Internet Only Vlan & Policy Routing

Apr 23rd, 2008

Hi,

I have a quick question and I was wondering if anyone could help.


I want to create an Internet-only VLAN for our guests, which would save the cost of 4 DSL lines.


For example, our internal network is 172.17.0.0, and I want to create VLAN 161 and assign 192.168.161.0/24 to the "internet only network", with a DFG of 172.17.74.22, which is another set of ASAs, not our internal corporate DFG.



The access-list that I want to create would look like this:

ip access-list extended Guest-internet-only
! Permit DHCP requests
permit udp any host 172.17.74.217 eq bootps
! Permit DNS requests
permit udp 192.168.161.0 0.0.0.255 host 172.17.74.217 eq domain
! Permit access to the B2B Internet firewalls' inside interface
permit ip 192.168.161.0 0.0.0.255 host 172.17.74.22
! Deny access to all other internal PFFB corporate resources, with logging
deny ip any 172.17.0.0 0.255.255.255 log-input
! Permit "ALL" access to the Internet (add "log-input" if we want to see what's going on)
permit ip any any


Then apply this access-list to the VLAN interface:

interface Vlan161
ip access-group Guest-internet-only in


The question I have is, how can I policy route 192.168.161.0/24 to the next hop of 172.17.74.22?


Thanks for your help.

Larry


lacox3131 Thu, 04/24/2008 - 11:23

Hi Serg,

Thanks for getting back to me and for the information. I've updated my configs; can you please take a look and tell me if I've missed anything?


interface Vlan161
description Internet-Only Test VLAN
ip address 192.168.161.1 255.255.255.0
ip helper-address 172.17.74.56
no ip redirects
ip rip advertise 180
ip access-group internet-only in
!
access-list 100 permit ip 192.168.161.0 0.0.0.255 host 172.17.74.22
!
route-map Internet-Only permit 10
match ip address 100
set ip default next-hop 172.17.74.22
!
ip access-list extended internet-only
! Permit DHCP requests
permit udp any host 172.17.74.56 eq bootps
! Permit DNS requests
permit udp 192.168.161.0 0.0.0.255 host 172.17.74.217 eq domain
! Permit access to the B2B Internet firewalls' inside interface
permit ip 192.168.161.0 0.0.0.255 host 172.17.74.22
! Deny access to all other internal PFFB corporate resources, with logging
deny ip any 172.17.0.0 0.255.255.255 log-input
! Permit "ALL" access to the Internet (add "log-input" to monitor what's going on)
permit ip any any

t814687 Thu, 04/24/2008 - 12:44

Some issues here:

1) ACL 100 should catch the traffic you want to PBR, so it should say permit to any.

2) set ip next-hop 172.17.74.22

Do not use the "default" keyword here: if you use it, the router will use the routing table to route when a route to the destination is available and will not PBR.

3) Typo in "route-map Internet-Only permit 10"; route maps are case sensitive.

The rest looks OK to me. Try it out.

Also, if you want users to ping their default gateway, you might want to deny that traffic in your ACL 100, as I suspect the router will PBR the traffic for local pings... something to think about.

serg

lacox3131 Thu, 04/24/2008 - 13:59

Hi Serg,

I've updated the configs with the changes that you recommended; can you please give them one more look? One last question: I'm not sure how I would update ACL 100 to allow users to ping their default gateway.



interface Vlan161
description Internet-Only Test VLAN interface on 6509
ip address 192.168.161.1 255.255.255.0
ip helper-address 172.17.74.56
no ip redirects
ip rip advertise 180
ip access-group internet-only in
!
access-list 100 permit ip 192.168.161.0 0.0.0.255 any
!
route-map Internet-Only permit 10
match ip address 100
set ip next-hop 172.17.74.22
!
ip access-list extended internet-only
! Permit DHCP requests
permit udp any host 172.17.74.56 eq bootps
! Permit DNS requests
permit udp 192.168.161.0 0.0.0.255 host 172.17.74.217 eq domain
! Permit access to the B2B Internet firewalls' inside interface
permit ip 192.168.161.0 0.0.0.255 host 172.17.74.22
! Deny access to all other internal PFFB corporate resources, with logging
deny ip any 172.17.0.0 0.255.255.255 log-input
! Permit "ALL" access to the Internet (add "log-input" to monitor what's going on)
!
permit ip any any

Thanks again for all your help!




t814687 Thu, 04/24/2008 - 14:26

Try:

access-list 100 deny icmp 192.168.161.0 0.0.0.255 host 192.168.161.1 echo
access-list 100 permit ip 192.168.161.0 0.0.0.255 any
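As an added check (example code written for this edit, not from the thread or from Cisco): a small Python first-match evaluator that replays the final "internet-only" ACL and ACL 100, including the ping exemption just suggested, against a few constructed guest flows. It assumes the route-map is actually applied on the SVI with "ip policy route-map Internet-Only", which the posted interface configs leave out; "log-input" and the ICMP "echo" type are not modelled.

```python
import ipaddress

def wc_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    return a & care == b & care

ANY = ("0.0.0.0", "255.255.255.255")
GUEST = ("192.168.161.0", "0.0.0.255")  # 192.168.161.0/24 as (base, wildcard)

# (action, proto, (src, src_wc), (dst, dst_wc), dst_port) mirroring the posted "internet-only" ACL.
INTERNET_ONLY = [
    ("permit", "udp", ANY, ("172.17.74.56", "0.0.0.0"), 67),
    ("permit", "udp", GUEST, ("172.17.74.217", "0.0.0.0"), 53),
    ("permit", "ip", GUEST, ("172.17.74.22", "0.0.0.0"), None),
    # Wildcard 0.255.255.255 as posted matches all of 172.0.0.0/8, not only 172.17/16.
    ("deny", "ip", ANY, ("172.17.0.0", "0.255.255.255"), None),
    ("permit", "ip", ANY, ANY, None),
]

# ACL 100 as finally suggested (ICMP type "echo" is not modelled: any guest ICMP to the SVI is a ping).
ACL_100 = [
    ("deny", "icmp", GUEST, ("192.168.161.1", "0.0.0.0"), None),
    ("permit", "ip", GUEST, ANY, None),
]

def acl_action(acl, proto, src, dst, dport=None):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for action, aproto, (s, swc), (d, dwc), port in acl:
        if (aproto in ("ip", proto) and wc_match(src, s, swc)
                and wc_match(dst, d, dwc) and (port is None or port == dport)):
            return action
    return "deny"

def forward(proto, src, dst, dport=None):
    """Inbound ACL on Vlan161 first; flows ACL 100 permits are then handed to the B2B ASA."""
    if acl_action(INTERNET_ONLY, proto, src, dst, dport) == "deny":
        return "dropped"
    if acl_action(ACL_100, proto, src, dst, dport) == "permit":
        return "pbr->172.17.74.22"
    return "routing-table"

def check_samples():
    """Constructed flows: Internet, corporate host, internal DNS (permitted yet PBR'd), ping to SVI."""
    flows = [("tcp", "192.168.161.50", "203.0.113.10", 443),
             ("tcp", "192.168.161.50", "172.17.10.5", 445),
             ("udp", "192.168.161.50", "172.17.74.217", 53),
             ("icmp", "192.168.161.50", "192.168.161.1", None)]
    return {f: forward(*f) for f in flows}
```

The run shows that guest DNS to 172.17.74.217 passes the filter but is also matched by ACL 100, so it is policy-routed to the ASA instead of the DNS server; a deny line for the helper and DNS hosts at the top of ACL 100, like the one for the gateway ping, keeps those flows on the routing table.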
