
New Member

Force IP to jump out gateway.

I have a small IP subnet in a VLAN and for security reasons I need it to only see the other side of the firewall (Internet). What command would I use to route this out? To make it easy it will be static IP and use a host table instead of DHCP and DNS.

3 REPLIES
Cisco Employee

Re: Force IP to jump out gateway.

You could use Policy Based Routing (PBR) to force all traffic coming from that subnet to be forwarded to the FW regardless of what the routing table looks like.

Here's a link to the PBR documentation:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcprt2/1cfindep.htm#wp1001398

Hope this helps,

Harold Ritter
Sr. Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México 
Paseo de la Reforma 222 Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
New Member

Re: Force IP to jump out gateway.

I don't think I'm doing this correctly.

I made a route map:

route-map Int_gateway permit 10
 set ip next-hop <###.###.###.###> <###.###.###.###> <###.###.###.###> <###.###.###.###>

then pulled it into the VLAN:

interface Vlan505
 description PHARMACY MCKESSON SYSTEM
 ip address #.#.#.65 255.255.255.240
 ip access-group 187 in
 ip access-group 188 out
 no ip redirects
 ip policy route-map Int_gateway
 standby ip #.#.#.67
 standby priority 120
 standby preempt

In the map I listed every next hop until the traffic was out of the firewall, but it seems to ignore the path. What am I doing wrong?

Cisco Employee

Re: Force IP to jump out gateway.

I was under the assumption that this router was directly connected to the FW.

Do you mean that the router is not directly connected to the FW and that you specified each and every hop between the router and the FW in the "set ip next-hop"? If so, this is not going to work.

You would basically need to either implement PBR on every router in the path to the FW or use a tunnel between the ingress router and the egress router and then use PBR just on these two devices.

Let me know if that answers your question,

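Putting the two suggestions above into a concrete configuration, as an added example that is not from the thread: the restricted subnet is matched with an ACL rather than policy routing every packet, the next hop is the directly connected firewall (or, when the firewall is several hops away, the far end of a tunnel to the router beside it), and a Null0 fallback keeps the subnet from falling back onto normal routing if the next hop goes down. The subnet 192.0.2.64/28, the firewall address 192.0.2.1, Tunnel0, Loopback0 and the remote router 198.51.100.2 are all placeholders.

```cisco
! Added example, not from the thread. Placeholders: subnet 192.0.2.64/28 on
! Vlan505, firewall inside address 192.0.2.1 on a directly connected link.
!
! 1. Match only the restricted subnet. Without a "match" clause the route map
!    policy-routes every packet entering the interface.
ip access-list extended PHARMACY_TO_FW
 permit ip 192.0.2.64 0.0.0.15 any
!
! 2. Force the next hop. Entries in "set ip next-hop" are alternatives for the
!    FIRST hop, tried in order; they are not a path. If none is reachable the
!    packet would fall back to the routing table, so "set interface Null0"
!    is added as the last resort: fail closed rather than leak internally.
route-map Int_gateway permit 10
 match ip address PHARMACY_TO_FW
 set ip next-hop 192.0.2.1
 set interface Null0
!
! 3. Apply inbound on the subnet's SVI; PBR acts on transit traffic arriving
!    on this interface.
interface Vlan505
 ip policy route-map Int_gateway
!
! 4. When the firewall is several hops away (the poster's situation), tunnel
!    from this router to the router adjacent to the firewall and point the
!    next hop at the far end of the tunnel. The far-end router then needs its
!    own PBR clause sending traffic arriving on its tunnel to the firewall.
interface Tunnel0
 ip address 10.255.255.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 198.51.100.2
!
route-map Int_gateway_via_tunnel permit 10
 match ip address PHARMACY_TO_FW
 set ip next-hop 10.255.255.2
 set interface Null0
!
! 5. Verify the policy is hit: the match counters under "show route-map"
!    should rise as hosts in the subnet send traffic.
! show route-map Int_gateway
! show ip policy
```

Only one of the two route maps is applied to Vlan505 at a time; the tunnel variant replaces the direct one when the firewall is not adjacent.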