing decisions, and it violates the RFCs by not decrementing the TTL... but adherence to RFCs does not define whether it is a router or not.

Reply to
Walter Roberson

Houston SBC,

I believe that the answer you seek is, "The PIX cannot do route-maps."

This has nothing to do with the version of the PIX image. Although the PIX does perform routing, it just is not as sophisticated as the actual routers in some regards.

Does the Ironport device act as an incoming and outgoing SMTP server or does it intercept outgoing SMTP traffic? I thought that inside hosts were configured to use the Ironport device as a SMTP server for outgoing messages and that DNS was configured to have inbound e-mail go to the Ironport device. In that situation, the Ironport device would forward the received inbound e-mail to the actual internal e-mail server after Ironport device processing. So, if this is the case, the inside hosts or servers need to be configured to use the Ironport device for outbound message delivery and the policy based routing or route map is not needed.

----- Scott Perry Indianapolis, IN

-----

Reply to
Scott Perry

A very cognizant answer..Thanks

Problem is that the Ironport was setup to accept inbound email for the associated domain and then relay spam free mail to the actual internal e-mail server. What the install person did not do was to make sure that outbound e-mail used the same reverse path. Outbound email goes to the sites def gtwy, which in this case is the PIX

550. Thus the route map question?

Since Exchange 2007 is in use, either a def gtwy or a smart email host is allowed on the outbound trip. Using the internal address of the Ironport did not allow email egression. Customer is contacting Ironport about the required steps needed to allow both inbound and outbound email to pass through their device. It would be nice to clean the outbound email.

This is the kind of shoddy workmanship that keeps me busy...Sell, sell, sell and do a Mickey mouse install....

Reply to
Houston SBC

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.