In article , RS wrote:
:PIX 6.3(3)
Sidenote: 6.3(3) had a security problem, fixed in 6.3(4).
6.3(5) is out now; it is a bug-fix release.
:We now have multiple outside interfaces - different ISPs. The plan is to have one interface handle all web traffic (we will call that outside1) - the other VPNs (outside2).
:To handle this - I figured I'd set the default route to use the ISP on outside1. All VPN routes would have their routes defined to use outside2.
:Inbound connections to the SSL VPN concentrator, however, are coming into outside2.
:Will there be an issue with that because the default route points to outside1??
Yes.
:Or does the PIX know that since an inbound connection came on outside2 - use outside2 no matter what the def. route says???
No, the PIX doesn't know that. The PIX always routes according to its routing table.
In PIX 6.3(3), the only policy routing that is supported has to do with OSPF.
What you might be able to do is "reverse NAT".
nat (outside2) 0.0.0.0 0.0.0.0 0 0
global (inside) SOMEIP
route outside2 host SOMEIP WANROUTERIP
If you do this (and make sure to exempt the VPN traffic), then any outside source IP that comes in to outside2 will be PAT'd to SOMEIP. When the SSL concentrator replies to those packets, the 'route' ensures that the reply will go back out the outside2 interface. If SOMEIP is in the same subnet as the outside2 interface then you can skip the 'route' statement.
I do not know whether this NAT step will interfere with SSL... I don't -think- it will.
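An added illustration of the routing decision discussed in this thread (example code, not anything posted by RS or the replier, and not PIX code): a small longest-prefix-match routing table shows why a reply to an SSL VPN user who arrived on outside2 follows the default route out outside1, why the reverse-NAT "global" by itself is not enough when SOMEIP lies outside the outside2 subnet, and how the host route (or a SOMEIP on the connected subnet) pins the reply to outside2. SOMEIP and WANROUTERIP are the placeholders from the post; the interface subnets, the client address, and the 172.16.0.0/12 site-to-site VPN space used for the NAT exemption are constructed for this example.

```python
# Added illustration, not code from the thread: a longest-prefix-match routing
# table modelling the PIX behaviour described above. SOMEIP and WANROUTERIP
# are the post's placeholders; every other address and the interface
# subnets are constructed for this example.
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    iface: str
    gateway: Optional[str]  # None means directly connected


def lookup(table, dst):
    """Plain routing-table decision: longest matching prefix wins, and the
    interface a packet arrived on plays no part (no policy routing)."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


# Constructed topology. outside1 carries the default route (web traffic);
# outside2 carries the explicit routes to the site-to-site VPN peers.
SOMEIP = "203.0.113.10"      # post's placeholder; chosen outside outside2's subnet
WANROUTERIP = "192.0.2.1"    # post's placeholder: outside2's next-hop router
VPN_CLIENT = "203.0.113.77"  # constructed remote SSL VPN user on the Internet
VPN_PEER_NETS = ("172.16.0.0/12",)  # constructed site-to-site VPN address space

BASE_TABLE = [
    Route(ipaddress.ip_network("10.0.0.0/24"), "inside", None),
    Route(ipaddress.ip_network("198.51.100.0/24"), "outside1", None),
    Route(ipaddress.ip_network("192.0.2.0/24"), "outside2", None),
    Route(ipaddress.ip_network("172.16.0.0/12"), "outside2", WANROUTERIP),
    Route(ipaddress.ip_network("0.0.0.0/0"), "outside1", "198.51.100.1"),
]

# The post's 'route outside2 host SOMEIP WANROUTERIP'
WITH_HOST_ROUTE = BASE_TABLE + [
    Route(ipaddress.ip_network(SOMEIP + "/32"), "outside2", WANROUTERIP),
]


def translate_inbound_source(src, exempt_prefixes=(), someip=SOMEIP):
    """Model of the post's nat (outside2) / global (inside) SOMEIP pair: a
    source arriving on outside2 is PAT'd to SOMEIP unless it falls in an
    exempted prefix (the VPN traffic the post says must be excluded)."""
    addr = ipaddress.ip_address(src)
    if any(addr in ipaddress.ip_network(p) for p in exempt_prefixes):
        return src
    return someip


def reply_egress(table, inbound_src, reverse_nat=False,
                 exempt_prefixes=VPN_PEER_NETS, someip=SOMEIP):
    """Interface on which the concentrator's reply leaves the PIX. The reply
    goes to whatever address the concentrator saw as the client's source."""
    seen_by_concentrator = (
        translate_inbound_source(inbound_src, exempt_prefixes, someip)
        if reverse_nat else inbound_src
    )
    route = lookup(table, seen_by_concentrator)
    return route.iface if route else None


if __name__ == "__main__":
    # 1. No reverse NAT: the reply follows the default route, not outside2.
    print("plain routing:", reply_egress(BASE_TABLE, VPN_CLIENT))
    # 2. Reverse NAT alone is not enough when SOMEIP is off outside2's subnet.
    print("reverse NAT, no host route:",
          reply_egress(BASE_TABLE, VPN_CLIENT, reverse_nat=True))
    # 3. Reverse NAT plus the host route pins the reply to outside2.
    print("reverse NAT + host route:",
          reply_egress(WITH_HOST_ROUTE, VPN_CLIENT, reverse_nat=True))
    # 4. A SOMEIP inside outside2's own subnet needs no host route.
    print("SOMEIP on connected subnet:",
          reply_egress(BASE_TABLE, VPN_CLIENT, reverse_nat=True, someip="192.0.2.10"))
    # 5. Exempted VPN peer traffic keeps its real source and uses its own route.
    print("exempted VPN peer:",
          reply_egress(WITH_HOST_ROUTE, "172.16.5.5", reverse_nat=True))
```

The model only covers the forwarding decision; it says nothing about whether the PIX's connection tracking or the SSL session itself tolerates the translation, which is the open question the reply leaves with.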