1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Cisco 877 Policy Routing

Discussion in 'Networks' started by ThomasMc, Feb 23, 2009.

  1. ThomasMc

    ThomasMc Gigabyte Poster

    Hey everyone,

    Having some trouble with my routing and was wondering if anyone could give me a gentle push in the right direction, We have 4 vlans on the network and I would like to punt all the traffic leaving our network through the firewall via policy routing(I think that how i need to do it lol)


    I would like the router to handle all the lan routing and only pass exiting traffic to the firewall, now because I'm not to great at the networking stuff I'm not to sure if I'm on the right track but here is what I've got so far

    no ip cef
    access-list 10 permit
    access-list 11 permit
    access-list 12 permit
    access-list 13 permit
    route-map SetNextHop10 permit 10
    match ip address 10
    set ip next-hop
    route-map SetNextHop11 permit 11
    match ip address 11
    set ip next-hop
    route-map SetNextHop12 permit 12
    match ip address 12
    set ip next-hop
    route-map SetNextHop13 permit 13
    match ip address 13
    set ip next-hop
    interface Vlan1
    ip policy route-map SetNextHop10
    interface Vlan2
    ip policy route-map SetNextHop11
    interface Vlan3
    ip policy route-map SetNextHop12
    interface Vlan4
    ip policy route-map SetNextHop13
    Certifications: MCDST|FtOCC
    WIP: MCSA(70-270|70-290|70-291)
  2. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    Judging from the info you provided it appears both the router and the firewall have interfaces on each vlan. So, why bother with the router? The firewall can route between the vlans.

    If you want to leave tthe topology as is then there is no need for policy based routing. If the router ip addresses are used by hosts on the vlans as their default gateway, then all you need is a default route on the router pointing to the firewall, no PBR required.

    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
  3. ThomasMc

    ThomasMc Gigabyte Poster

    If truth be told I was having problems with inter-vlan routing when I was using the firewall for routing(trunked) but it seemed fine when I used different ports for each vlan on the firewall. Both of these commands where in my config

    same-security-traffic permit intra-interface
    same-security-traffic permit inter-interface

    I will restore my original config to the ASA and post it later here for you to look at, this was only a workaround till I could get round to sinking a book on the subject.
    Certifications: MCDST|FtOCC
    WIP: MCSA(70-270|70-290|70-291)
  4. ThomasMc

    ThomasMc Gigabyte Poster

    :oops: I must have missed something the first time around, I started again and looked over all my notes, all seems to be working now with the below sample config, taffic now flows between vlan100 to vlan 200 over the trunk.

    Result of the command: "sh config"
    : Saved
    : Written by enable_15 at 21:17:58.509 UTC Mon Feb 23 2009
    ASA Version 8.0(4) 
    hostname ciscoasa
    enable password <removed> encrypted
    passwd <removed> encrypted
    interface Vlan1
     nameif inside
     security-level 100
     ip address 
    interface Vlan2
     nameif outside
     security-level 0
     ip address dhcp setroute 
    interface Vlan100
     description Vlan100
     nameif net100
     security-level 100
     ip address 
    interface Vlan200
     nameif net200
     security-level 100
     ip address 
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
     switchport access vlan 100
    interface Ethernet0/6
     switchport access vlan 200
    interface Ethernet0/7
     switchport trunk allowed vlan 200
     switchport trunk native vlan 100
     switchport mode trunk
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    access-list net100_ibound_acl remark Domain
    access-list net100_ibound_acl extended permit object-group TCPUDP eq domain any 
    access-list net100_ibound_acl remark HTTP
    access-list net100_ibound_acl extended permit tcp eq www any 
    access-list net100_ibound_acl remark HTTPS
    access-list net100_ibound_acl extended permit tcp eq https any 
    access-list net100_ibound_acl remark FTP
    access-list net100_ibound_acl extended permit tcp eq ftp any 
    access-list net100_ibound_acl remark POP3
    access-list net100_ibound_acl extended permit tcp eq pop3 any 
    access-list net100_ibound_acl remark IMAP4
    access-list net100_ibound_acl extended permit tcp eq imap4 any 
    access-list net100_ibound_acl remark SMTP
    access-list net100_ibound_acl extended permit tcp eq smtp any 
    access-list net100_ibound_acl remark VNC
    access-list net100_ibound_acl extended permit tcp eq 5900 any 
    access-list net100_ibound_acl extended permit ip 
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu net100 1500
    mtu net200 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-613.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1
    nat (net100) 1
    nat (net200) 1
    static (net100,net200) netmask 
    static (net200,net100) netmask 
    access-group net100_ibound_acl in interface net100
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address inside
    dhcpd enable inside
    dhcpd address net100
    dhcpd auto_config outside interface net100
    dhcpd enable net100
    dhcpd address net200
    dhcpd auto_config outside interface net200
    dhcpd enable net200
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map 
      inspect ftp 
      inspect h323 h225 
      inspect h323 ras 
      inspect rsh 
      inspect rtsp 
      inspect esmtp 
      inspect sqlnet 
      inspect skinny  
      inspect sunrpc 
      inspect xdmcp 
      inspect sip  
      inspect netbios 
      inspect tftp 
    Certifications: MCDST|FtOCC
    WIP: MCSA(70-270|70-290|70-291)

Share This Page