firewall connected to EMI 3550 switch.
The ip route command on EMI 3550 is:
ip route 0.0.0.0 0.0.0.0 10.10.10.1
where 10.10.10.1 is the inside interface of the firewall and is the gateway of last resort. Now, I connected another cable from the same switch to the DMZ interface of the same firewall. I want a certain IP subnet (for example 220.127.116.11) to use this as its default gateway. Can I just type:
ip route 18.104.22.168 255.255.0.0 22.214.171.124 (where 126.96.36.199 is the IP address of the DMZ interface of the firewall)?
I'm confused in general with the ip route command. If I have other internal networks, like 5 different VLANs with different subnets, can I specify these in the ip route command and tell them what their default gateway will be?
How many ip routes are possible anyway?
The "ip route" command expects the following input (in the most simple sense):
If you want to route based on source address, you would need to implement policy-based routing.
If you wish to change the default gateway for the hosts, I suggest just setting that through DHCP.
I posted this earlier... that's the way to get this to work:
What you need is policy-based routing. Here's my first stab at a potential config:
ip policy route-map INSIDE_PBR
ip policy route-map INSIDE_PBR
ip policy route-map DMZ_PBR
route-map DMZ_PBR permit 10
set ip default next-hop 188.8.131.52
route-map INSIDE_PBR permit 10
set ip default next-hop 184.108.40.206
Explanation: for traffic destined to the Internet and coming in through the interfaces above, the route-map will kick in and force it to go via the specified next-hop. For all non-Internet traffic, the standard destination-based routing will occur. As for the default route on the switch, leave it as whatever it is - it will only affect traffic originating from the switch itself.
Hope that helps - pls rate the post if it does.
Thanks for the above. I tried it out. It seems to work, and the only reason I know is because when I ping from computers in the DMZ they cannot reach the inside interface, and likewise when I ping computers in VLANs 2 and 3, they cannot reach the DMZ interface. HOWEVER,
what really is annoying me like never before is the fact that unless I specify 220.127.116.11, for instance, to be the gateway of last resort, in the sense of ip route 0.0.0.0 0.0.0.0 18.104.22.168, I cannot get the inside VLANs (2 and 3) to actually reach the Internet. This is also a problem because they can reach it through there, BUT the computers on the DMZ cannot reach the Internet!
From what you described, it seems as if PBR is not working. Would you be able to post the relevant bits of your config ?
Another thing is that the default next-hop command is not available with the 12.1 software, it seems, so I couldn't use it, but yes, the PBR did not work... Again, to this day, it seems that the only reason the net will work is because I'll put the gateway of last resort to point to the inside interface of the firewall... I will have to post it tomorrow as I've left work, although, if you could shed some light on this gateway of last resort, I'd appreciate it...
Early morning start... back to work... To basically summarise for you, this is the outcome of show ip route on the switch connected to the firewall:
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 22.214.171.124 to network 0.0.0.0
C 126.96.36.199/24 is directly connected, FastEthernet0/1
C 188.8.131.52/16 is directly connected, Vlan2
10.0.0.0/29 is subnetted, 1 subnets
C 10.30.30.248 is directly connected, Vlan10
C 184.108.40.206/24 is directly connected, FastEthernet0/5
10.0.0.0/24 is subnetted, 1 subnets
C 10.60.46.0 is directly connected, Vlan4
S* 0.0.0.0/0 [1/0] via 220.127.116.11
C 192.168.0.0/16 is directly connected, Vlan3
BUT, I don't think I want this gateway of last resort! The only reason the bloody Internet works for internal networks is because of this!
I applied the pbr_inside to vlans 2 and 3 and pbr_dmz to vlan 4.
Here's the info for above on the switch:
access-list 10 permit 18.104.22.168 0.0.0.255
access-list 20 permit 22.214.171.124 0.0.0.255
route-map pbr_inside permit 10
match ip address 10
set ip next-hop 126.96.36.199
route-map pbr_dmz permit 20
match ip address 20
set ip next-hop 188.8.131.52
So as you can see, 184.108.40.206 is the inside interface of the firewall and 220.127.116.11 is the DMZ interface of the firewall...
Man, I broke my head over these examples... hope you can help out!
Your access-list, I believe, is configured incorrectly. The purpose of the ACL is to determine which source IP to match and apply the PBR rule. It should read something like this.
access-list 10 permit 18.104.22.168 0.0.255.255
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 20 permit 10.60.46.0 0.0.0.255
Oh yes, indeed. I will try this. You mean to say that I need to specify the internal network in the access list and set the inside and DMZ interfaces of the firewall as the next hop. I will try that.
Question: would you recommend i just put in these static routes and follow pbr or would you go ahead with ospf routing protocol instead (or other dynamic routing protocols?)
I think I'm gonna cry! It worked! :) Thanks a mill mate... an obvious error, but I was so frustrated earlier that I didn't notice it...
Tell me, though, what is your suggestion? Would you use this over dynamic routing (with OSPF, RIPv2, etc.)?
What device would the switch exchange routes with? Given your current configuration I don't believe you have a requirement for a dynamic routing protocol. IMHO, static routing with PBR is the optimal solution.
Your PBR next-hop IPs are directly connected routes in the route table. Assuming that your DMZ and internal firewall interfaces are up, dynamically learned or statically configured routes will not influence your policy routes. If one of the interfaces were to go down, the switch would use the route table to make a routing decision. In other words, if the switch's DMZ interface entered a down state, packets sourced from the 10.60.46.0/24 network would no longer use the policy and a decision would be made based on the route table.
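The three points the thread turns on, as one added Python model (not the switch's configuration, not Cisco code, and not posted by anyone in the thread): the wildcard-mask mistake in the first ACL (0.0.0.255 against a /16, corrected to 0.0.255.255 above), the difference between `set ip next-hop` and `set ip default next-hop` explained in the first reply, and the fallback to the route table when the interface holding the PBR next hop goes down, as described in the last reply. The topology is constructed: 10.10.10.1 is the firewall inside interface from the opening post, 10.20.20.1 is a made-up stand-in for the DMZ interface address, the Vlan3 and Vlan4 subnets are taken from the show ip route output, and the pbr_inside/pbr_dmz route-maps mirror the posted config.

```python
"""Added model of how a Cisco switch picks a next hop under PBR: interface policy
-> standard ACL wildcard match -> next-hop reachability, else the route table.
Constructed topology; not the thread's switch configuration or any Cisco code."""
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Cisco ACL semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(entries, addr):
    """Standard ACL: list of (network, wildcard) permit lines, implicit deny at the end."""
    return any(wildcard_match(addr, base, wc) for base, wc in entries)


# Constructed topology. 10.10.10.1 is the firewall inside interface named in the
# thread; 10.20.20.1 is a placeholder for the firewall DMZ interface.
INSIDE_FW = "10.10.10.1"
DMZ_FW = "10.20.20.1"
CONNECTED = {
    "FastEthernet0/1": "10.10.10.0/24",  # link to firewall inside interface
    "FastEthernet0/5": "10.20.20.0/24",  # link to firewall DMZ interface
    "Vlan3": "192.168.0.0/16",           # inside users
    "Vlan4": "10.60.46.0/24",            # DMZ servers
}
DEFAULT_ROUTE = INSIDE_FW  # ip route 0.0.0.0 0.0.0.0 10.10.10.1

# ACL 10 as first posted (wildcard 0.0.0.255 on a /16) versus the corrected one.
ACLS_AS_POSTED = {10: [("192.168.0.0", "0.0.0.255")], 20: [("10.60.46.0", "0.0.0.255")]}
ACLS_CORRECTED = {10: [("192.168.0.0", "0.0.255.255")], 20: [("10.60.46.0", "0.0.0.255")]}
ROUTE_MAPS = {"pbr_inside": (10, INSIDE_FW), "pbr_dmz": (20, DMZ_FW)}  # (match acl, next hop)
INTERFACE_POLICY = {"Vlan3": "pbr_inside", "Vlan4": "pbr_dmz"}          # ip policy route-map


def connected_interface(addr, down=frozenset()):
    """Longest-prefix match over connected routes whose interface is up; None if none."""
    ip = ipaddress.IPv4Address(addr)
    best = None
    for ifname, prefix in CONNECTED.items():
        net = ipaddress.IPv4Network(prefix)
        if ifname in down or ip not in net:
            continue
        if best is None or net.prefixlen > best[1].prefixlen:
            best = (ifname, net)
    return best[0] if best else None


def route_table_lookup(dst, down=frozenset()):
    """Destination-based routing: connected route first, else the gateway of last resort."""
    ifname = connected_interface(dst, down)
    if ifname:
        return ("connected", ifname)
    if connected_interface(DEFAULT_ROUTE, down):
        return ("default", DEFAULT_ROUTE)
    return ("unroutable", None)


def forward(src, dst, ingress, acls, down=frozenset(), mode="next-hop"):
    """Return (decision, next_hop_or_interface) for a packet arriving on `ingress`.
    mode="next-hop" models `set ip next-hop` (every matched packet is policy-routed);
    mode="default-next-hop" models `set ip default next-hop` (only packets whose
    destination has no explicit route are policy-routed, so internal traffic still
    follows the route table). In both modes PBR is skipped when the ACL does not
    match the source or the next hop is not reachable over an up connected interface."""
    policy = INTERFACE_POLICY.get(ingress)
    if policy:
        acl_no, hop = ROUTE_MAPS[policy]
        has_explicit_route = mode == "default-next-hop" and connected_interface(dst, down)
        if acl_permits(acls[acl_no], src) and connected_interface(hop, down) and not has_explicit_route:
            return ("pbr", hop)
    return route_table_lookup(dst, down)


if __name__ == "__main__":
    internet = "203.0.113.9"  # constructed external destination
    print(forward("192.168.5.7", internet, "Vlan3", ACLS_AS_POSTED))   # ACL miss -> default route
    print(forward("192.168.5.7", internet, "Vlan3", ACLS_CORRECTED))   # PBR via inside interface
    print(forward("10.60.46.10", internet, "Vlan4", ACLS_CORRECTED))   # PBR via DMZ interface
    print(forward("10.60.46.10", internet, "Vlan4", ACLS_CORRECTED, down={"FastEthernet0/5"}))
```

With the ACL as first posted, a host such as 192.168.5.7 on the /16 is outside the 0.0.0.255 wildcard, so the policy never fires and the packet only reaches the Internet because the gateway of last resort happens to point at the inside firewall interface, which is exactly the symptom reported above. With the corrected wildcard the inside and DMZ hosts are steered to their own firewall interface, and taking FastEthernet0/5 down makes the DMZ traffic fall back to the route table.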
Thanks for the reply. Sorry I couldn't reply earlier. Yes, what you said makes sense. The policy will take precedence over the routing table, unless an interface goes down. Thanks for everything again. Cheers.