«

Our PIX is the def gtwy on our internal network, yet we have an Ironport
e-mail appliance that we want to also use on outbound e-mail.

With a regular Cisco router as a def gtwy I could issue the following route
map to redirect outbound smtp e-mail to another device-like the ironport.

route-map MAILTRAFFIC permit 10
match ip address OUTSMTP
set ip next-hop 192.168.1.208 the IRONPORT

interface E0 the inbound interface of
the internal side of the router
ip address 192.168.1.1 255.255.255.0
ip policy route-map MAILTRAFFIC

access-list ext OUTSMTP
permit tcp host 192.168.1.205 any eq smtp
deny any any eq smtp
permit ip any any

I have reviewed the PIX manuals and did not see any reference to any
route-map commands, yet the GURUs among this group may know how to do this
and/or tell me that it is not feasible.

Any help would be appreciated.

Hello, Houston!

PIX is not router.

--

"Houston SBC" <> wrote:

> Our PIX is the def gtwy on our internal network, yet we have an Ironport
> e-mail appliance that we want to also use on outbound e-mail.
>
> With a regular Cisco router as a def gtwy I could issue the following route
> map to redirect outbound smtp e-mail to another device-like the ironport.
>
> route-map MAILTRAFFIC permit 10
> match ip address OUTSMTP
> set ip next-hop 192.168.1.208 the IRONPORT
>
> interface E0 the inbound interface of the internal side of the router
> ip address 192.168.1.1 255.255.255.0
> ip policy route-map MAILTRAFFIC
>
> access-list ext OUTSMTP
> permit tcp host 192.168.1.205 any eq smtp
> deny any any eq smtp
> permit ip any any
>
> I have reviewed the PIX manuals and did not see any reference to any
> route-map commands, yet the GURUs among this group may know how to do this
> and/or tell me that it is not feasible.
>
> Any help would be appreciated.

It might help if you could tell the OS version you are running.
Version 6 has only fixed routes and OSPF - no route-maps.

However there are OS versions 7 and 8, but you can run them only
in the high end PIX boxes (515->).

* Houston SBC wrote:
> With a regular Cisco router as a def gtwy I could issue the following route
> map to redirect outbound smtp e-mail to another device-like the ironport.
>
> route-map MAILTRAFFIC permit 10
> match ip address OUTSMTP
> set ip next-hop 192.168.1.208 the IRONPORT

PIX is not a router, but a NAT device. So you can't use route-maps for other
issues than OSFP and RIP. But you can set up a nat entry:

nat (outside,inside) OUTSMTP 192.168.1.208 ! yes, from inside to outside

You can even restrict this rule with an access-list to match only SMTP
traffic.

Have fun.

In article <>,
Lutz Donnerhacke <> wrote:

>PIX is not a router, but a NAT device. So you can't use route-maps for other
>issues than OSFP and RIP.

OSPF and RIP and other routing protocols do not define a router.
A router is any device that connects multiple layer 2 networks
at layer 3, and every PIX model since the beginning has been
able to do that. Therefore a PIX *is* a router. It just isn't very
flexible in how it makes its routing decisions, and it violates
the RFCs by not decrementing the TTL... but adherence to RFCs does
not define whether it is a router or not.

Houston SBC,

I believe that the answer you seek is, "The PIX cannot do route-maps."

This has nothing to do with the version of the PIX image.
Although the PIX does perform routing, it just is not as sophisticated as
the actual routers in some regards.

Does the Ironport device act as an incoming and outgoing SMTP server or does
it intercept outgoing SMTP traffic? I thought that inside hosts were
configured to use the Ironport device as a SMTP server for outgoing messages
and that DNS was configured to have inbound e-mail go to the Ironport
device. In that situation, the Ironport device would forward the received
inbound e-mail to the actual internal e-mail server after Ironport device
processing. So, if this is the case, the inside hosts or servers need to be
configured to use the Ironport device for outbound message delivery and the
policy based routing or route map is not needed.

-----
Scott Perry
Indianapolis, IN
-----

"Walter Roberson" <> wrote in message
news:8RBsk.37012$hx.5365@pd7urf3no...
> In article <>,
> Lutz Donnerhacke <> wrote:
>
>>PIX is not a router, but a NAT device. So you can't use route-maps for
>>other
>>issues than OSFP and RIP.
>
> OSPF and RIP and other routing protocols do not define a router.
> A router is any device that connects multiple layer 2 networks
> at layer 3, and every PIX model since the beginning has been
> able to do that. Therefore a PIX *is* a router. It just isn't very
> flexible in how it makes its routing decisions, and it violates
> the RFCs by not decrementing the TTL... but adherence to RFCs does
> not define whether it is a router or not.

A very cognizant answer..Thanks

Problem is that the Ironport was setup to accept inbound email for the
associated domain and then relay spam free mail to the actual internal
e-mail server.
What the install person did not do was to make sure that outbound e-mail
used the same reverse path.
Outbound email goes to the sites def gtwy, which in this case is the PIX
550. Thus the route map question?

Since Exchange 2007 is in use, either a def gtwy or a smart email host is
allowed on the outbound trip.
Using the internal address of the Ironport did not allow email egression.
Customer is contacting Ironport
about the required steps needed to allow both inbound and outbound email to
pass through their device.
It would be nice to clean the outbound email.

This is the kind of shoddy workmanship that keeps me busy...Sell, sell, sell
and do a Mickey mouse install....





"Scott Perry" <scott.perry@somecompany> wrote in message
news:48b2ff4b$0$3717$.. .
> Houston SBC,
>
> I believe that the answer you seek is, "The PIX cannot do route-maps."
>
> This has nothing to do with the version of the PIX image.
> Although the PIX does perform routing, it just is not as sophisticated as
> the actual routers in some regards.
>
> Does the Ironport device act as an incoming and outgoing SMTP server or
> does it intercept outgoing SMTP traffic? I thought that inside hosts were
> configured to use the Ironport device as a SMTP server for outgoing
> messages and that DNS was configured to have inbound e-mail go to the
> Ironport device. In that situation, the Ironport device would forward the
> received inbound e-mail to the actual internal e-mail server after
> Ironport device processing. So, if this is the case, the inside hosts or
> servers need to be configured to use the Ironport device for outbound
> message delivery and the policy based routing or route map is not needed.
>
> -----
> Scott Perry
> Indianapolis, IN
> -----
>
> "Walter Roberson" <> wrote in message
> news:8RBsk.37012$hx.5365@pd7urf3no...
>> In article <>,
>> Lutz Donnerhacke <> wrote:
>>
>>>PIX is not a router, but a NAT device. So you can't use route-maps for
>>>other
>>>issues than OSFP and RIP.
>>
>> OSPF and RIP and other routing protocols do not define a router.
>> A router is any device that connects multiple layer 2 networks
>> at layer 3, and every PIX model since the beginning has been
>> able to do that. Therefore a PIX *is* a router. It just isn't very
>> flexible in how it makes its routing decisions, and it violates
>> the RFCs by not decrementing the TTL... but adherence to RFCs does
>> not define whether it is a router or not.
>
>