Route Map or Static route...

sterdnotshaken
Level 1

It's me again... Sorry. Everything that has been instructed (i.e. route map and such) is working great!... Before I implement this, can someone confirm for me the answer to this question...

As stated in a previous thread, I have one 3725 router and 2 firewalls (checkpoint and sonicwall). I want all general users to be sent to the checkpoint T1 for internet and only privileged users to be sent to the Sonicwall Bonded T1 for internet... Thanks to the help of Jon and Laurent, I have the route maps working great to delineate this traffic as stated before...

My question is regarding static routes... I have an ACL that specifies the host IP addresses authorized to use the Sonicwall connection and a next hop associating those IPs with the Sonicwall firewall. The issue is that the Checkpoint is the internet connection that all of our VPN tunnels terminate on. So I plan on using static routes to force all traffic destined for those subnets, even from a privileged user that the router forwards out the Sonicwall, to be redirected out the Checkpoint... Will static routes intervene in the route map association? In other words, will a privileged user, whose IP address is set in the ACL on the router to go only to the Sonicwall for internet, be redirected to the Checkpoint if he/she is trying to access a subnet that a static route routes?

3 Replies

Jon Marshall
Hall of Fame

Steven

PBR will take precedence over a static route so your Sonicwall users will be sent to the Sonicwall for everything.

What you can do is add denies in the ACL for the remote VPN tunnels, so let's say the remote subnets for the VPNs are

172.16.5.0/24

172.16.6.0/24

and the people who access the Sonicwall for internet connection are 192.168.5.0/24

access-list 101 deny ip 192.168.5.0 0.0.0.255 172.16.5.0 0.0.0.255
access-list 101 deny ip 192.168.5.0 0.0.0.255 172.16.6.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 any

Any traffic matching one of the deny lines in ACL 101 will bypass PBR and use the router's routing table, which is what you want.

Note - access-list 101 is the access-list you are using in your route-map for the Sonicwall users.

You have to put the denies before the permit or it won't work.

You will obviously need to edit for your environment in terms of source IP addresses and destination VPN subnets.

Jon
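The forwarding decision Jon describes can be checked offline. The following Python model is an added example, not code from the thread or from Cisco: it parses the three ACL 101 lines above with IOS wildcard-mask semantics (first match wins, implicit deny at the end), applies the PBR rule that only a permit match sets the next hop while a deny match or no match falls through to a longest-prefix routing-table lookup, and then runs a few constructed flows through it. The next-hop addresses 10.0.0.1 and 10.0.0.2, the user hosts and the internet destination 203.0.113.5 are all constructed for the example; the static routes for 172.16.5.0/24 and 172.16.6.0/24 and the default route are assumed to point at the Checkpoint. It also runs the same ACEs with the permit placed first, to show the ordering mistake the reply warns about.

```python
"""Model of how PBR (ip policy route-map) and static routes interact on IOS.
Added example; ACL lines are from the reply, everything else is constructed."""
import ipaddress

# Constructed next hops (assumed, not from the thread).
SONICWALL = "10.0.0.2"   # next hop set by the route-map for privileged users
CHECKPOINT = "10.0.0.1"  # next hop of the static routes and the default route


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_spec(tokens):
    """Parse one IOS address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'.
    Returns (network_int, wildcard_int, tokens_consumed)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, 1
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, 2
    return _ip(tokens[0]), _ip(tokens[1]), 2


def parse_acl_line(line: str) -> dict:
    """'access-list 101 deny ip <src> <wc> <dst> <wc>' -> one access control entry."""
    t = line.split()
    assert t[0] == "access-list" and t[3] == "ip", "only extended 'ip' ACEs are modelled"
    src, src_wc, used = _parse_spec(t[4:])
    dst, dst_wc, _ = _parse_spec(t[4 + used:])
    return {"action": t[2], "src": src, "src_wc": src_wc, "dst": dst, "dst_wc": dst_wc}


def _wc_match(addr: int, net: int, wildcard: int) -> bool:
    # Wildcard bits set to 1 are "don't care": 0.0.0.255 matches the whole /24.
    return ((addr ^ net) & ~wildcard & 0xFFFFFFFF) == 0


def acl_action(acl, src: str, dst: str) -> str:
    """First matching ACE wins; implicit deny at the end, as on IOS."""
    for ace in acl:
        if _wc_match(_ip(src), ace["src"], ace["src_wc"]) and \
           _wc_match(_ip(dst), ace["dst"], ace["dst_wc"]):
            return ace["action"]
    return "deny"


def rib_lookup(routes, dst: str):
    """Longest-prefix match over the static routes plus the default route."""
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.IPv4Address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def next_hop(acl, pbr_next_hop: str, routes, src: str, dst: str) -> str:
    """Packet arriving on an interface with 'ip policy route-map': a 'permit' match in
    the route-map's ACL sets the next hop; a 'deny' match or no match means the
    route-map clause is not matched and the packet is routed from the routing table."""
    if acl_action(acl, src, dst) == "permit":
        return pbr_next_hop
    return rib_lookup(routes, dst)


# The three ACEs from the reply, in the order given (denies before the permit).
ACL_101 = [parse_acl_line(line) for line in (
    "access-list 101 deny ip 192.168.5.0 0.0.0.255 172.16.5.0 0.0.0.255",
    "access-list 101 deny ip 192.168.5.0 0.0.0.255 172.16.6.0 0.0.0.255",
    "access-list 101 permit ip 192.168.5.0 0.0.0.255 any",
)]
# Same ACEs with the permit first: the ordering mistake the reply warns about.
ACL_101_WRONG_ORDER = [ACL_101[2], ACL_101[0], ACL_101[1]]

# Constructed routing table: static routes to the VPN subnets plus a default route.
ROUTES = [("172.16.5.0/24", CHECKPOINT), ("172.16.6.0/24", CHECKPOINT), ("0.0.0.0/0", CHECKPOINT)]


def demo() -> dict:
    """Chosen next hop for a few constructed flows (hosts and destinations are made up)."""
    return {
        "priv_to_internet": next_hop(ACL_101, SONICWALL, ROUTES, "192.168.5.10", "203.0.113.5"),
        "priv_to_vpn_subnet": next_hop(ACL_101, SONICWALL, ROUTES, "192.168.5.10", "172.16.5.20"),
        "general_to_internet": next_hop(ACL_101, SONICWALL, ROUTES, "192.168.7.10", "203.0.113.5"),
        "priv_to_vpn_wrong_order": next_hop(ACL_101_WRONG_ORDER, SONICWALL, ROUTES,
                                            "192.168.5.10", "172.16.5.20"),
    }


if __name__ == "__main__":
    for flow, hop in demo().items():
        print(f"{flow:24s} -> {hop}")
```

Running it shows the privileged user reaching the internet via 10.0.0.2 (Sonicwall) but the VPN subnet via 10.0.0.1 (Checkpoint, from the static route), a general user going out the default route, and, with the permit moved above the denies, the VPN-bound traffic wrongly policy-routed to the Sonicwall because the permit line matches first.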

Ah ah! "will bypass PBR and use the routers routing table" is exactly what I wanted to know.

Thanks Jon!

Steven

Sorry if I misunderstood - it will bypass if you make the changes I suggested.

Jon
