08-06-2002 01:27 PM - edited 03-02-2019 12:28 AM
I have 7 subnets using a 2600 as a core frame router. Everything works great, however, there are several users that need dedicated access to the web. We currently use a PIX515 firewall to protect our network.
In the 2600 we have NO default route specified because all users must use a proxy server that we use to restrict internet access. Is there a way to add a default route on the 2600 to our PIX, and then specify access-lists to say this workstation at this address is allowed to use the default route, otherwise, it drops the packet as undeliverable?
Thanx,
dennis
08-06-2002 05:35 PM
You could probably get the functionality you want by using policy routing to set the next hop only for particular addresses. Other addresses, which do not match, would revert to using the normal routing tables, which would have no default route, so would be dropped.
See the following URL for an example of policy routing -
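The reply above describes the mechanism in one sentence; the following is an added Python model of how IOS evaluates `ip policy route-map`, written for this page and not code from the thread or from Cisco. It models three facts about PBR: the policy is evaluated only for packets arriving inbound on the interface where `ip policy` is applied; `set ip next-hop` always overrides the routing table; and `set ip default next-hop` / `set default interface` are consulted only when the routing table has no specific (non-default) route. It goes slightly beyond the reply by also showing the `set ip default next-hop` form. All addresses, interface names and routes are constructed (loosely patterned on the addresses in the thread) and the model simplifies IOS: ACLs match on source only and next-hop reachability is not checked.

```python
"""Toy model of Cisco IOS policy-based routing (PBR) as described in the thread.
Constructed example: not the poster's router, and a simplification of IOS."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

NULL0 = "Null0"


@dataclass
class Clause:
    """One 'route-map <name> permit <seq>' entry.
    An empty acl list models a clause with no 'match' line, which matches everything."""
    acl: list = field(default_factory=list)       # source networks permitted by the matched ACL
    next_hop: Optional[str] = None                # set ip next-hop        (always overrides the table)
    default_next_hop: Optional[str] = None        # set ip default next-hop (only if no specific route)
    default_interface: Optional[str] = None       # set default interface  (only if no specific route)

    def matches(self, src):
        return not self.acl or any(src in net for net in self.acl)


@dataclass
class Router:
    routes: dict                                  # prefix -> next hop or exit interface
    policies: dict = field(default_factory=dict)  # ingress interface -> [Clause, ...]

    def lookup(self, dst):
        """Longest-prefix match; returns (network, via) or None."""
        best = None
        for prefix, via in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        return best

    def forward(self, src, dst, ingress):
        """Return (reason, via) for a packet src->dst arriving on interface `ingress`."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        route = self.lookup(dst)
        # A "specific" route is anything other than the default 0.0.0.0/0.
        specific = route if route and route[0].prefixlen > 0 else None
        # PBR runs only for packets that arrive on an interface carrying 'ip policy'.
        for clause in self.policies.get(ingress, []):
            if not clause.matches(src):
                continue
            if clause.next_hop:
                return ("policy next-hop", clause.next_hop)
            if specific:                           # 'default' forms defer to a specific route
                return ("routing table", specific[1])
            if clause.default_next_hop:
                return ("policy default next-hop", clause.default_next_hop)
            if clause.default_interface:
                return ("policy default interface", clause.default_interface)
            break                                  # matched but set nothing: normal routing
        if route:
            return ("routing table", route[1])
        return ("no route", "drop")                # no default route configured -> undeliverable


def build_router(policy_interface, use_default_next_hop=False):
    """Constructed topology: LAN on Fa0/0, remote subnets over frame relay, NO default route.
    The allowed host (hypothetical 192.168.2.108) is assumed to sit on a remote subnet."""
    routes = {
        "192.168.1.0/24": "FastEthernet0/0",
        "192.168.2.0/24": "Serial0/0.1",
        "192.168.3.0/24": "Serial0/0.2",
    }
    allowed = [ipaddress.ip_network("192.168.2.108/32")]
    firewall = "192.168.1.201"                     # hypothetical PIX inside address
    if use_default_next_hop:
        seq10 = Clause(acl=allowed, default_next_hop=firewall)
    else:
        seq10 = Clause(acl=allowed, next_hop=firewall)
    seq20 = Clause(default_interface=NULL0)        # everyone else: drop if no specific route
    return Router(routes, {policy_interface: [seq10, seq20]})


if __name__ == "__main__":
    internet = "198.51.100.7"                      # documentation address, stands in for "the web"
    on_lan = build_router("FastEthernet0/0")
    on_wan = build_router("Serial0/0.1")
    print(on_lan.forward("192.168.2.108", internet, "Serial0/0.1"))   # policy not on ingress -> drop
    print(on_wan.forward("192.168.2.108", internet, "Serial0/0.1"))   # -> PIX
    print(on_wan.forward("192.168.2.50", internet, "Serial0/0.1"))    # -> Null0
    print(on_wan.forward("192.168.2.108", "192.168.3.5", "Serial0/0.1"))  # site-to-site also -> PIX!
    print(build_router("Serial0/0.1", True).forward("192.168.2.108", "192.168.3.5", "Serial0/0.1"))
```

Two points the model makes visible: a policy applied to one interface does nothing for packets that enter on another, and `set ip next-hop` sends even site-to-site traffic from the permitted host to the firewall, whereas `set ip default next-hop` lets existing routes win and only diverts traffic that would otherwise be undeliverable.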
08-07-2002 05:58 AM
I followed these instructions along with some others that were in the forums, however, I still can't get this to work correctly. Below is a snippet of my 2600 config.
Dennis
interface FastEthernet0/0
ip address 192.168.1.200 255.255.255.0
ip policy route-map set-default
no keepalive
duplex auto
speed auto
!
interface Serial0/0
bandwidth 1540000
no ip address
encapsulation frame-relay
service-module t1 remote-alarm-enable
frame-relay lmi-type cisco
!
interface Serial0/0.1 point-to-point
bandwidth 512000
ip unnumbered FastEthernet0/0
frame-relay interface-dlci 105
!
interface Serial0/0.2 point-to-point
bandwidth 512000
ip unnumbered FastEthernet0/0
frame-relay interface-dlci 110
!
interface Serial0/0.3 point-to-point
bandwidth 512000
ip unnumbered FastEthernet0/0
frame-relay interface-dlci 115
!
interface Serial0/0.4 point-to-point
bandwidth 512000
ip unnumbered FastEthernet0/0
frame-relay interface-dlci 120
!
interface Serial0/0.5 point-to-point
bandwidth 512000
ip unnumbered FastEthernet0/0
frame-relay interface-dlci 125
!
router rip
version 2
network 192.168.1.0
!
access-list 101 permit ip host 192.168.2.108 any
priority-list 1 protocol ip high tcp telnet
route-map set-default permit 10
match ip address 101
set ip next-hop 192.168.1.201
!
route-map set-default permit 20
set default interface Null0
!
08-07-2002 06:20 AM
Hi...
Just a thought, if you are using a PIX515, you could enter the following:
access-list inside permit tcp host [YOUR USER IP ADDRESS] any eq www
access-group inside in interface inside
And create an ACL on the 2600 for the specific users who are going to browse www all the time and point this to the PIX515.
HTH
Jay
08-08-2002 06:36 AM
I have been trying to use the policies on the 2600 to match access-list 101 (having my laptop IP address). I want to leave the PIX alone, because there are several workstations and servers on the main network that go directly to the PIX and have other routes added for the other sites. This works best for them. Any other suggestions? What am I doing wrong with my config?
Dennis