Two Firewalls on 2 Different Location One connected LAN

Wajma_2
Level 1

Hello,

We currently have two ASA 5500s in two different locations, each connected to the Internet. One firewall is the primary gateway for Internet-bound traffic and is configured with OSPF and a static route 0 0 to the border router with metric 1. The LAN in the two locations is interconnected by fiber. The firewall at the secondary location currently does not route traffic and is used as standby in case of failure at the primary location. The secondary firewall also runs OSPF with a static route 0 0 and a metric of 200.

I would like to route one VLAN's traffic through the secondary firewall. This VLAN will be connected on one of the firewall interfaces (please see attached).

I need help configuring this.

Thank you and best regards

Accepted Solution

Traian Bratescu
Level 1

Hi,

Could Policy Based Routing be used?

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/policy_based_routing_pbr.html

You would have to specify an ACL matching the source subnet of that particular VLAN; define a route-map where you match that traffic; set ip next-hop to the IP address towards your secondary AS; and apply the policy on the VLAN interface.

Router(config)# route-map map-tag permit
Router(config-route-map)# match ip address {access-list-number | name}
Router(config-route-map)# set ip next-hop ip-address [... ip-address]
Router(config-route-map)# exit
Router(config)# interface interface-type interface-number
Router(config-if)# ip policy route-map map-tag


Hope this helps,

Traian
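A filled-in version of the skeleton above, as an added example that is not part of the thread or of the linked Cisco guide. It is IOS-style configuration for the L3 switch/SVI that owns the VLAN, with constructed addressing: VLAN 20 = 10.20.0.0/24 is the VLAN to steer, 10.0.0.0/8 summarises the other internal networks, and 10.99.0.2 is the assumed inside address of the secondary ASA. Beyond the answer's four steps it adds an ACL deny so only Internet-bound traffic is policy-routed, and next-hop tracking so the policy is withdrawn if the secondary ASA is unreachable.

```cisco
! Added example, not from the thread. Constructed addressing:
!   VLAN 20 = 10.20.0.0/24 (VLAN to steer), SVI Vlan20 on the core switch
!   Other internal networks summarised as 10.0.0.0/8
!   Secondary ASA inside interface = 10.99.0.2 (assumed)
!
! 1. ACL: deny intra-LAN destinations first, so only Internet-bound
!    flows from VLAN 20 are policy-routed; everything else keeps
!    following the OSPF/default route via the primary ASA.
ip access-list extended VLAN20-TO-SECONDARY
 deny   ip 10.20.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.20.0.0 0.0.0.255 any
!
! 2. Track reachability of the secondary ASA so PBR falls back to the
!    normal routing table if that next hop is down.
ip sla 10
 icmp-echo 10.99.0.2
 frequency 10
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
!
! 3. Route-map: match the ACL, set the next hop only while tracked as up.
route-map PBR-VLAN20 permit 10
 match ip address VLAN20-TO-SECONDARY
 set ip next-hop verify-availability 10.99.0.2 10 track 10
!
! 4. Apply to the VLAN's ingress interface (the SVI). Traffic that does
!    not match the ACL falls through to ordinary routing.
interface Vlan20
 ip policy route-map PBR-VLAN20
!
! Verification (exec mode):
!   show route-map PBR-VLAN20   - policy matches counter should increment
!   show track 10               - state must be Up for the next hop to be used
!   show ip policy              - confirms the route-map is bound to Vlan20
```

Because both ASAs are stateful and NAT their own Internet links, return traffic for VLAN 20 comes back through the secondary ASA, so flows stay symmetric; check the secondary ASA's inside interface ACLs and NAT rules so that subnet is actually permitted there.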


3 Replies


Thank you for the response on this; however, apparently route-map is restricted by license. I do not have the set ip next-hop option. Is there any other way to do this?


Best regards

Sorry for the late reply... I can't think of any elegant solution. If this is a must and you have no other means of doing it (upgrade, replace, etc.), you could try to create a VRF for that specific VLAN and another interface towards your backup site, and within that VRF point the default route...


It's not by far an "elegant" solution but at least it would work....

Traian
