Re-route some internet sites via static routes to firewall

netguyz08
Level 1

A Cisco 1900 series router provides DHCP for a LAN and interfaces to the internet. Adding a firewall to one of the ports on the 1900 to route some internet sites through an IPSec tunnel to be resolved on the other end, and want to keep traffic to those sites along that VPN tunnel.

The firewall has a separate WAN connection.

The LAN is 192.168.2.x and considering 192.168.1.x for the interface on the 1900 to the firewall.

Would I redirect these public IPs with static routes to the interface that the firewall is connected on?

Since I never want these sites to go through the WAN on the 1900, are static routes the answer? Saw Policy Based Routing, but don't want to over complicate the setup.

And how can I ensure the traffic goes back from the other end and NAT's correctly to the LAN again?

Looking for examples, thanks.

Accepted Solution

ghostinthenet
Level 7

If you're looking at making the decision based on the destination site, static routes are the way to go. Policy-based routing is what is used when standard routing falls down, e.g. routing based on source rather than destination, etc.

All you should need is:

ip route x.x.x.x m.m.m.m 192.168.1.y

Where x.x.x.x is the remote site's IPv4 network, m.m.m.m is the subnet mask of your route, and y is the last octet of the IPv4 address of your firewall on the 1900/Firewall network.

With a 192.168.1.0/24 network on the interface to the firewall, no NAT configuration should be required on the 1900 as this will be handled by the firewall.

The firewall will also need a static route back to your 192.168.0.0/24 network pointing to the IPv4 address of your 1900's 192.168.1.0/24 interface.


3 Replies


Unfortunately it turns out the 1900 is limited by having only two ports on it. I ended up changing the firewall to 192.168.2.100, no gateway defined, and plugged it into the main switch on the LAN. Then kept the Cisco 1900 as 192.168.2.1.

Haven't been able to get a static route to go over 192.168.2.100 yet, and wondering if I need to define the routes in the firewall to carry the traffic over? Like the public IP range to the firewall at the other side.

Or set the gateway to something for 192.168.2.100...?

The routing on the router should work either way, but the firewall will still need a gateway defined in order to reach the Internet. That may be the root of the problem at this point.

If you're going to route to 192.168.2.100 from the router's LAN interface, make sure "ip redirects" is configured on it to avoid unnecessary forwarding.
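As an added example (not from anyone in this thread), a small Python model of the lookup logic the replies describe: longest-prefix match sends the named site to the firewall while everything else keeps the WAN default, the firewall needs a return route to the LAN, and the later two-port workaround puts the next hop on the LAN subnet itself. 203.0.113.0/24 stands in for the poster's "x.x.x.x m.m.m.m" site, and 192.168.1.1/192.168.1.2 are assumed addresses on the 1900/firewall link.

```python
import ipaddress

# Constructed model of the thread's setup; the prefixes and hops are placeholders.
# The 1900's table: a WAN default plus the static route the accepted answer gives.
ROUTER_TABLE = [
    ("0.0.0.0/0", "wan"),               # everything else leaves via the 1900's own WAN
    ("203.0.113.0/24", "192.168.1.2"),  # protected site -> firewall (the 192.168.1.y hop)
]
# The firewall's table: it must know the LAN is reachable via the 1900 (assumed 192.168.1.1).
FIREWALL_TABLE = [
    ("0.0.0.0/0", "fw-wan"),
    ("192.168.2.0/24", "192.168.1.1"),
]

def lookup(table, dst):
    """Longest-prefix match as a router does it: the most specific route beats the default."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def leaks_to_wan(protected_prefixes, table, wan_hop="wan"):
    """Return the protected prefixes that would still exit the 1900's WAN."""
    leaked = []
    for prefix in protected_prefixes:
        net = ipaddress.ip_network(prefix)
        # Probing the first and last address catches a static route that is narrower
        # than the site block it is meant to cover (part of the block falls to the default).
        for probe in (net[0], net[-1]):
            if lookup(table, str(probe)) == wan_hop:
                leaked.append(prefix)
                break
    return leaked

def return_path_ok(fw_table, lan_prefix, router_hop):
    """Replies must go back to the LAN via the 1900, not out the firewall's own WAN."""
    lan_host = ipaddress.ip_network(lan_prefix)[1]
    return lookup(fw_table, str(lan_host)) == router_hop

def next_hop_on_lan_subnet(next_hop, lan_prefix):
    """True when the next hop shares the LAN subnet (the two-port workaround with
    192.168.2.100): the router then forwards and emits ICMP redirects, hence 'ip redirects'."""
    return ipaddress.ip_address(next_hop) in ipaddress.ip_network(lan_prefix)
```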
