03-02-2010 08:20 AM - edited 03-06-2019 09:57 AM
Hey Guys,
So I'm about to throw up some policy based routing on my core switch and wanted to ask for a second pair of eyes on my config so I don't really mess things up. This is what I'm planning to throw on my 4507 to send traffic for my specific host to ip 10.66.x.65. Do I have the ACLs done correctly? Am I applying it to the right interface? vlan50 is my dg.
Extended IP access list acl-routeASA
10 deny ip any 10.0.0.0 0.255.255.255
20 deny ip any 192.168.0.0 0.0.255.255
30 deny ip any 172.16.0.0 0.15.255.255
40 deny ip any 206.xxx.xxx.0 0.0.0.255
50 deny ip any 206.xxx.xxx.0 0.0.0.255
60 deny ip any 172.xx.0.0 0.0.255.255
70 deny ip any 172.xx.0.0 0.0.255.255
80 deny ip any 172.xx.0.0 0.0.255.255
100 permit ip any host 10.66.4.57
200 deny ip any any
route-map routeASA permit 10
match ip address acl-routeASA
set ip next-hop 10.66.x.xx
int vlan50
ip policy route-map routeASA
03-02-2010 08:24 AM
b.rockburn wrote:
Hey Guys,
So I'm about to throw up some policy based routing on my core switch and wanted to ask for a second pair of eyes on my config so I don't really mess things up. This is what I'm planning to throw on my 4507 to send traffic for my specific host to ip 10.66.x.65. Do I have the ACLs done correctly? Am I applying it to the right interface? vlan50 is my dg.
Extended IP access list acl-routeASA
10 deny ip any 10.0.0.0 0.255.255.255
20 deny ip any 192.168.0.0 0.0.255.255
30 deny ip any 172.16.0.0 0.15.255.255
40 deny ip any 206.xxx.xxx.0 0.0.0.255
50 deny ip any 206.xxx.xxx.0 0.0.0.255
60 deny ip any 172.xx.0.0 0.0.255.255
70 deny ip any 172.xx.0.0 0.0.255.255
80 deny ip any 172.xx.0.0 0.0.255.255
100 permit ip any host 10.66.4.57
200 deny ip any any
route-map routeASA permit 10
match ip address acl-routeASA
set ip next-hop 10.66.x.xx
int vlan50
ip policy route-map routeASA
Brent
Can you clarify exactly what you want the PBR to do, i.e.
permit ip any host 10.66.4.57
will result in any traffic from any source coming in on vlan 50 being sent to the next-hop IP of 10.66.x.x in your route-map?
Edit - also what are all the rest of the lines in the acl meant to be doing ?
Jon
03-02-2010 08:28 AM
Hey Jon,
Sorry, should have clarified.
I'm testing out PBR. This is supposed to allow only my IP address to go to the ASA, while keeping all other traffic passing normally through the other paths.
I am removing a SonicWall firewall and I want to start to slowly point traffic to my ASA. I'm hoping this will do it.
03-02-2010 08:32 AM
b.rockburn wrote:
Hey Jon,
Sorry, should have clarified.
I'm testing out PBR. This is supposed to allow only my IP address to go to the ASA, while keeping all other traffic passing normally through the other paths.
I am removing a SonicWall firewall and I want to start to slowly point traffic to my ASA. I'm hoping this will do it.
Brent
That's what's confusing me, i.e.
permit ip any host 10.66.4.57
shouldn't that be -
permit ip host 10.66.4.57 any
What is your host address and what is 10.66.4.57 ?
Jon
03-02-2010 08:38 AM
yeah, sorry that's right ..
Should look more like this
Extended IP access list acl-routeASA
10 deny ip 10.0.0.0 0.255.255.255 any
20 deny ip 192.168.0.0 0.0.255.255 any
30 deny ip 172.16.0.0 0.15.255.255 any
40 deny ip 206.xxx.xxx.0 0.0.0.255 any
50 deny ip 206.xxx.xxx.0 0.0.0.255 any
60 deny ip 172.xx.0.0 0.0.255.255 any
70 deny ip 172.xx.0.0 0.0.255.255 any
80 deny ip 172.xx.0.0 0.0.255.255 any
100 permit ip host 10.66.4.57 any
03-02-2010 08:44 AM
b.rockburn wrote:
yeah, sorry that's right ..
Should look more like this
Extended IP access list acl-routeASA
10 deny ip 10.0.0.0 0.255.255.255 any
20 deny ip 192.168.0.0 0.0.255.255 any
30 deny ip 172.16.0.0 0.15.255.255 any
40 deny ip 206.xxx.xxx.0 0.0.0.255 any
50 deny ip 206.xxx.xxx.0 0.0.0.255 any
60 deny ip 172.xx.0.0 0.0.255.255 any
70 deny ip 172.xx.0.0 0.0.255.255 any
80 deny ip 172.xx.0.0 0.0.255.255 any
100 permit ip host 10.66.4.57 any
Okay, that makes more sense. You don't need the other lines though because if there is no match in the acl then the traffic is routed normally. So assuming your host is 10.66.4.57 and the traffic from your host arrives on the vlan 50 interface of the 4500 your acl can simply be -
permit ip host 10.66.4.57 any
Jon
03-02-2010 09:03 AM
Ok .. so
Here is how I've rearranged things ... let me know what you think. I know the other lines under 10 don't need to be there, but I put them in just to give a visual of what's going on.
This should only affect my IP address and send me to the ASA, which is 10.66.x.xx (ip next-hop). When I do a trace, the vlan50 IP is my first hop, so I know I'm coming in on that interface.
Extended IP access list acl-routeASA
10 permit ip host 10.66.4.57 any
20 deny ip 192.168.0.0 0.0.255.255 any
30 deny ip 172.16.0.0 0.15.255.255 any
40 deny ip 206.xxx.xxx.0 0.0.0.255 any
50 deny ip 206.xxx.xxx.0 0.0.0.255 any
60 deny ip 172.xx.0.0 0.0.255.255 any
70 deny ip 172.xx.0.0 0.0.255.255 any
80 deny ip 172.xx.0.0 0.0.255.255 any
90 deny ip 10.0.0.0 0.255.255.255 any
route-map routeASA permit 10
match ip address acl-routeASA
set ip next-hop 10.66.x.xx
int vlan50
ip policy route-map routeASA
03-02-2010 09:06 AM
b.rockburn wrote:
Ok .. so
This should only affect my IP address and send me to the ASA, which is 10.66.x.xx (ip next-hop). When I do a trace, the vlan50 IP is my first hop, so I know I'm coming in on that interface.
Extended IP access list acl-routeASA
10 permit ip host 10.66.4.57 any
20 deny ip 192.168.0.0 0.0.255.255 any
30 deny ip 172.16.0.0 0.15.255.255 any
40 deny ip 206.xxx.xxx.0 0.0.0.255 any
50 deny ip 206.xxx.xxx.0 0.0.0.255 any
60 deny ip 172.xx.0.0 0.0.255.255 any
70 deny ip 172.xx.0.0 0.0.255.255 any
80 deny ip 172.xx.0.0 0.0.255.255 any
90 deny ip 10.0.0.0 0.255.255.255 any
route-map routeASA permit 10
match ip address acl-routeASA
set ip next-hop 10.66.x.xx
int vlan50
ip policy route-map routeASA
Yes that should work fine, again assuming your host is 10.66.4.57.
For testing it's fine to leave those lines in if you want, but I wouldn't do this for production. There is an implicit deny at the end of every ACL, so if I saw this ACL I would wonder why those lines were there.
Jon
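As an added illustration (not from the thread, and not Cisco code), the following Python model evaluates the three ACL versions discussed above the way a route-map "permit 10" with "match ip address" and "set ip next-hop" would: first matching entry wins, an unmatched packet hits the implicit deny and is routed normally. The next-hop address and the sample flows are constructed placeholders, since the thread masks the real addresses as 10.66.x.xx; the masked 206.xxx and 172.xx deny lines are left out for the same reason.

```python
import ipaddress
from dataclasses import dataclass

# Placeholder for the ASA inside address that the thread masks as 10.66.x.65 / 10.66.x.xx.
ASA_NEXT_HOP = "10.66.0.65"


@dataclass(frozen=True)
class AclEntry:
    seq: int
    action: str   # "permit" or "deny"
    src: str      # "any", "host A.B.C.D", or "A.B.C.D WILDCARD"
    dst: str


def _matches(spec: str, addr: ipaddress.IPv4Address) -> bool:
    """Cisco-style address matcher for one side of an extended ACL entry."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return ipaddress.IPv4Address(parts[1]) == addr
    net, wild = (int(ipaddress.IPv4Address(p)) for p in parts)
    # A 1 bit in the wildcard means "don't care"; only the 0 bits must be equal.
    care = ~wild & 0xFFFFFFFF
    return (int(addr) ^ net) & care == 0


def acl_lookup(acl, src: str, dst: str) -> str:
    """Action of the first matching entry in sequence order; 'deny' if nothing
    matches (the implicit deny at the end of every IOS ACL)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for entry in sorted(acl, key=lambda e: e.seq):
        if _matches(entry.src, s) and _matches(entry.dst, d):
            return entry.action
    return "deny"


def pbr_next_hop(acl, src: str, dst: str, next_hop: str = ASA_NEXT_HOP):
    """Route-map 'permit 10' with 'match ip address acl' and 'set ip next-hop':
    a permit match is sent to next_hop; a deny (explicit or implicit) means the
    packet is routed normally, modelled here as None."""
    return next_hop if acl_lookup(acl, src, dst) == "permit" else None


# The first ACL posted (masked lines omitted): source and destination are reversed,
# and the 10/8 deny at seq 10 shadows the permit at seq 100 for any 10.x destination.
FIRST_ACL = [
    AclEntry(10, "deny", "any", "10.0.0.0 0.255.255.255"),
    AclEntry(20, "deny", "any", "192.168.0.0 0.0.255.255"),
    AclEntry(30, "deny", "any", "172.16.0.0 0.15.255.255"),
    AclEntry(100, "permit", "any", "host 10.66.4.57"),
    AclEntry(200, "deny", "any", "any"),
]

# The rearranged ACL from later in the thread: the permit first, then the deny lines.
VERBOSE_ACL = [
    AclEntry(10, "permit", "host 10.66.4.57", "any"),
    AclEntry(20, "deny", "192.168.0.0 0.0.255.255", "any"),
    AclEntry(30, "deny", "172.16.0.0 0.15.255.255", "any"),
    AclEntry(90, "deny", "10.0.0.0 0.255.255.255", "any"),
]

# The one-line ACL suggested in the thread.
MINIMAL_ACL = [AclEntry(10, "permit", "host 10.66.4.57", "any")]

# Constructed sample flows (src, dst) as they would arrive on the vlan 50 interface.
SAMPLE_FLOWS = [
    ("10.66.4.57", "198.51.100.10"),   # the test host going out
    ("10.66.4.57", "10.66.50.20"),     # the test host talking to an internal address
    ("10.66.4.58", "198.51.100.10"),   # a neighbour on the same VLAN
    ("192.168.1.5", "198.51.100.10"),  # a host on another internal subnet
]


def same_decisions(acl_a, acl_b, flows=SAMPLE_FLOWS) -> bool:
    """True if both ACLs yield the same PBR decision for every flow."""
    return all(pbr_next_hop(acl_a, s, d) == pbr_next_hop(acl_b, s, d) for s, d in flows)


def policy_routed(acl, flows=SAMPLE_FLOWS):
    """Sorted list of source addresses the route-map would send to the ASA."""
    return sorted({s for s, d in flows if pbr_next_hop(acl, s, d)})


if __name__ == "__main__":
    for name, acl in (("first", FIRST_ACL), ("verbose", VERBOSE_ACL), ("minimal", MINIMAL_ACL)):
        print(f"{name:8s} policy-routes: {policy_routed(acl) or 'nothing'}")
    print("verbose == minimal:", same_decisions(VERBOSE_ACL, MINIMAL_ACL))
```

Run against the sample flows, the first ACL policy-routes nothing at all (the host's own outbound packets match no entry, and anything addressed to the host is caught by the 10/8 deny before the permit is reached), while the rearranged and the one-line ACL make identical decisions for every flow, which is the point about the implicit deny. The model also makes visible that with "permit ip host 10.66.4.57 any" at the top, the host's traffic to internal addresses is sent to the ASA too, so the ASA needs a route back for that.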