Solved: LAN Routing with two Firewalls

csco11049253 · ‎04-16-2008

We have a LAN router with two Firewalls (ASA & PIX) connected to it.

LAN Subnet - 192.168.75.0/24

Gateway & Router's Fa0/1 IP: 192.168.250/24

PIX Ethernet IP (Inside): 192.168.75.1/24

ASA Gig0/1 IP(Inside): 192.168.5.2/24

-----------------------------------------

Presently a default route is sending all the LAN traffic to PIX Inside Interface.

0.0.0.0 0.0.0.0 192.168.75.1

Here we want to add another default route on the same router pointing to ASA's Inside network.

0.0.0.0 0.0.0.0 192.168.5.2

-----------------------------------------

Question1- Can we use route-maps to route traffic to both the firewalls based on desination IP address.

Basic question is: Are the two default routes acceptable on a same router with PBR configured for

destination based routing?

-----------------------------------------

Jon Marshall · ‎04-16-2008

Apologies, my fault, missed the bit about the router.

My main question still stands though. How are you going to do PBR based on destination address.

Are there specific Internet addresses you want to route to via one of the links.

If you don't care which link they use then just add the 2 default routes and let the router take care of it. I'm assuming you will NAT to each public IP on the firewalls.

I'm not sure what PBR gives you here if it is just general Internet access. One other thing to ensure if you do just have 2 default-routes make sure that you have per-destination IP load-sharing or that could really confuse your firewalls.

Jon

View solution in original post

Jon Marshall · ‎04-16-2008

Depends on the switch but if it supports it yes you could use PBR for this. Couple of things

1) 2 default-routes on the L3 switch means it will use both paths so without PBR you will have no control over which firewalls the packets go to

2) If you are doing PBR on destination address then that suggests you know which subnets are reachable via each firewall. If that is the case why not just add the specific routes to the L3 switch instead of having 2 default routes.

Jon

csco11049253 · ‎04-16-2008

Thanks, let me make it more clear...

Firstly I am using L2 switch, the LAN subnet hits the gateway(192.168.75.250) on a cisco 2800 series router.

The default routes shall be added to the same router.

Internet services are running via both the firewalls and two Internet links are terminated from different ISPs on the outside interfaces of each Firewall (one MX record is with each ISP).

The scenario demands adding two default routes, in such a situation how best we can use PBR or route-maps? or will it ever work??

Jon Marshall · ‎04-16-2008

Apologies, my fault, missed the bit about the router.

My main question still stands though. How are you going to do PBR based on destination address.

Are there specific Internet addresses you want to route to via one of the links.

If you don't care which link they use then just add the 2 default routes and let the router take care of it. I'm assuming you will NAT to each public IP on the firewalls.

I'm not sure what PBR gives you here if it is just general Internet access. One other thing to ensure if you do just have 2 default-routes make sure that you have per-destination IP load-sharing or that could really confuse your firewalls.

Jon

csco11049253 · ‎04-16-2008

Thanks mate...

I've got what u have explained I think its pretty straight forward.

I think adding a static route towards one FW and a default route toward another one will solve it!!