PIX 515 Routing Problems

Posted on 2004-03-24
Medium Priority
Last Modified: 2013-11-16
I could really use some help, guys....

I have two T-1's (IP's of 68.152.249.x) that "terminate" into a Cisco 2620 (two serial & two lan ports).  Each 2620 LAN Port goes into a port on a PIX 515.  A third (ethernet) port on the PIX connects to a LAN with addresses of 10.10.10.x.

Right now, I have a default route in the PIX pointing all traffic to one of the T-1's.  However, with the second T-1 (serving a different department).  I want to put a route in the pix that says (to the effect) that if you come from address pool y, then you go to T-1 #1, and if you come from address pool z, then you go to T-1 #2.  

I know you can't specify one default route (one per interface would be really nice), so I wasn't sure if this is something that could be handled in the PIX, or if I had to do it in the 2620.

Any suggestions are welcome!
Question by:brianclay
  • 6
  • 5
LVL 79

Expert Comment

ID: 10676377
You have to do it on the 2620.
What you want to do is setup each department on a separate subnet if you can, or at least group the addresses so that they can be segregated with a mask.
The concept is this:
1. each department has at least the appearance of a different subnet
2. each subnet gets a unique outgoing NAT/PAT address going out the firewall
3. 2620 makes routing decision based on source address
4. If source address = NAT address of Dept A, send through T1 #1
5. If source address = NAT address of Dept B, send through T1 #2

To accomplish that, you do NOT need the 2nd Ethernet port of the router connecting to the extra interface of the PIX. That will not help you one bit.

Question for you: do both T1's go to the same ISP? It will make a difference if you have two different ISP's and two different IP address blocks.

Expert Comment

ID: 10677159
I'm not completely sure of your configuration....
But I think what you are trying to do is a simple
route outside statement...
here is the syntax...
route outside 68.152.249.x 1
this reads this way
route anything in the subnet to ip address 68.152.249.x 1 hop away...
what this will do is send
any data that is coming from the to the ethernet x interface ip address on the 2620...
at that point the 2620 will decide where to send the data....  
I'm not quite sure what your typology is...
sounds like you are using DMZ interfaces for the two different departments...???
This should still work though....
You may need to do some sort of
route dmz statement also....
Typology with IPs would be helpful here.....

Author Comment

ID: 10677717
lr moore

what are the comands to have the 2620 perform the conditional static routes?
Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

LVL 79

Expert Comment

ID: 10677937

You would use policy routing with a route map, something like this.
Group A private IP = 192.168.2.x
Group A Public IP from PIX =
Group B private IP = 192.168.3.x
Group B Public IP from PIX =

# create access-lists to define the traffic source/destination
access-list 102 permit ip host any
access-list 103 permit ip host any
# create route-map to direct the traffic as it matches the acl
route-map TEST permit 10
 match address 102
 set default interface serial 0/0.1  <-- interface to ISP1
route-map TEST permit 20
 match address 103
 set default interface serial 1/0.1  <-- interface to ISP2
# apply the routemap to the LAN interface that connects to the PIX
interface fast 0/0
 ip policy route-map TEST


Author Comment

ID: 10680077
lr moore:

I have tried that and had to change some configurations in the PIX, and I am still having problems.  Here is my configuration:

T-1 #1 - WAN IP / LAN IP
T-1 #2 - WAN IP / LAN IP

PIX outside Interface / (I configured this so it could NAT across both sets of LAN IP's for the T-1's).

PIX inside Interface /

nat = -->
nat = -->
default route in pix = (eth 0/0 -T1 #1) of 2620.

I think the problem is the eth 0/0 is getting an address outside of its subnet (, and it can't pass it over to the second t-1 (it is just dropping the packet).  

When I turn on debugging in the pix, the addresses are natting properly, and it is trying to send traffic (from to it's DNS...with no luck).  The is working great (i.e. surfing, emailing, etc.)

Please help!
LVL 79

Expert Comment

ID: 10680156
How do you have both WAN IP's the same???
The PIX outside subnet mask should match your FastEthernet 0/0.
What I would expect:

Interface FastEthernet 0/0
 ip add
Interface FastEthernet 0/1

ip address outside
global (outside) 40
global (outside) 105 interface
nat (inside) 40
nat (inside) 105
route outside


Author Comment

ID: 10680187
Sorry...the second T-1 is

Author Comment

ID: 10680615
lr...still not luck.  I have made all configs in the 2620 & the 515 as suggested (the only difference being I named my route map OUTBOUND not TEST).  I still can't surf.  I am testing off a Laptop with IP / / gateway = (pix).  Any more suggestions?

Author Comment

ID: 10680778
lr moore...here is the problem...

my 2620 has the default route / / (gateway of first t-1).  How do I enter the gateway for the second t-1?
LVL 79

Expert Comment

ID: 10680882
try adding another same-cost default
ip route  


Author Comment

ID: 10680942
if i add another default route...then both t-1's crawl.  Is there any way to put something in the access list or route map that says once you go to serial 0/1, then you need to go to ip
LVL 79

Accepted Solution

lrmoore earned 2000 total points
ID: 10681012
Yes, you can use the route-map command:

Instead of this:

route-map OUTBOUND permit 20
 match address 103
 set default interface serial 1/0.1 <<--

Try this:
route-map OUTBOUND permit 20
 match address 103
 set ip next-hop <<--


Featured Post

The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
In this article, the configuration steps in Zabbix to monitor devices via SNMP will be discussed with some real examples on Cisco Router/Switch, Catalyst Switch, NAS Synology device.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question