10-26-2008 06:03 AM - edited 03-04-2019 12:04 AM
We have OSPF configured in our network - the complete network is in OSPF Area 0. Within Area 0 there are eight class C subnets, with 4 (class C subnets) each dedicated to two different companies which are part of the same group of EST.
The scenario demands 2 ASA firewalls connected to different ISPs - I have configured the ASA firewall subnets to be part of OSPF area 0 and have injected default routes from each firewall into the OSPF domain with the "default information originate always" command.
1. Now there are two default routes advertised within the same OSPF domain.
2. I have to configure the first 4 class C subnets to take the route of ASA Firewall 1 to access the Internet, and the remaining 4 class C subnets shall take the other default route to access the Internet.
192.168.0.0/22 area 0
192.168.4.0/22 area 0
192.168.5.0/24 area 0
0.0.0.0 0.0.0.0 192.168.5.50
0.0.0.0 0.0.0.0 192.168.5.100
*192.168.5.50 is the inside interface of firewall 1 & 192.168.5.100 is the inside interface of firewall 2.
Task
-----
source 192.168.0.0/22 shall take 0.0.0.0 0.0.0.0 192.168.5.50 &
Source 192.168.4.0/22 shall take 0.0.0.0 0.0.0.0 192.168.5.100
I would appreciate any suggestion on how to configure PBR in such a scenario.
Thanks & Regards,
10-26-2008 11:30 AM
If you have an L3 switch or router behind the ASAs you can make it simple, probably something like this. I'm sure there may be other suggestions by others, and knowing what routing product you have behind the ASAs would also help.
In the router or L3 switch behind the firewalls, do the policy routing there.
route-map outbound_fw_1 permit 10
description outbound_traffic Via ISP_1
match ip address 1
set ip default next-hop 192.168.5.50
route-map outbound_fw_2 permit 20
description outbound_traffic Via ISP_2
match ip address 2
set ip default next-hop 192.168.5.100
interface vlan (XXX)
ip address 192.168.0.X 255.255.252.0
ip policy route-map outbound_fw_1
interface vlan (YYY)
ip address 192.168.4.Y 255.255.252.0
ip policy route-map outbound_fw_2
This ACL will cause source nets 0, 1, 2 and 3 to go via fw1:
access-list 1 permit 192.168.0.0 0.0.3.255 log
and this ACL will cause source nets 4, 5, 6 and 7 to go via fw2:
access-list 2 permit 192.168.4.0 0.0.3.255 log
in asa fw_1
global (outside) 1 interface
global (outside) 2
nat (inside) 2 192.168.0.0 255.255.252.0
nat (inside) 1 0 0
in asa fw_2
global (outside) 1 interface
global (outside) 2
nat (inside) 2 192.168.4.0 255.255.252.0
nat (inside) 1 0 0
HTH
Jorge
10-27-2008 10:24 AM
Hi Jorge,
Thanks for your valuable feedback.
I have one more complexity in our network, which is...
The subnets specified earlier for PBR are sourced from Dist switches, for example:
192.168.0.0/22 area 0 ->Dist1->core1
192.168.3.0/22 area 0 ->Dist2->core1
The connectivity between dist & core is L3 with full redundancy, and finally the subnet 192.168.50.0/24 is an SVI configured on the core which connects both firewalls with the IPs I specified earlier.
Now the issue is that the subnets marked for PBR are learnt by OSPF on the core; the same subnets will have to be policy-based routed.
Here I am not sure on which interface I should apply the route-map policy.
I have four /30 subnets providing connectivity between Dist & Core.
Your advice is highly appreciated.
Thanks a lot,
Syed
10-27-2008 08:05 PM
Syed,
Can you provide a diagram… If I understand correctly, what is behind ASA1 and ASA2 is the Core1 router, and the Dist1 and Dist2 switches have the
192.168.0.0/22 and 192.168.4.0/22 SVIs, presumably doing HSRP? If so, the PBR should be applied on the SVIs in each of the dist1 and dist2 switches; you do not need to apply PBR on the L3 links nor in the core because the target subnets are in the distribution switches.
PBR simply dictates a next-hop router or a default route to be taken for a particular SVI or for hosts from that SVI.
You could test as follows without affecting the whole subnet. Take a PC from 192.168.0.0/22 and give it an IP address of 192.168.0.50/22, for example; this way you can test PBR with only one host as opposed to the whole subnet. Do the PBR example I gave in my previous post, but for access list 1 do as follows.
dist1 example
route-map outbound_fw_1 permit 10
description outbound_traffic Via ISP_1
match ip address 1
set ip default next-hop 192.168.5.50
interface vlan (XXX)
ip address 192.168.0.XZ 255.255.252.0
ip policy route-map outbound_fw_1
access-list 1 permit 192.168.0.50 log
dist2 example
route-map outbound_fw_1 permit 10
description outbound_traffic Via ISP_1
match ip address 1
set ip default next-hop 192.168.5.50
interface vlan (XXX)
ip address 192.168.0.XY 255.255.252.0
ip policy route-map outbound_fw_1
access-list 1 permit 192.168.0.50 log
Then do a tracert from the PC to note the path taken, which should go via 192.168.5.50, the inside interface of FW1, provided you allow outbound traceroute through the firewalls; also make sure ASA1 NATs the 192.168.0.0/22 network.
Rgds
Jorge
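As an added illustration (not configuration from the thread), here is a small Python model of what the route-maps in Jorge's two posts do on the distribution SVIs: a standard ACL with a wildcard mask selects the source block, and "set ip default next-hop" only takes effect when the routing table holds nothing more specific than the default route for the destination, so OSPF-learnt internal subnets keep routing normally. The RIB contents and the 10.0.0.2 next hop are constructed assumptions; the ACLs, route-map names and firewall inside addresses are the ones given in the thread.

```python
import ipaddress

# Standard ACLs as (address, wildcard) pairs, e.g. "access-list 1 permit 192.168.0.0 0.0.3.255".
ACLS = {
    1: [("192.168.0.0", "0.0.3.255")],
    2: [("192.168.4.0", "0.0.3.255")],
}

# Route-maps: ordered list of (acl_number, default_next_hop) per map, as in the thread.
ROUTE_MAPS = {
    "outbound_fw_1": [(1, "192.168.5.50")],
    "outbound_fw_2": [(2, "192.168.5.100")],
}

# Constructed RIB as a dist switch might learn it from OSPF (hypothetical next hops).
RIB = {
    "192.168.0.0/22": "connected",
    "192.168.4.0/22": "10.0.0.2",   # hypothetical /30 link towards core/dist2
    "192.168.5.0/24": "10.0.0.2",
    "0.0.0.0/0": "10.0.0.2",        # OSPF default injected by the firewalls
}

def acl_permits(acl_num, src):
    """Cisco wildcard-mask match: bits set in the wildcard are 'don't care'."""
    s = int(ipaddress.IPv4Address(src))
    for addr, wild in ACLS[acl_num]:
        a = int(ipaddress.IPv4Address(addr))
        w = int(ipaddress.IPv4Address(wild))
        if (s & ~w & 0xFFFFFFFF) == (a & ~w & 0xFFFFFFFF):
            return True
    return False

def rib_lookup(dst):
    """Longest-prefix match over the RIB; returns (prefix, next_hop)."""
    d = ipaddress.IPv4Address(dst)
    cands = [ipaddress.IPv4Network(p) for p in RIB if d in ipaddress.IPv4Network(p)]
    best = max(cands, key=lambda n: n.prefixlen)
    return str(best), RIB[str(best)]

def forward(route_map, src, dst):
    """Next hop for a packet entering an SVI configured with 'ip policy route-map <route_map>'.
    'set ip default next-hop' is honoured only when the RIB has no route more specific
    than the default route for dst; otherwise normal destination-based routing wins."""
    prefix, nh = rib_lookup(dst)
    if prefix != "0.0.0.0/0":
        return nh                    # explicit route (e.g. OSPF-learnt internal subnet)
    for acl_num, default_nh in ROUTE_MAPS[route_map]:
        if acl_permits(acl_num, src):
            return default_nh        # policy-routed towards the chosen firewall
    return nh                        # no ACL match: fall back to the routing table
```

Sources inside the 192.168.0.0/22 block bound for the Internet are steered to FW1, 192.168.4.0/22 sources to FW2, while traffic between the two blocks still follows the OSPF route.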