04-23-2008 03:50 PM - edited 03-03-2019 09:40 PM
Hi.
I have a quick question and I was wondering if anyone could help.
I want to create an Internet-only VLAN for our guests, which would save the cost of 4 DSL lines.
For example, our internal network is 172.17.0.0, and I want to create VLAN 161 and assign 192.168.161.0/24 to the "internet only network",
with a DFG of 172.17.74.22, which is another set of ASAs, not our internal corporate DFG.
The access-list that I want to create would look like this:
ip access-list extended Guest-internet-only
! Permit DHCP requests
permit udp any host 172.17.74.217 eq bootps
! Permit DNS requests
permit udp 192.168.161.0 0.0.0.255 host 172.17.74.217 eq domain
! Permit access to the B2B Internet firewalls' inside interface
permit ip 192.168.161.0 0.0.0.255 host 172.17.74.22
! Deny access to all other internal PFFB corporate resources, with logging
deny ip any 172.17.0.0 0.255.255.255 log-input
! Permit "ALL" access to the Internet (add "log-input" if we want to see what's going on)
permit ip any any
Then apply this access-list to the VLAN interface:
interface Vlan161
ip access-group Guest-internet-only in
The question I have is, how can I policy route 192.168.161.0/24 to the next hop of 172.17.74.22?
Thanks for your help.
Larry
04-24-2008 08:00 AM
Larry, just create an ACL that will match your source subnet and set next hop to your 172.17.74.22 and make sure the return traffic comes back symmetrically to that ASA.
Take a look here, hope it will help:
http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a00801f3b54.shtml
serg
04-24-2008 11:23 AM
Serg hi,
Thanks for getting back to me and thanks for the information. I've updated my configs; can you please take a look and tell me if I've missed anything:
interface Vlan161
description Internet-Only Test VLAN
ip address 192.168.161.1 255.255.255.0
ip helper-address 172.17.74.56
no ip redirects
ip rip advertise 180
ip access-group internet-only in
! Apply the PBR route-map to the VLAN interface (without this line the route-map is never consulted)
ip policy route-map Internet-Only
!
access-list 100 permit ip 192.168.161.0 0.0.0.255 host 172.17.74.22
!
route-map Internet-Only permit 10
match ip address 100
set ip default next-hop 172.17.74.22
!
ip access-list extended internet-only
! Permit DHCP requests
permit udp any host 172.17.74.56 eq bootps
! Permit DNS requests
permit udp 192.168.161.0 0.0.0.255 host 172.17.74.217 eq domain
! Permit access to the B2B Internet firewalls' inside interface
permit ip 192.168.161.0 0.0.0.255 host 172.17.74.22
! Deny access to all other internal PFFB corporate resources, with logging
deny ip any 172.17.0.0 0.255.255.255 log-input
! Permit "ALL" access to the Internet (add "log-input" to monitor what's going on)
permit ip any any
04-24-2008 12:44 PM
Some issues here:
1) ACL 100 should catch the traffic you want to PBR,
so it should say permit.
2) set ip next-hop 172.17.74.22
Do not use the "default" keyword here, as if you use it the router will use the routing table to route if your next hop is available and will not PBR.
3) Typo in route-map Internet-Only permit 10:
route-map names are case sensitive.
The rest looks OK to me. Try it out.
Also, if you want users to ping their default gateway, you might want to deny that traffic in your ACL 100, as I suspect the router will PBR the traffic for a local ping... something to think about.
serg
04-24-2008 01:59 PM
Serg hi,
I've updated the configs with the changes that you recommended; can you please give them one more look. One last question: I'm not sure how I would update ACL 100 to allow users to ping their default gateway?
interface Vlan161
description Internet-Only Test VLAN interface on 6509
ip address 192.168.161.1 255.255.255.0
ip helper-address 172.17.74.56
no ip redirects
ip rip advertise 180
ip access-group internet-only in
! Apply the PBR route-map to the VLAN interface (without this line the route-map is never consulted)
ip policy route-map Internet-Only
!
access-list 100 permit ip 192.168.161.0 0.0.0.255 any
!
route-map Internet-Only permit 10
match ip address 100
set ip next-hop 172.17.74.22
!
ip access-list extended internet-only
! Permit DHCP requests
permit udp any host 172.17.74.56 eq bootps
! Permit DNS requests
permit udp 192.168.161.0 0.0.0.255 host 172.17.74.217 eq domain
! Permit access to the B2B Internet firewalls' inside interface
permit ip 192.168.161.0 0.0.0.255 host 172.17.74.22
! Deny access to all other internal PFFB corporate resources, with logging
deny ip any 172.17.0.0 0.255.255.255 log-input
! Permit "ALL" access to the Internet (add "log-input" to monitor what's going on)
!
permit ip any any
Thanks again for all your help!
04-24-2008 02:26 PM
Try:
access-list 100 deny icmp 192.168.161.0 0.0.0.255 host 192.168.161.1 echo
access-list 100 permit ip 192.168.161.0 0.0.0.255 any
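As an added illustration (my own Python model, not Cisco code and not part of this thread), here is a small simulation of the final design: the inbound ACL "internet-only" on Vlan161 is evaluated first, then ACL 100 decides whether route-map Internet-Only policy-routes the packet to 172.17.74.22. It simplifies IOS (first-match wildcard ACLs, no logging or state) and the Internet host 198.51.100.7 in the test is a constructed address.

```python
import ipaddress

# Constructed model (not Cisco code) of the thread's design: the inbound ACL
# "internet-only" on Vlan161, then route-map Internet-Only, which policy-routes
# whatever ACL 100 permits to next hop 172.17.74.22 (the guest ASA).
GUEST = "192.168.161.0 0.0.0.255"

# Entry: (action, protocol, src spec, dst spec, qualifier); the qualifier is a
# destination port (eq) or an ICMP type name, None when the line has none.
ACL_INTERNET_ONLY = [
    ("permit", "udp", "any", "host 172.17.74.56", 67),        # eq bootps
    ("permit", "udp", GUEST, "host 172.17.74.217", 53),       # eq domain
    ("permit", "ip", GUEST, "host 172.17.74.22", None),       # B2B ASA inside
    ("deny", "ip", "any", "172.17.0.0 0.255.255.255", None),  # log-input in IOS
    ("permit", "ip", "any", "any", None),
]
ACL_100 = [  # serg's final version: gateway pings are excluded from PBR
    ("deny", "icmp", GUEST, "host 192.168.161.1", "echo"),
    ("permit", "ip", GUEST, "any", None),
]

def wc_match(addr, spec):
    """IOS address spec: 'any', 'host X', or 'NETWORK WILDCARD'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    if net == "host":
        return addr == wild
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))  # wildcard -> mask
    return int(ipaddress.IPv4Address(addr)) & mask == int(ipaddress.IPv4Address(net)) & mask

def acl_lookup(acl, pkt):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for action, proto, src, dst, qual in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wc_match(pkt["src"], src) and wc_match(pkt["dst"], dst)):
            continue
        if qual is not None and pkt.get("qual") != qual:
            continue
        return action
    return "deny"

def forward(pkt):
    """Where Vlan161 sends a packet: dropped, PBR next hop, or the routing table."""
    if acl_lookup(ACL_INTERNET_ONLY, pkt) == "deny":
        return "dropped"
    if acl_lookup(ACL_100, pkt) == "permit":
        return "next-hop 172.17.74.22"  # route-map matched: policy-routed
    return "routing table"              # no match: normal destination lookup
```

Running it over sample packets shows the ping to 192.168.161.1 now falling through to the routing table while a file-server connection into 172.17.0.0 is dropped; note that a DNS query to 172.17.74.217 is still policy-routed to the ASA, because the final ACL 100 permits everything sourced from the guest subnet.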