04-16-2004 05:02 AM - edited 03-02-2019 03:02 PM
I have a small IP subnet in a VLAN and for security reasons I need it to only see the other side of the firewall (Internet). What command would I use to route this out? To make it easy it will be static IP and use a host table instead of DHCP and DNS.
04-16-2004 05:15 AM
You could use Policy Based Routing (PBR) to force all traffic coming from that subnet to be forwarded to the FW regardless of what the routing table looks like.
Here's a link to the PBR documentation:
Hope this helps,
04-26-2004 04:23 AM
I don't think I'm doing this correctly.
I made a route map:
route-map Int_gateway permit 10
 set ip next-hop <###.###.###.###> <###.###.###.###> <###.###.###.###> <###.###.###.###>
then pulled it into the VLAN:
interface Vlan505
 description PHARMACY MCKESSON SYSTEM
 ip address #.#.#.65 255.255.255.240
 ip access-group 187 in
 ip access-group 188 out
 no ip redirects
 ip policy route-map Int_gateway
 standby ip #.#.#.67
 standby priority 120
 standby preempt
In the map I listed every next hop until the traffic was out of the firewall, but it seems to ignore the path. What am I doing wrong?
04-26-2004 04:47 AM
I was under the assumption that this router was directly connected to the FW.
Do you mean that the router is not directly connected to the FW and that you specified each and every hop between the router and the FW in the "set ip next-hop"? If so, this is not going to work.
You would basically need to either implement PBR on every router in the path to the FW or use a tunnel between the ingress router and the egress router and then use PBR just on these two devices.
Let me know if that answers your question,
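The tunnel option described in the reply above, written out as an added example (not configuration from either poster): a GRE tunnel carries the VLAN's traffic from the ingress router to the egress router next to the firewall, and each end needs only one PBR next hop. The subnet, loopback and tunnel addresses are placeholders; 10.0.0.64/28 stands in for the masked VLAN prefix.

```cisco
! ===== Ingress router (holds Vlan505) =====
! Only the pharmacy subnet is policy-routed; everything else follows the routing table.
ip access-list extended PHARMACY_TO_FW
 permit ip 10.0.0.64 0.0.0.15 any
!
interface Loopback0
 ip address 198.51.100.1 255.255.255.255
!
interface Tunnel0
 description GRE to egress router in front of the firewall
 ip address 192.0.2.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 198.51.100.2
!
! set ip next-hop lists alternates (first reachable one is used), not a hop-by-hop path,
! so the only next hop needed here is the far end of the tunnel.
route-map Int_gateway permit 10
 match ip address PHARMACY_TO_FW
 set ip next-hop 192.0.2.2
!
interface Vlan505
 ip policy route-map Int_gateway
!
! ===== Egress router (directly connected to the firewall) =====
ip access-list extended PHARMACY_TO_FW
 permit ip 10.0.0.64 0.0.0.15 any
!
interface Loopback0
 ip address 198.51.100.2 255.255.255.255
!
interface Tunnel0
 ip address 192.0.2.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 198.51.100.1
 ip policy route-map To_FW
!
! Traffic arriving over the tunnel is handed to the firewall's inside interface.
route-map To_FW permit 10
 match ip address PHARMACY_TO_FW
 set ip next-hop 203.0.113.1
!
! Return traffic: the egress router must reach 10.0.0.64/28 via the tunnel,
! otherwise replies take the normal path back and bypass the policy.
ip route 10.0.0.64 255.255.255.240 Tunnel0
```

Verify with `show route-map` (the policy-matched counters should increase) and `traceroute` from a host in the VLAN; the intermediate routers never see the inner packets, which is why no PBR is required on them.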