08-06-2007 07:27 AM - edited 03-03-2019 06:11 PM
Hello, I have two routers that each have 2 connections: Internet and a point-to-point link connecting them to each other. I am trying to route from our 10.0.1.0 LAN to a new private network: 192.168.10.0. This new network branches off the firewall on 10.0.0.0 and is not directly attached to either router. The policy below was already in place...
access-list 198 permit ip 10.0.1.0 0.0.0.255 any
access-list 199 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
route-map ToSonicwall permit 10
match ip address 199
set ip default next-hop 10.1.1.1
!
route-map ToSonicwall permit 20
match ip address 198
set ip next-hop 10.0.1.254
set ip default next-hop 10.0.1.254
I tried adding a simple route statement as follows:
ip route 192.168.10.0 255.255.255.0 10.0.0.0
For some reason unknown to me, this caused traffic to go through the firewall at 10.0.1.254, which I don't want. The problem is that the traffic shows up at the destination firewall as coming from the outside interface of the other firewall and gets dumped as an IP spoof.
Tracing route to ftp01 [192.168.10.6]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 10.0.1.253
2 1 ms 28 ms 32 ms 10.1.1.1
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
I tried to add a new policy:
access-list 197 permit ip 10.0.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 198 permit ip 10.0.1.0 0.0.0.255 any
access-list 199 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
route-map ToSonicwall permit 5
match ip address 197
set ip default next-hop 10.1.1.1
!
route-map ToSonicwall permit 10
match ip address 199
set ip default next-hop 10.1.1.1
!
route-map ToSonicwall permit 20
match ip address 198
set ip next-hop 10.0.1.254
set ip default next-hop 10.0.1.254
This did not help - it just sends 192 traffic to the Internet.
Any help would be appreciated, Thanks!
08-06-2007 12:37 PM
The route-map (PBR) will take precedence over any dynamic or static routing implemented.
You have ACL 198 in the first example that states that any traffic from 10.0.1.0/24 to any destination uses gateway 10.0.1.254.
If you don't want 10.0.1.0/24 to go via this gateway when trying to reach the 192.168.10.0/24 network, you must create a deny in ACL 198:
access-list 198 deny ip 10.0.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 198 permit ip 10.0.1.0 0.0.0.255 any
HTH,
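As an added illustration (not part of this thread and not Cisco code), the following Python model replays the ToSonicwall route-map against a sample packet, once with the original ACL 198 and once with the deny entry suggested in the reply. It also models the difference between set ip next-hop, which is applied before the routing table is consulted, and set ip default next-hop, which IOS uses only when the routing table has no explicit route to the destination (a default route does not count). The routing-table entries, the 10.0.0.1 next hop toward the new network, and the sample source and destination addresses are assumptions for illustration only.

```python
"""Toy model of Cisco IOS policy-based routing (PBR) evaluation.

Added example, not from the thread. It evaluates the ToSonicwall
route-map from the question with both versions of ACL 198 and shows
why the deny entry keeps 10.0.1.0/24 -> 192.168.10.0/24 traffic out of
the 'permit ip ... any' clause. Routing-table contents are assumptions.
"""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # IOS 'any' = 0.0.0.0 255.255.255.255


def wildcard_match(addr, net, wildcard):
    """IOS wildcard-mask test: bits set in the wildcard are don't-care bits."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def acl_lookup(acl, src, dst):
    """Return 'permit' or 'deny' from the first matching ACE.

    acl is an ordered list of (action, (src, src_wild), (dst, dst_wild)).
    A packet that matches nothing hits the implicit deny at the end.
    """
    for action, (s, sw), (d, dw) in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"


def rib_lookup(rib, dst):
    """Longest-prefix match. Returns (next_hop, is_default_route) or None."""
    best = None
    for prefix, next_hop in rib:
        net = ipaddress.IPv4Network(prefix)
        if ipaddress.IPv4Address(dst) in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, next_hop)
    if best is None:
        return None
    return best[1], best[0].prefixlen == 0


def forward(route_map, acls, rib, src, dst):
    """Pick the next hop the way IOS PBR does. Returns (next_hop, reason).

    Clauses are tried in sequence order and a clause matches only if its
    ACL *permits* the packet; an ACL deny falls through to the next clause.
    'set ip next-hop' overrides the routing table. 'set ip default next-hop'
    is used only when the routing table has no explicit (non-default) route.
    """
    route = rib_lookup(rib, dst)
    for clause in route_map:
        if acl_lookup(acls[clause["match"]], src, dst) != "permit":
            continue
        if clause.get("next_hop"):
            return clause["next_hop"], f"seq {clause['seq']} set ip next-hop"
        if clause.get("default_next_hop"):
            if route is not None and not route[1]:
                return route[0], f"seq {clause['seq']} matched, explicit route wins"
            return clause["default_next_hop"], f"seq {clause['seq']} set ip default next-hop"
        return (route[0] if route else None), f"seq {clause['seq']} matched, no set"
    if route is None:
        return None, "no route, dropped"
    return route[0], "routing table"


# ACLs exactly as posted in the thread (197 is unused by this route-map).
ACL_197 = [("permit", ("10.0.1.0", "0.0.0.255"), ("192.168.10.0", "0.0.0.255"))]
ACL_198_ORIGINAL = [("permit", ("10.0.1.0", "0.0.0.255"), ANY)]
ACL_198_FIXED = [
    ("deny", ("10.0.1.0", "0.0.0.255"), ("192.168.10.0", "0.0.0.255")),
    ("permit", ("10.0.1.0", "0.0.0.255"), ANY),
]
ACL_199 = [("permit", ("10.0.1.0", "0.0.0.255"), ("10.0.0.0", "0.0.0.255"))]

# route-map ToSonicwall from the first post, in sequence order.
ROUTE_MAP_TOSONICWALL = [
    {"seq": 10, "match": 199, "default_next_hop": "10.1.1.1"},
    {"seq": 20, "match": 198, "next_hop": "10.0.1.254", "default_next_hop": "10.0.1.254"},
]

# Assumed routing table: a static route to the new network via a hypothetical
# host next hop 10.0.0.1 (the posted 'ip route ... 10.0.0.0' names a network,
# not a host) plus a default route toward the Internet.
RIB = [
    ("192.168.10.0/24", "10.0.0.1"),
    ("0.0.0.0/0", "10.1.1.1"),
]


def next_hop_for(acl_198, src="10.0.1.5", dst="192.168.10.6", rib=RIB):
    """Evaluate one sample packet against the route-map with the given ACL 198."""
    acls = {197: ACL_197, 198: acl_198, 199: ACL_199}
    return forward(ROUTE_MAP_TOSONICWALL, acls, rib, src, dst)


if __name__ == "__main__":
    print("original ACL 198 :", next_hop_for(ACL_198_ORIGINAL))
    print("with deny added  :", next_hop_for(ACL_198_FIXED))
    print("dst in 10.0.0.0/24:", next_hop_for(ACL_198_FIXED, dst="10.0.0.20"))
```

With the original ACL 198 the sample packet is caught by sequence 20 and forced to 10.0.1.254 regardless of the static route; with the deny entry in place, sequence 20 no longer matches, PBR falls through, and the routing table's entry for 192.168.10.0/24 is used. The third case shows that sequence 10's set ip default next-hop takes effect only because the sample routing table has nothing but a default route for 10.0.0.0/24; add an explicit route for that prefix and the routing table wins.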