Is PBR my answer?

sequoyatech
Level 1

I'm in the process of setting up a 3560G alongside an ASA 5505. What I'd like to do is have all traffic from vlan 10 to the internet be routed to 192.168.16.2 (the 'blue' inside interface), and all traffic from vlan 20 to the internet be routed to 192.168.17.2 (the 'green' inside interface), so that the traffic can be natted properly.  I'd also like to keep my interVLAN routing.  The problem is that currently, traffic from vlan 20 is being routed to 192.168.16.2 (which is on vlan 10) because of the route statement on the 3560, and the traffic doesn't get nat-translated.  Traffic from vlan 10 flows to the internet properly.  Is PBR on the switch my solution here?  How would I implement it?

My config looks similar to:

(3560)

interface vlan 10
 ip address 192.168.16.1 255.255.255.0
interface vlan 20
 ip address 192.168.17.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.16.2

(asa)

interface vlan 2
 nameif outside
 security-level 0
 ip address 200.1.1.1 255.255.255.248
interface vlan 10
 nameif blue
 security-level 100
 ip address 192.168.16.2 255.255.255.0
interface vlan 20
 nameif green
 security-level 100
 ip address 192.168.17.2 255.255.255.0
global (outside) 1 interface
global (outside) 2 200.1.1.2
global (outside) 3 200.1.1.3
nat (blue) 1 192.168.16.0 255.255.255.0
nat (blue) 2 192.168.16.6 255.255.255.255
nat (green) 3 192.168.17.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 200.1.1.6 1

26 Replies

In that case you wouldn't require PBR, right? All packets hit your VLAN SVI, and are forwarded to the ASA inside interface (blue segment). ASA would then do a NAT for both the 16.x & 17.x outside on either the interface IP or 200.1.1.2! Reverse traffic would come as expected through the firewall.. so simply you can remove the third NAT statement created for Green....

Raj

sequoyatech wrote:

Ah - in actuality, I don't have to for the 192.168.17.0/24 network.  It could use global 1.

edit - just saw your edit.  Can you elaborate?  As I said before, I appreciate everyone's patience. I'm doing my damnedest to learn this stuff!

Actually I think we have all missed a trick here. Your original post said you wanted to route the traffic from the 2 vlans to different interfaces on the ASA because you wanted to make sure the traffic got Natted properly.

But you don't need 2 interfaces on the ASA for that, i.e. let's say you just have one inside interface - blue - then your NAT statements would just be -

nat (blue) 1 192.168.16.0 255.255.255.0
nat (blue) 2 192.168.16.6 255.255.255.255
nat (blue) 3 192.168.17.0 255.255.255.0
global (outside) 1 interface
global (outside) 2 200.1.1.2
global (outside) 3 200.1.1.3

So you definitely don't need PBR, and you could, if you wanted, keep your existing NAT.

Or if you want to save a public IP just follow Raj's example.

Sometimes you just can't see the wood for the trees

Jon

I will test it out and let you know.  Thanks!

Hi Nathan

as said before

route-map vlan20 permit 10
 match ip address 1
 set ip next-hop 192.168.17.2
access-list 1 permit 192.168.17.0 0.0.0.255

or you can put an extended access-list specifying tcp port/destination etc.

access-list 101 permit ip 192.168.17.0 0.0.0.255 any

Raj

sequoyatech
Level 1

Thanks to everyone for their help.  I used jon.marshall's method and it worked fine.  Helpful hint for anyone trying to solve the same problem - I did have to add a static route to the ASA for each network on the 3560 - for example,

route inside 192.168.17.0 255.255.255.0 192.168.1.2

where 192.168.1.2 is the routed port on the 3560.

Yes Nathan

You are right..  this is because 192.168.17.0 is no longer a directly connected network, as it was before, and goes through the routed port to the BLUE network.. Any more VLANs you would add here would need similar routing configuration.. but as said before, you might want to reconsider having a separate broadcast domain of /30 for your connection between the switch and firewall.. just to isolate the firewall from local broadcasts, and a very good design for future development

Internet router
  |                         outside (security level 0)
Firewall -----------> NAT for internal networks and a route back to L3 switch..
  |                         inside (security level 100)
Layer 3 switch
  |                         various VLAN SVI's
PC's

Raj

Raj, if I'm understanding your post correctly, my solution implements that.

sequoyatech wrote:

Raj, if I'm understanding your post correctly, my solution implements that.

Nathan

Based on your last post to me you have indeed implemented this solution. Glad you got it all working.

Jon

Ahh... You are right.. Didn't notice the next hop interface IP address of your route for 192.168.17.x (192.168.1.x), which is a dedicated layer 3 interface.... I was thinking that you had used the same vlan 10 interface (192.168.16.1, 192.168.16.2) interfaces to route the VLAN 20 traffic... it looks good now...

Thanks & Regards

Raj

sequoyatech wrote:

Thanks to everyone for their help.  I used jon.marshall's method and it worked fine.  Helpful hint for anyone trying to solve the same problem - I did have to add a static route to the ASA for each network on the 3560 - for example,

route inside 192.168.17.0 255.255.255.0 192.168.1.2

where 192.168.1.2 is the routed port on the 3560.

Nathan

Many thanks for getting back and letting us know.

So did you use just one public IP for both 192.168.16.x and 192.168.17.x addresses ?

And by the sounds of it you used just one link between the ASA and the switch ?

Just wanted to confirm for others who may read the post, because I think it was a combination of Raj's suggestion (+5 Raj) and mine that was the final solution.

Jon

Regarding NAT, I have it set so that 192.168.16.x and 17.x both use the same public, while 192.168.16.6 uses a second public.  There shouldn't be any issues if I were to want to assign 17.x its own public IP though.  To answer your second question, yes, I now have a single link - the inside interface of the ASA is 192.168.1.1, the routed port of the 3560 is 192.168.1.2.  The 192.168.1.x network does not exist anywhere other than on those two interfaces.
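An added example (not configuration posted by anyone in the thread) that collects the final design into one place: a single routed link between the 3560 and the ASA, the ASA return routes Nathan mentioned, and NAT on one inside interface instead of PBR. The /30 mask, the port and VLAN names (GigabitEthernet0/1, Vlan1) and the nat-ID layout are assumptions; the thread gives only the 192.168.1.1/.2 addresses and the pre-8.3 NAT syntax used above.

```cisco
! --- 3560: routed uplink to the ASA; the VLAN SVIs stay for inter-VLAN routing ---
ip routing
!
! Placeholder port name; any port can be made routed with "no switchport"
interface GigabitEthernet0/1
 description Uplink to ASA inside
 no switchport
 ip address 192.168.1.2 255.255.255.252
!
interface Vlan10
 ip address 192.168.16.1 255.255.255.0
!
interface Vlan20
 ip address 192.168.17.1 255.255.255.0
!
! One default route via the /30 replaces the old next hop of 192.168.16.2
ip route 0.0.0.0 0.0.0.0 192.168.1.1

! --- ASA 5505 (pre-8.3 NAT syntax as used in the thread): one inside interface ---
! Placeholder VLAN number; this single interface replaces the blue/green pair
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.252
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 200.1.1.1 255.255.255.248
!
! 192.168.16.0/24 and 192.168.17.0/24 are no longer directly connected to the ASA,
! so each VLAN behind the switch needs a return route pointing at the 3560
route inside 192.168.16.0 255.255.255.0 192.168.1.2 1
route inside 192.168.17.0 255.255.255.0 192.168.1.2 1
route outside 0.0.0.0 0.0.0.0 200.1.1.6 1
!
! NAT on the one inside interface: both VLANs PAT to the outside address,
! host 192.168.16.6 keeps its own public address (Nathan's final setup)
global (outside) 1 interface
global (outside) 2 200.1.1.2
nat (inside) 1 192.168.16.0 255.255.255.0
nat (inside) 1 192.168.17.0 255.255.255.0
nat (inside) 2 192.168.16.6 255.255.255.255
```

Each further VLAN added on the 3560 then needs only its SVI on the switch, a matching "route inside" line on the ASA and a nat line; no extra ASA interface and no route-map.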

Jon.. thanks a ton for your comments, and the points... this is the best 5 pointer I have ever taken

Thanks again

Raj
