Cisco 877 Policy Routing

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Hey everyone,

Having some trouble with my routing and was wondering if anyone could give me a gentle push in the right direction, We have 4 vlans on the network and I would like to punt all the traffic leaving our network through the firewall via policy routing(I think that how i need to do it lol)

Vlan1 10.10.0.0/24
Vlan2 10.10.50.0/24
Vlan3 10.10.100.0/24
Vlan4 10.10.200.0/24
Router 10.10.0.1, 10.10.50.1, 10.10.100.1, 10.10.200.1
Firewall 10.10.0.2, 10.10.50.2, 10.10.100.2, 10.10.200.1

I would like the router to handle all the lan routing and only pass exiting traffic to the firewall, now because I'm not to great at the networking stuff I'm not to sure if I'm on the right track but here is what I've got so far

Code:

no ip cef

access-list 10 permit 10.10.0.0 0.0.0.255
access-list 11 permit 10.10.50.0 0.0.0.255
access-list 12 permit 10.10.100.0 0.0.0.255
access-list 13 permit 10.10.200.0 0.0.0.255

route-map SetNextHop10 permit 10
match ip address 10
set ip next-hop 10.10.0.2


route-map SetNextHop11 permit 11
match ip address 11
set ip next-hop 10.10.50.2


route-map SetNextHop12 permit 12
match ip address 12
set ip next-hop 10.10.100.2


route-map SetNextHop13 permit 13
match ip address 13
set ip next-hop 10.10.200.2


interface Vlan1
ip policy route-map SetNextHop10


interface Vlan2
ip policy route-map SetNextHop11


interface Vlan3
ip policy route-map SetNextHop12


interface Vlan4
ip policy route-map SetNextHop13

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Judging from the info you provided it appears both the router and the firewall have interfaces on each vlan. So, why bother with the router? The firewall can route between the vlans.

If you want to leave tthe topology as is then there is no need for policy based routing. If the router ip addresses are used by hosts on the vlans as their default gateway, then all you need is a default route on the router pointing to the firewall, no PBR required.

Spice_Weasel

 

If truth be told I was having problems with inter-vlan routing when I was using the firewall for routing(trunked) but it seemed fine when I used different ports for each vlan on the firewall. Both of these commands where in my config

same-security-traffic permit intra-interface
same-security-traffic permit inter-interface


I will restore my original config to the ASA and post it later here for you to look at, this was only a workaround till I could get round to sinking a book on the subject.

 

I must have missed something the first time around, I started again and looked over all my notes, all seems to be working now with the below sample config, taffic now flows between vlan100 to vlan 200 over the trunk.

Code:

Result of the command: "sh config"

: Saved
: Written by enable_15 at 21:17:58.509 UTC Mon Feb 23 2009
!
ASA Version 8.0(4) 
!
hostname ciscoasa
enable password <removed> encrypted
passwd <removed> encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Vlan100
 description Vlan100
 nameif net100
 security-level 100
 ip address 10.10.100.1 255.255.255.0 
!
interface Vlan200
 nameif net200
 security-level 100
 ip address 10.10.200.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 switchport access vlan 100
!
interface Ethernet0/6
 switchport access vlan 200
!
interface Ethernet0/7
 switchport trunk allowed vlan 200
 switchport trunk native vlan 100
 switchport mode trunk
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list net100_ibound_acl remark Domain
access-list net100_ibound_acl extended permit object-group TCPUDP 10.10.100.0 255.255.255.0 eq domain any 
access-list net100_ibound_acl remark HTTP
access-list net100_ibound_acl extended permit tcp 10.10.100.0 255.255.255.0 eq www any 
access-list net100_ibound_acl remark HTTPS
access-list net100_ibound_acl extended permit tcp 10.10.100.0 255.255.255.0 eq https any 
access-list net100_ibound_acl remark FTP
access-list net100_ibound_acl extended permit tcp 10.10.100.0 255.255.255.0 eq ftp any 
access-list net100_ibound_acl remark POP3
access-list net100_ibound_acl extended permit tcp 10.10.100.0 255.255.255.0 eq pop3 any 
access-list net100_ibound_acl remark IMAP4
access-list net100_ibound_acl extended permit tcp 10.10.100.0 255.255.255.0 eq imap4 any 
access-list net100_ibound_acl remark SMTP
access-list net100_ibound_acl extended permit tcp 10.10.100.0 255.255.255.0 eq smtp any 
access-list net100_ibound_acl remark VNC
access-list net100_ibound_acl extended permit tcp 10.10.100.0 255.255.255.0 eq 5900 any 
access-list net100_ibound_acl extended permit ip 10.10.100.0 255.255.255.0 10.10.200.0 255.255.255.0 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu net100 1500
mtu net200 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (net100) 1 0.0.0.0 0.0.0.0
nat (net200) 1 0.0.0.0 0.0.0.0
static (net100,net200) 10.10.100.0 10.10.100.0 netmask 255.255.255.0 
static (net200,net100) 10.10.200.0 10.10.200.0 netmask 255.255.255.0 
access-group net100_ibound_acl in interface net100
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd enable inside
!
dhcpd address 10.10.100.50-10.10.100.200 net100
dhcpd auto_config outside interface net100
dhcpd enable net100
!
dhcpd address 10.10.200.50-10.10.200.200 net200
dhcpd auto_config outside interface net200
dhcpd enable net200
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
removed