10-10-2007 11:40 AM - edited 03-05-2019 07:00 PM
I have a need to bridge a B2B DMZ network to a small section of our internal company LAN. I am bridging the networks using a GRE tunnel that terminates at the router servicing the internal LAN segment.
The issue I have is to configure the end point router so that traffic exiting the tunnel interface can only be sent out the router interface for the LAN segment, and traffic from the LAN segment interface can only be sent out the Tunnel interface.
I believe I can do that using the following configuration:
route-map tu0-to-fa0 permit 10
 match interface Tunnel0
 set interface FastEthernet0
!
route-map fa0-to-tu0 permit 10
 match interface FastEthernet0
 set interface Tunnel0
!
interface Tunnel0
 description endpoint for GRE tunnel
 ip policy route-map tu0-to-fa0
!
interface FastEthernet0
 description internal LAN segment
 ip policy route-map fa0-to-tu0
Interface FA0 also has an inbound ACL assigned to it for managing access to other internal network sites. I assume that the ACL will be processed before PBR is applied - Is this accurate?
If more information is required, please ask.
Thanks in advance.
10-10-2007 12:07 PM
You are creating some confusion using the expression "bridging". If you really want to bridge traffic, create a bridge-group between the LAN and Tunnel interfaces.
Otherwise you will be using routing (which is safer to use).
There is no need to "force" traffic both ways; what goes into the tunnel at one side will come out at the other. The bridge or routing tables determine the rest.
Looking at your proposed setup, I get the impression that this is a fairly complex matter. It would be wise to configure this in a lab-setup before going live.
If this is a critical environment I would also consider hiring someone to assist with the setup. It would be my pleasure to do this for you but likely we are geographically too far apart.
regards,
Leo
10-10-2007 12:30 PM
Sorry, the choice of the word "bridging" was a bad one. It was used in a generic sense, just meaning I need to get the two separated networks to talk to each other.
The main issue is not getting traffic into or out of the tunnel, that's simple enough to setup.
The issue is more of a security related one, in that I do not wish traffic coming out of the tunnel on the end point router to be able to access anything else besides the resources on the Internal LAN segment. And the follow on to that is the need to ensure that traffic originating from the internal LAN segment can only access resources on the far end of the GRE tunnel.
I can think of several ways it can be done, including putting a firewall in place on the internal LAN segment and using a site-to-site VPN. I would like to avoid a solution that involves deploying additional equipment by using PBR, if possible, to achieve the same result.
I was looking for some confirmation that the concept was sound before spending time labbing a possibly unsound design.
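Added example, not from any post in this thread: a route-map with `set interface` only chooses where matched traffic is forwarded and does not deny anything, and PBR route-maps match on `match ip address` or `match length` rather than `match interface`. The restriction the question describes ("tunnel traffic may only reach the internal segment, and the internal segment may only reach the far end of the tunnel") is an access-control statement, so it is expressed here as inbound ACLs on both interfaces; the interface names follow the thread, and the two subnets are constructed placeholders.

```cisco
! Added example for the endpoint router (IOS syntax). Assumed addressing:
!   192.0.2.0/24    = internal LAN segment behind FastEthernet0
!   198.51.100.0/24 = B2B DMZ hosts reachable through the far end of Tunnel0
!
! Packets leaving the tunnel: source must be the DMZ range, destination must
! be the internal segment. Everything else is dropped and logged.
ip access-list extended TU0-IN
 permit ip 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255
 deny   ip any any log
!
! Packets from the internal segment: source must be the segment itself,
! destination must be the DMZ range. Merge these lines with the ACL that is
! already applied inbound on FastEthernet0 rather than replacing it blindly.
ip access-list extended FA0-IN
 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
 deny   ip any any log
!
interface Tunnel0
 description endpoint for GRE tunnel
 ip access-group TU0-IN in
!
interface FastEthernet0
 description internal LAN segment
 ip access-group FA0-IN in
```

The `deny ... log` entries give a record of anything that tries to cross outside the permitted pairs, which is useful when testing the design in the lab before it goes live.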