Cisco 877 Policy Routing

Discussion in 'Networks' started by ThomasMc, Feb 23, 2009.

  1. ThomasMc

    ThomasMc Gigabyte Poster

    Hey everyone,

    Having some trouble with my routing and was wondering if anyone could give me a gentle push in the right direction. We have 4 vlans on the network and I would like to punt all the traffic leaving our network through the firewall via policy routing (I think that's how I need to do it lol)

    Vlan1 10.10.0.0/24
    Vlan2 10.10.50.0/24
    Vlan3 10.10.100.0/24
    Vlan4 10.10.200.0/24
    Router 10.10.0.1, 10.10.50.1, 10.10.100.1, 10.10.200.1
    Firewall 10.10.0.2, 10.10.50.2, 10.10.100.2, 10.10.200.1

    I would like the router to handle all the LAN routing and only pass exiting traffic to the firewall. Now, because I'm not too great at the networking stuff, I'm not too sure if I'm on the right track, but here is what I've got so far

    Code:
    no ip cef
    
    access-list 10 permit 10.10.0.0 0.0.0.255
    access-list 11 permit 10.10.50.0 0.0.0.255
    access-list 12 permit 10.10.100.0 0.0.0.255
    access-list 13 permit 10.10.200.0 0.0.0.255
    
    route-map SetNextHop10 permit 10
    match ip address 10
    set ip next-hop 10.10.0.2
    
    
    route-map SetNextHop11 permit 11
    match ip address 11
    set ip next-hop 10.10.50.2
    
    
    route-map SetNextHop12 permit 12
    match ip address 12
    set ip next-hop 10.10.100.2
    
    
    route-map SetNextHop13 permit 13
    match ip address 13
    set ip next-hop 10.10.200.2
    
    
    interface Vlan1
    ip policy route-map SetNextHop10
    
    
    interface Vlan2
    ip policy route-map SetNextHop11
    
    
    interface Vlan3
    ip policy route-map SetNextHop12
    
    
    interface Vlan4
    ip policy route-map SetNextHop13
    
     
    Certifications: MCDST|FtOCC
    WIP: MCSA(70-270|70-290|70-291)
  2. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    Judging from the info you provided it appears both the router and the firewall have interfaces on each vlan. So, why bother with the router? The firewall can route between the vlans.

    If you want to leave the topology as is then there is no need for policy based routing. If the router ip addresses are used by hosts on the vlans as their default gateway, then all you need is a default route on the router pointing to the firewall, no PBR required.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
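The default-route approach Spice_Weasel describes, written out as an added example rather than config posted in the thread. It assumes the hosts already use the router's VLAN addresses (10.10.x.1) as their default gateway and that the firewall's Vlan1 address 10.10.0.2 is the exit point; the interface and route-map names are the ones from the first post.

```cisco
! Added example, not from the thread: replace the per-VLAN PBR with one default route.
ip cef
!
! Take the policy maps off the VLAN interfaces (undoing the first post's config).
interface Vlan1
 no ip policy route-map SetNextHop10
 ! The firewall (10.10.0.2) sits on this same subnet, so outbound packets from
 ! 10.10.0.0/24 enter and leave the router on Vlan1. By default IOS then sends
 ! ICMP redirects telling those hosts to use 10.10.0.2 directly; suppress that
 ! so every host keeps the router as its only gateway.
 no ip redirects
interface Vlan2
 no ip policy route-map SetNextHop11
interface Vlan3
 no ip policy route-map SetNextHop12
interface Vlan4
 no ip policy route-map SetNextHop13
!
! The route maps and their ACLs are no longer referenced and can go.
no route-map SetNextHop10
no route-map SetNextHop11
no route-map SetNextHop12
no route-map SetNextHop13
no access-list 10
no access-list 11
no access-list 12
no access-list 13
!
! Inter-VLAN traffic still follows the connected routes for the four /24s;
! anything else has no more specific route and leaves via the firewall.
ip route 0.0.0.0 0.0.0.0 10.10.0.2
```

Because the firewall also has an address on every VLAN, its return traffic goes straight back onto each VLAN without passing through the router, so the router only ever sees the outbound half of each flow. That is harmless here: the firewall, which is the device enforcing policy, still sees both directions of every connection. After applying it, `show ip route` should list the four connected VLAN routes plus the single static default, and `show ip policy` should be empty.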
  3. ThomasMc

    ThomasMc Gigabyte Poster

    If truth be told I was having problems with inter-vlan routing when I was using the firewall for routing (trunked) but it seemed fine when I used different ports for each vlan on the firewall. Both of these commands were in my config

    same-security-traffic permit intra-interface
    same-security-traffic permit inter-interface


    I will restore my original config to the ASA and post it here later for you to look at; this was only a workaround till I could get round to sinking a book on the subject.
     
    Certifications: MCDST|FtOCC
    WIP: MCSA(70-270|70-290|70-291)
  4. ThomasMc

    ThomasMc Gigabyte Poster

    :oops: I must have missed something the first time around. I started again and looked over all my notes, and all seems to be working now with the sample config below; traffic now flows between vlan100 and vlan200 over the trunk.

    Code:
    Result of the command: "sh config"
    
    : Saved
    : Written by enable_15 at 21:17:58.509 UTC Mon Feb 23 2009
    !
    ASA Version 8.0(4) 
    !
    hostname ciscoasa
    enable password <removed> encrypted
    passwd <removed> encrypted
    names
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0 
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address dhcp setroute 
    !
    interface Vlan100
     description Vlan100
     nameif net100
     security-level 100
     ip address 10.10.100.1 255.255.255.0 
    !
    interface Vlan200
     nameif net200
     security-level 100
     ip address 10.10.200.1 255.255.255.0 
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
     shutdown
    !
    interface Ethernet0/3
     shutdown
    !
    interface Ethernet0/4
     shutdown
    !
    interface Ethernet0/5
     switchport access vlan 100
    !
    interface Ethernet0/6
     switchport access vlan 200
    !
    interface Ethernet0/7
     switchport trunk allowed vlan 200
     switchport trunk native vlan 100
     switchport mode trunk
    !
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    access-list net100_ibound_acl remark Domain
    access-list net100_ibound_acl extended permit object-group TCPUDP 10.10.100.0 255.255.255.0 eq domain any 
    access-list net100_ibound_acl remark HTTP
    access-list net100_ibound_acl extended permit tcp 10.10.100.0 255.255.255.0 eq www any 
    access-list net100_ibound_acl remark HTTPS
    access-list net100_ibound_acl extended permit tcp 10.10.100.0 255.255.255.0 eq https any 
    access-list net100_ibound_acl remark FTP
    access-list net100_ibound_acl extended permit tcp 10.10.100.0 255.255.255.0 eq ftp any 
    access-list net100_ibound_acl remark POP3
    access-list net100_ibound_acl extended permit tcp 10.10.100.0 255.255.255.0 eq pop3 any 
    access-list net100_ibound_acl remark IMAP4
    access-list net100_ibound_acl extended permit tcp 10.10.100.0 255.255.255.0 eq imap4 any 
    access-list net100_ibound_acl remark SMTP
    access-list net100_ibound_acl extended permit tcp 10.10.100.0 255.255.255.0 eq smtp any 
    access-list net100_ibound_acl remark VNC
    access-list net100_ibound_acl extended permit tcp 10.10.100.0 255.255.255.0 eq 5900 any 
    access-list net100_ibound_acl extended permit ip 10.10.100.0 255.255.255.0 10.10.200.0 255.255.255.0 
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu net100 1500
    mtu net200 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-613.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (net100) 1 0.0.0.0 0.0.0.0
    nat (net200) 1 0.0.0.0 0.0.0.0
    static (net100,net200) 10.10.100.0 10.10.100.0 netmask 255.255.255.0 
    static (net200,net100) 10.10.200.0 10.10.200.0 netmask 255.255.255.0 
    access-group net100_ibound_acl in interface net100
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address 192.168.1.2-192.168.1.254 inside
    dhcpd enable inside
    !
    dhcpd address 10.10.100.50-10.10.100.200 net100
    dhcpd auto_config outside interface net100
    dhcpd enable net100
    !
    dhcpd address 10.10.200.50-10.10.200.200 net200
    dhcpd auto_config outside interface net200
    dhcpd enable net200
    !
    
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map 
      inspect ftp 
      inspect h323 h225 
      inspect h323 ras 
      inspect rsh 
      inspect rtsp 
      inspect esmtp 
      inspect sqlnet 
      inspect skinny  
      inspect sunrpc 
      inspect xdmcp 
      inspect sip  
      inspect netbios 
      inspect tftp 
    !
    removed
    
     
    Certifications: MCDST|FtOCC
    WIP: MCSA(70-270|70-290|70-291)