Internet Only Vlan & Policy Routing

lacox3131
Level 1

Hi.

I have a quick question and I was wondering if anyone could help.

I want to create an Internet-only VLAN for our guests, which would save the cost of 4 DSL lines.

For example, our internal network is 172.17.0.0, and I want to create VLAN 161 and assign 192.168.161.0/24 to the "internet only network",

with a DFG of 172.17.74.22, which is another set of ASAs, not our internal corporate DFG.

The access-list that I want to create would look like this:

ip access-list extended internet-only
 ! Permit DHCP requests
 permit udp any host 172.17.74.217 eq bootps
 ! Permit DNS requests
 permit udp 192.168.161.0 0.0.0.255 host 172.17.74.217 eq domain
 ! Permit access to the B2B Internet firewalls' inside interface
 permit ip 192.168.161.0 0.0.0.255 host 172.17.74.22
 ! Deny access to all other internal PFFB corporate resources, with logging
 deny ip any 172.17.0.0 0.255.255.255 log-input
 ! Permit "ALL" access to the Internet (add log-input if we want to see what's going on)
 permit ip any any

Then apply this access-list to the VLAN interface:

interface Vlan161
 ip access-group internet-only in

The question I have is, how can I policy route 192.168.161.0/24 to the next hop of 172.17.74.22?

Thanks for your help.

Larry

5 Replies

t814687
Level 1

Larry, just create an ACL that matches your source subnet, set the next hop to 172.17.74.22, and make sure the return traffic comes back symmetrically to that ASA.

Take a look here, hope it will help:

http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a00801f3b54.shtml

serg

Serg hi,

Thanks for getting back to me and for the information. I've updated my configs; can you please take a look and tell me if I've missed anything?

interface Vlan161
 description Internet-Only Test VLAN
 ip address 192.168.161.1 255.255.255.0
 ip helper-address 172.17.74.56
 no ip redirects
 ip rip advertise 180
 ip access-group internet-only in
!
access-list 100 permit ip 192.168.161.0 0.0.0.255 host 172.17.74.22
!
route-map Internet-Only permit 10
 match ip address 100
 set ip default next-hop 172.17.74.22
!
ip access-list extended internet-only
 ! Permit DHCP requests
 permit udp any host 172.17.74.56 eq bootps
 ! Permit DNS requests
 permit udp 192.168.161.0 0.0.0.255 host 172.17.74.217 eq domain
 ! Permit access to the B2B Internet firewalls' inside interface
 permit ip 192.168.161.0 0.0.0.255 host 172.17.74.22
 ! Deny access to all other internal PFFB corporate resources, with logging
 deny ip any 172.17.0.0 0.255.255.255 log-input
 ! Permit "ALL" access to the Internet (add log-input to monitor what's going on)
 permit ip any any

Some issues here:

1) ACL 100 should catch the traffic you want to PBR, so it should say permit to any.

2) set ip next-hop 172.17.74.22. Do not use the "default" keyword here: if you use it, the router will use the routing table to route if your next hop is available and will not PBR.

3) Typo in "route-map Internet-Only permit 10"; route maps are case sensitive.

The rest looks OK to me. Try it out.

Also, if you want users to ping their default gateway you might want to deny that traffic in your ACL 100, as I suspect the router will PBR traffic for local ping. Something to think about.

serg

Serg hi,

I've updated the configs with the changes that you recommended; can you please give them one more look? One last question: I'm not sure how I would update ACL 100 to allow users to ping their default gateway.

interface Vlan161
 !description Internet-Only Test VLAN interface on 6509
 ip address 192.168.161.1 255.255.255.0
 ip helper-address 172.17.74.56
 no ip redirects
 ip rip advertise 180
 ip access-group internet-only in
!
access-list 100 permit ip 192.168.161.0 0.0.0.255 any
!
route-map Internet-Only permit 10
 match ip address 100
 set ip next-hop 172.17.74.22
!
ip access-list extended internet-only
 ! Permit DHCP requests
 permit udp any host 172.17.74.56 eq bootps
 ! Permit DNS requests
 permit udp 192.168.161.0 0.0.0.255 host 172.17.74.217 eq domain
 ! Permit access to the B2B Internet firewalls' inside interface
 permit ip 192.168.161.0 0.0.0.255 host 172.17.74.22
 ! Deny access to all other internal PFFB corporate resources, with logging
 deny ip any 172.17.0.0 0.255.255.255 log-input
 ! Permit "ALL" access to the Internet (add log-input to monitor what's going on)
 permit ip any any

Thanks again for all your help!

Try:

access-list 100 deny icmp 192.168.161.0 0.0.0.255 host 192.168.161.1 echo
access-list 100 permit ip 192.168.161.0 0.0.0.255 any
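The two points serg raises above (ACL 100 must be a plain permit-to-any, and "set ip next-hop" behaves differently from "set ip default next-hop") and the final deny-icmp-echo entry are easier to see with a small evaluator. The Python below is an added example written for this thread, not code from the thread or from Cisco; it models only the subset of IOS behaviour the thread relies on: first-match extended ACLs with wildcard masks, the inbound access-group being checked before policy routing, and the rule that "set ip default next-hop" yields to an explicit route but not to the 0.0.0.0/0 default. The routing table, the guest host addresses and the 172.17.74.1 core next hop are constructed for the example, and it assumes the route-map is actually applied to the SVI with "ip policy route-map Internet-Only", a line the posted configs do not show.

```python
"""Illustrative evaluator for IOS-style extended ACLs plus a PBR route-map.
Added example for this thread, not Cisco code; models only what the thread needs."""
import ipaddress

PORT_NAMES = {"bootps": 67, "domain": 53}
ICMP_TYPES = {"echo": 8, "echo-reply": 0}


def parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((net, keep_bits), rest)."""
    if tokens[0] == "any":
        return (0, 0), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF), tokens[2:]
    net = int(ipaddress.IPv4Address(tokens[0]))
    keep = int(ipaddress.IPv4Address(tokens[1])) ^ 0xFFFFFFFF  # wildcard 0-bits must match
    return (net & keep, keep), tokens[2:]


def parse_ace(line):
    """Parse one ACE in numbered ('access-list 100 ...') or named syntax."""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]
    action, proto, rest = t[0], t[1], t[2:]
    src, rest = parse_addr(rest)
    dst, rest = parse_addr(rest)
    dport = icmp_type = None
    if rest and rest[0] == "eq":            # destination port, by name or number
        dport = int(PORT_NAMES.get(rest[1], rest[1]))
    elif rest and rest[0] in ICMP_TYPES:    # ICMP type keyword such as 'echo'
        icmp_type = ICMP_TYPES[rest[0]]
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "icmp_type": icmp_type}


def parse_acl(text):
    return [parse_ace(l) for l in text.splitlines() if l.strip() and not l.strip().startswith("!")]


def ace_matches(ace, flow):
    if ace["proto"] != "ip" and ace["proto"] != flow["proto"]:
        return False
    for key in ("src", "dst"):
        net, keep = ace[key]
        if int(ipaddress.IPv4Address(flow[key])) & keep != net:
            return False
    if ace["dport"] is not None and flow.get("dport") != ace["dport"]:
        return False
    if ace["icmp_type"] is not None and flow.get("icmp_type") != ace["icmp_type"]:
        return False
    return True


def evaluate_acl(acl, flow):
    """First matching ACE wins; IOS ends every ACL with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, flow):
            return ace["action"]
    return "deny"


def route_lookup(table, dst):
    """Longest-prefix match over [(prefix, next_hop), ...]; None if no route."""
    best = None
    for prefix, nh in table:
        net = ipaddress.IPv4Network(prefix)
        if ipaddress.IPv4Address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def forward(flow, in_acl, pbr_acl, pbr_nh, mode, table):
    """Ingress on the SVI: inbound access-group, then route-map, then routing table.
    mode 'next-hop' models 'set ip next-hop'; 'default' models 'set ip default next-hop'."""
    if evaluate_acl(in_acl, flow) == "deny":
        return "dropped by inbound ACL"
    route = route_lookup(table, flow["dst"])
    if evaluate_acl(pbr_acl, flow) == "permit":
        if mode == "next-hop":
            return pbr_nh
        # 'default next-hop' only wins when there is no explicit route;
        # the 0.0.0.0/0 default route does not count as explicit.
        if route is None or route[0].prefixlen == 0:
            return pbr_nh
    return route[1] if route else "no route"


# ACL text copied from the thread (final versions of each).
INTERNET_ONLY = parse_acl("""
permit udp any host 172.17.74.56 eq bootps
permit udp 192.168.161.0 0.0.0.255 host 172.17.74.217 eq domain
permit ip 192.168.161.0 0.0.0.255 host 172.17.74.22
deny ip any 172.17.0.0 0.255.255.255 log-input
permit ip any any
""")
ACL_100_FIRST = parse_acl("access-list 100 permit ip 192.168.161.0 0.0.0.255 any")
ACL_100_FINAL = parse_acl("""
access-list 100 deny icmp 192.168.161.0 0.0.0.255 host 192.168.161.1 echo
access-list 100 permit ip 192.168.161.0 0.0.0.255 any
""")
ASA = "172.17.74.22"
# Constructed routing table; the 172.17.74.1 core next hop is an assumption, not from the thread.
TABLE = [("192.168.161.1/32", "local (SVI)"), ("192.168.161.0/24", "connected"),
         ("172.17.0.0/16", "172.17.74.1"), ("0.0.0.0/0", "172.17.74.1")]
# Constructed sample flows from one guest host.
FLOWS = {
    "dns to 172.17.74.217": {"src": "192.168.161.50", "dst": "172.17.74.217", "proto": "udp", "dport": 53},
    "https to Internet":    {"src": "192.168.161.50", "dst": "203.0.113.10", "proto": "tcp", "dport": 443},
    "smb to corp host":     {"src": "192.168.161.50", "dst": "172.17.10.5", "proto": "tcp", "dport": 445},
    "ping gateway":         {"src": "192.168.161.50", "dst": "192.168.161.1", "proto": "icmp", "icmp_type": 8},
}


def decide(name, pbr_acl=ACL_100_FINAL, mode="next-hop"):
    """Where the SVI sends the named sample flow under the given ACL 100 and set-clause mode."""
    return forward(FLOWS[name], INTERNET_ONLY, pbr_acl, ASA, mode, TABLE)


if __name__ == "__main__":
    for name in FLOWS:
        print(f"{name:22} next-hop: {decide(name, mode='next-hop'):24} default: {decide(name, mode='default')}")
    print("ping gateway with the first ACL 100:", decide("ping gateway", ACL_100_FIRST))
```

Running it shows the corporate-host flow dropped by the inbound ACL before the route-map is consulted, Internet traffic sent to the ASA under either set clause, and the gateway ping kept local only once the deny-icmp-echo entry is in front of the permit. It also shows the trade-off in the final config: with "set ip next-hop" and a permit-to-any ACL 100, the permitted DNS (and DHCP) packets for the 172.17.74.x servers are handed to the ASA as well rather than routed by the 172.17.0.0/16 entry, so how that ASA treats traffic for hosts on its own inside subnet is worth verifying in the lab before rollout.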
