Restricting default route traffic to several machines on WAN

dmburgess
Level 1

I have 7 subnets using a 2600 as a core frame router. Everything works great; however, there are several users that need dedicated access to the web. We currently use a PIX515 firewall to protect our network.

In the 2600 we have NO default route specified because all users must use a proxy server that we use to restrict internet access. Is there a way to add a default route on the 2600 to our PIX, and then specify access-lists to say this workstation at this address is allowed to use the default route, otherwise it drops the packet as undeliverable?

Thanx,

dennis

4 Replies

rsissons
Level 5

You could probably get the functionality you want by using policy routing to set the next hop only for particular addresses. Other addresses, which do not match, would revert to using the normal routing tables, which would have no default route, so would be dropped.

See the following URL for an example of policy routing:

http://www.cisco.com/warp/public/105/36.html

I followed these instructions along with some others that were in the forums; however, I still can't get this to work correctly. Below is a snippet of my 2600 config.

Dennis

interface FastEthernet0/0
 ip address 192.168.1.200 255.255.255.0
 ip policy route-map set-default
 no keepalive
 duplex auto
 speed auto
!
interface Serial0/0
 bandwidth 1540000
 no ip address
 encapsulation frame-relay
 service-module t1 remote-alarm-enable
 frame-relay lmi-type cisco
!
interface Serial0/0.1 point-to-point
 bandwidth 512000
 ip unnumbered FastEthernet0/0
 frame-relay interface-dlci 105
!
interface Serial0/0.2 point-to-point
 bandwidth 512000
 ip unnumbered FastEthernet0/0
 frame-relay interface-dlci 110
!
interface Serial0/0.3 point-to-point
 bandwidth 512000
 ip unnumbered FastEthernet0/0
 frame-relay interface-dlci 115
!
interface Serial0/0.4 point-to-point
 bandwidth 512000
 ip unnumbered FastEthernet0/0
 frame-relay interface-dlci 120
!
interface Serial0/0.5 point-to-point
 bandwidth 512000
 ip unnumbered FastEthernet0/0
 frame-relay interface-dlci 125
!
router rip
 version 2
 network 192.168.1.0
!
access-list 101 permit ip host 192.168.2.108 any
priority-list 1 protocol ip high tcp telnet
route-map set-default permit 10
 match ip address 101
 set ip next-hop 192.168.1.201
!
route-map set-default permit 20
 set default interface Null0
!
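Added example, not part of the thread or of Cisco's software: a small Python model of the 2600's forwarding decision under the config above, illustrating rsissons' point that sources not matched by the route-map fall through to a routing table with no default route and are dropped. It assumes a constructed routing table in which 192.168.2.0/24 (the subnet holding 192.168.2.108) is reached over Serial0/0.1, and it also models that `ip policy` is evaluated only for packets received on the interface it is applied to.

```python
import ipaddress

# Constructed model of the 2600's forwarding decision, not IOS code.
# ACL 101, route-map set-default and the interface policy mirror the
# config posted above; the table is what RIP leaves: no 0.0.0.0/0 entry.
ROUTES = {"192.168.1.0/24": "FastEthernet0/0",   # connected
          "192.168.2.0/24": "Serial0/0.1"}       # assumed remote site
ACL_101 = [("permit", "192.168.2.108/32", "0.0.0.0/0")]  # permit ip host ... any
ROUTE_MAP = [(10, ACL_101, ("next-hop", "192.168.1.201")),
             (20, None, ("default-interface", "Null0"))]
POLICY_ON = {"FastEthernet0/0"}  # where "ip policy route-map set-default" is applied

def table_lookup(dst):
    """Longest-prefix match; None means no route, as there is no default route."""
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None

def acl_permits(acl, src, dst):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, s, d in acl:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(s)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(d)):
            return action == "permit"
    return False

def forward(ingress, src, dst, policy_on=POLICY_ON):
    """Forwarding decision for one packet received on interface `ingress`."""
    # PBR is consulted only for packets received on an interface carrying ip policy.
    if ingress in policy_on:
        for seq, acl, (kind, target) in ROUTE_MAP:
            if acl is not None and not acl_permits(acl, src, dst):
                continue
            if kind == "next-hop":
                return f"pbr seq {seq}: next-hop {target}"
            # "set default interface" is used only when the table has no route.
            iface = table_lookup(dst)
            return f"route {iface}" if iface else f"pbr seq {seq}: {target} (dropped)"
    iface = table_lookup(dst)
    return f"route {iface}" if iface else "no route (dropped)"

if __name__ == "__main__":
    for ingress, src in [("FastEthernet0/0", "192.168.1.50"),
                         ("Serial0/0.1", "192.168.2.108")]:
        print(ingress, src, "->", forward(ingress, src, "203.0.113.10"))
    print("with policy on Serial0/0.1 ->",
          forward("Serial0/0.1", "192.168.2.108", "203.0.113.10",
                  policy_on={"FastEthernet0/0", "Serial0/0.1"}))
```

Under the assumed topology the laptop's packets enter over a serial subinterface, so they never reach the route-map on FastEthernet0/0 and are dropped by the empty default route; the last call shows the decision once the policy is also present on that ingress interface.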

Hi...

Just a thought: if you are using a PIX515, you could enter the following:

access-list inside permit tcp host [YOUR USER IP ADDRESS] any eq www

access-group inside in interface inside

And create an ACL on the 2600 for the specific users who are going to browse www all the time and point this to the PIX515.

HTH

Jay

I have been trying to use the policies on the 2600 to match access-list 101 (having my laptop IP address). I want to leave the PIX alone, because there are several workstations and servers on the main network that go directly to the PIX and have other routes added for the other sites. This works best for them. Any other suggestions? What am I doing wrong with my config?

Dennis
