Tricky PBR

Unanswered Question
May 15th, 2008

I have PBR need that I am a little stumped on. Here is the scenario:

I have a host on the LAN that I would like to route all internet bound traffic to a "new" internet circuit, and all LAN bound traffic to be routed via LAN routing methods. No other hosts on the subnet, just this one host.

host: 10.9.100.25

gateway for LAN: 10.9.100.1

Gateway for Internet: 10.9.200.5

All other LAN subnets: 10/8

So I am stumped on how to change his default route to something else and route all 10/8 traffic to his LAN GW.

Thank you for any assistance with this.

t814687 Thu, 05/15/2008 - 08:35

Hi Chuck, little schematic of your network will help us to recommend the right solution.

-serg

chuckholley Thu, 05/15/2008 - 09:24

Thanks guys,

Here is a logical of the environment, I basically need to change the default route for this one user to the new NAT firewall to go to the new internet, and make sure he can still get to the corporate network.

Ahmede Thu, 05/15/2008 - 09:36

You can create PBR, and attach it to the interface 10.9.100.1,

in the PBR,

deny 10.0.0.0 0.255.255.255

permit any

Then next hop to the NAT firewall..

HTH..

Ahmed

chuckholley Thu, 05/15/2008 - 09:58

So the PBR would do the deny or the ACL? I would deny 10.9.100.5 to all 10/8, then the next hop to the NAT firewall?

t814687 Thu, 05/15/2008 - 10:08

This statement makes sure the traffic is routed (that's why "deny" is there) to your 10/8 and policy routed (permit any) to the new internet. Should work fine.

-serg

chuckholley Thu, 05/15/2008 - 10:23

OK, here is exactly what I have, and it is not working at the moment:

ACL:

10 deny ip host 10.9.100.5 10.0.0.0 0.255.255.255
20 permit ip host 10.9.100.5 any

Route-Map:

route-map Chuck permit 10
 match ip address Chuck
 set ip next-hop 10.9.99.5

Thanks

t814687 Thu, 05/15/2008 - 10:28

did you apply this map to the router interface where your host is connected?

-serg

chuckholley Thu, 05/15/2008 - 10:32

Yes, had to ask though, right!

interface Vlan100
 ip address 10.9.100.4 255.255.255.0
 ip helper-address 10.9.43.13
 no ip redirects
 ip policy route-map Chuck
 standby 1 ip 10.9.100.1
 standby 1 priority 110
 standby 1 preempt
end

t814687 Thu, 05/15/2008 - 10:36

And your acl is named "Chuck" ?

do you see any hits on the acl?

chuckholley Thu, 05/15/2008 - 10:43

The name of the acl is Chuck, and it is very strange, I see 3 hits on the deny, and none on the permit.

t814687 Thu, 05/15/2008 - 11:02

So you're generating traffic to the internet and see no hits on permit? Can you check your new firewall to see if the traffic makes it there and that it allows that host to go out?

Can you connect to the 10/8 network?

What switch are you using?

Can you debug pbr?

t814687 Thu, 05/15/2008 - 11:33

Keep in mind that for certain switch types (3750 for example) you cannot use deny statements in PBR ACLs... in this case you have to do an explicit route-map statement and forward traffic to your 10/8 VLAN interface.
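The two ways of expressing this policy that the thread discusses (Ahmed's "deny 10/8, permit any" ACL, and serg's explicit route-map entry for platforms that reject deny ACEs in PBR ACLs) can be checked against each other with a small model of how a PBR route-map is evaluated. This is an added example, not configuration or code from the thread or from Cisco; it uses the host, gateway and next-hop addresses posted above, while CORE_NEXT_HOP and the destination addresses fed to it are constructed placeholders (the real upstream toward the rest of 10/8 is not given on the page).

```python
import ipaddress

# Model of Cisco PBR evaluation (added example, not the thread's configuration):
#  - each route-map sequence matches an ACL;
#  - a packet that hits a 'permit' ACE is policy-routed with that sequence's 'set';
#  - a packet that hits a 'deny' ACE, or no ACE at all, does not match the sequence,
#    the next sequence is tried, and if none matches the packet is routed normally.

def make_ace(action, src, dst):
    """One access-list entry: ('permit'|'deny', source network, destination network)."""
    return (action, ipaddress.ip_network(src), ipaddress.ip_network(dst))

# Addresses from the thread
HOST = "10.9.100.5/32"          # the host the ACL in the thread matches
FW_NEXT_HOP = "10.9.99.5"       # next hop toward the new internet circuit (as posted)
# Placeholder: the router's normal next hop for the rest of 10/8 (not on the page)
CORE_NEXT_HOP = "10.9.100.254"

# Variant A (as posted): deny 10/8 so it falls through to normal routing, permit any
# so everything else is sent to the firewall.
ACL_CHUCK = [
    make_ace("deny", HOST, "10.0.0.0/8"),
    make_ace("permit", HOST, "0.0.0.0/0"),
]
ROUTE_MAP_A = [
    {"seq": 10, "match": ACL_CHUCK, "set_next_hop": FW_NEXT_HOP},
]

# Variant B (for platforms without deny support in PBR ACLs): an explicit first
# sequence forwards 10/8 traffic toward the core, a second sequence catches the rest.
ROUTE_MAP_B = [
    {"seq": 10, "match": [make_ace("permit", HOST, "10.0.0.0/8")],
     "set_next_hop": CORE_NEXT_HOP},
    {"seq": 20, "match": [make_ace("permit", HOST, "0.0.0.0/0")],
     "set_next_hop": FW_NEXT_HOP},
]

def acl_lookup(acl, src, dst):
    """First matching ACE decides: 'permit', 'deny', or None for the implicit deny."""
    for action, s_net, d_net in acl:
        if src in s_net and dst in d_net:
            return action
    return None

def pbr_decision(route_map, src, dst):
    """Next hop chosen by policy routing, or 'normal-routing' when nothing matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in sorted(route_map, key=lambda e: e["seq"]):
        if acl_lookup(entry["match"], src, dst) == "permit":
            return entry["set_next_hop"]
    return "normal-routing"

def policy_routed_to_firewall(route_map, src, dst):
    """True if this flow leaves via the new internet circuit under the given map."""
    return pbr_decision(route_map, src, dst) == FW_NEXT_HOP

if __name__ == "__main__":
    # Constructed sample flows: corporate destination vs. internet destination,
    # from the policy-routed host and from another host on the same VLAN.
    for rm_name, rm in (("A", ROUTE_MAP_A), ("B", ROUTE_MAP_B)):
        for src, dst in (("10.9.100.5", "10.9.43.13"), ("10.9.100.5", "198.51.100.7"),
                         ("10.9.100.26", "198.51.100.7")):
            print(rm_name, src, "->", dst, ":", pbr_decision(rm, src, dst))
```

The thing to verify on the real device is that internet-bound flows from the host show hits on the permit ACE (variant A) or on sequence 20 (variant B), while 10/8 flows show deny hits or sequence 10 hits; with variant A a corporate destination must end in normal routing, which is why the model returns "normal-routing" rather than any next hop for it.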

chuckholley Thu, 05/15/2008 - 12:31

Thanks, this is working. We had a NAT issue on our FWSM, but that is resolved now and we are surfing out the new internet.

Many Thanks!
