routing problem

jamie.mai
Level 1

Hello, I have two routers that each have 2 connections: Internet and a point-to-point link connecting them to each other. I am trying to route from our 10.0.1.0 LAN to a new private network: 192.168.10.0. This new network branches off the firewall on 10.0.0.0 and is not directly attached to either router. The policy below was already in place...

access-list 198 permit ip 10.0.1.0 0.0.0.255 any
access-list 199 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
route-map ToSonicwall permit 10
 match ip address 199
 set ip default next-hop 10.1.1.1
!
route-map ToSonicwall permit 20
 match ip address 198
 set ip next-hop 10.0.1.254
 set ip default next-hop 10.0.1.254

I tried adding a simple route statement as follows:

ip route 192.168.10.0 255.255.255.0 10.0.0.0

For some reason unknown to me this caused traffic to go through the firewall at 10.0.1.254 which I don't want. The problem is the traffic shows up at the destination firewall as coming from the outside interface of the other firewall and gets dumped as an ip spoof.

Tracing route to ftp01 [192.168.10.6]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.0.1.253
  2     1 ms    28 ms    32 ms  10.1.1.1
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.

I tried to add a new policy:

access-list 197 permit ip 10.0.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 198 permit ip 10.0.1.0 0.0.0.255 any
access-list 199 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
route-map ToSonicwall permit 5
 match ip address 197
 set ip default next-hop 10.1.1.1
!
route-map ToSonicwall permit 10
 match ip address 199
 set ip default next-hop 10.1.1.1
!
route-map ToSonicwall permit 20
 match ip address 198
 set ip next-hop 10.0.1.254
 set ip default next-hop 10.0.1.254

This did not help - it just sends 192 traffic to the Internet.

Any help would be appreciated, Thanks!


Edison Ortiz
Hall of Fame

The route-map (PBR) will take precedence over any dynamic or static routing implemented.

You have ACL 198 in the first example that states that any traffic from 10.0.1.0/24 to any destination uses gateway 10.0.1.254.

If you don't want 10.0.1.0/24 to go via this gateway when trying to reach the 192.168.10.0/24 network, you must create a deny in ACL 198:

access-list 198 deny ip 10.0.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 198 permit ip 10.0.1.0 0.0.0.255 any

HTH,
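To make the reply's point concrete, here is a small Python model of how IOS evaluates the posted ACLs and route-map for a packet from the 10.0.1.0/24 LAN to 192.168.10.6, first with the original ACL 198 and then with the deny entry added. It is an added illustration, not code from this thread or from Cisco; the source host 10.0.1.10 and the default route via 10.1.1.1 are assumed, and it models only the first-match ACL, route-map sequence and "set ip next-hop" versus "set ip default next-hop" semantics the reply relies on.

```python
import ipaddress

def _wc_match(addr, base, wildcard):
    """Cisco wildcard mask: a set bit means 'don't care' for that position."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def acl_permits(acl, src, dst):
    """First matching ACE decides; an unmatched packet hits the implicit deny."""
    for action, s, s_wc, d, d_wc in acl:
        if _wc_match(src, s, s_wc) and _wc_match(dst, d, d_wc):
            return action == "permit"
    return False

def rib_lookup(rib, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if no route."""
    best = None
    for prefix, nh in rib:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def forward(route_map, acls, rib, src, dst):
    """Next hop chosen for src -> dst: PBR sequences first, then the routing table."""
    for seq in route_map:
        if not acl_permits(acls[seq["match"]], src, dst):
            continue                        # ACL deny or no match: try the next sequence
        if "next_hop" in seq:
            return seq["next_hop"]          # 'set ip next-hop' overrides the routing table
        route = rib_lookup(rib, dst)
        if route and route[0].prefixlen > 0:
            return route[1]                 # an explicit route beats 'set ip default next-hop'
        return seq["default_next_hop"]
    route = rib_lookup(rib, dst)            # no sequence matched: ordinary destination routing
    return route[1] if route else None

# ACLs and route-map as posted in the question (ACE = action, src, src wildcard, dst, dst wildcard).
ACL_199 = [("permit", "10.0.1.0", "0.0.0.255", "10.0.0.0", "0.0.0.255")]
ACL_198 = [("permit", "10.0.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255")]   # 'any'
ACL_198_FIXED = [("deny", "10.0.1.0", "0.0.0.255", "192.168.10.0", "0.0.0.255")] + ACL_198
ROUTE_MAP = [{"match": 199, "default_next_hop": "10.1.1.1"},                      # permit 10
             {"match": 198, "next_hop": "10.0.1.254", "default_next_hop": "10.0.1.254"}]  # permit 20
ACLS_ORIGINAL = {198: ACL_198, 199: ACL_199}
ACLS_FIXED = {198: ACL_198_FIXED, 199: ACL_199}
# Routing table: the static route as posted plus an assumed default route via the point-to-point peer.
RIB = [("0.0.0.0/0", "10.1.1.1"), ("192.168.10.0/24", "10.0.0.0")]

def next_hop_before_fix(src="10.0.1.10", dst="192.168.10.6"):   # source host is assumed
    return forward(ROUTE_MAP, ACLS_ORIGINAL, RIB, src, dst)
def next_hop_after_fix(src="10.0.1.10", dst="192.168.10.6"):
    return forward(ROUTE_MAP, ACLS_FIXED, RIB, src, dst)
```

Before the deny entry, the packet matches sequence 20 and is forced to 10.0.1.254; after it, no sequence matches and the static route is used, while Internet-bound traffic still matches the "permit any" entry.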
