Hi,

Please see below the diagram. Hope it makes sense.

Hi Simon,

Thank you for your reply.

The company users are base on 10.146.0.0/16 range hence will it be possible to route the entire traffic for both these server groups?

Hi,

You asked if you could route tracffic received by each firewall back to their respective firewalls, not for the whole subnet.

My assumptions are you have an SVI shared across both cores running HSRP, hence you will need to do the following on both core's.  Levae the default route alone on both core's also.

Create an acl;

ip access-list extended PBR

permit ip host 10.134.117.19 10.146.0.0 255.255.0.0

permit ip host 10.134.117.20 10.146.0.0 255.255.0.0

permit ip host 10.134.117.21 10.146.0.0 255.255.0.0

Create a route-map

route-map PBR permit 10

match ip address PBR

set ip next-hop x.x.x.x (where x is the inside IP of public firewall)

On the servers SVI;

interface vlan 134

ip policy route-map PBR

That should do it.

Simon

Hi Simon,

I have setup the below access list for the company's network on our core switch 1

ip access-list extended ACL-Servers

permit ip host 192.168.55.114 10.146.0.0 0.0.255.255

permit ip host 192.168.55.12 10.146.0.0 0.0.255.255

permit ip host 192.168.55.129 10.146.0.0 0.0.255.255

permit ip host 192.168.50.209 10.146.0.0 0.0.255.255

permit ip host 192.168.50.170 10.146.0.0 0.0.255.255

permit ip host 192.168.50.175 10.146.0.0 0.0.255.255

permit ip host 192.168.50.178 10.146.0.0 0.0.255.255

permit ip host 192.168.50.179 10.146.0.0 0.0.255.255

permit ip host 192.168.50.181 10.146.0.0 0.0.255.255

permit ip host 192.168.37.254 10.146.0.0 0.0.255.255

route-map RM-Servers permit 10

match ip address ACL-Servers-Barnet

set ip next-hop 172.20.109.1 (IP address of the Company facing firewall)

!

route-map RM-Servers permit 20

CSW1(config)# do sh run int vlan 50

Building configuration...

Current configuration : 236 bytes

!

interface Vlan50

description Servers

ip address 192.168.50.1 255.255.255.0

ip helper-address 192.168.55.114

ip policy route-map RM-Servers

end

CSW1(config)# do sh run int vlan 55

Building configuration...

Current configuration : 199 bytes

!

interface Vlan55

ip address 192.168.55.1 255.255.255.0

ip helper-address 192.168.50.2

ip policy route-map RM-Servers

end

But still am unable to route the traffic for the above servers to 172.20.109.1.

The name of your acl and the acl specified in the route-map do not match.

Simon

Sorry my bad. I have amended it now but still no joy. Do i have to enable local policy for this?

I am getting packets matches but i can't see it hitting our firewall.

CSW1#sh route-map

route-map RM-Servers, permit, sequence 10

  Match clauses:

    ip address (access-lists): ACL-Servers-Barnet

  Set clauses:

    ip next-hop 172.20.109.1

  Policy routing matches: 4109 packets, 427523 bytes

route-map RM-Servers, permit, sequence 20

  Match clauses:

  Set clauses:

  Policy routing matches: 155487 packets, 17976974 bytes

Show ip route 172.20.109.1 ?

Does the firewall have a route back to the 10.146.0. subnet also over the internet ?

Simon

CSW1#sh ip route 172.20.109.1

Routing entry for 172.20.109.0/30

  Known via "static", distance 1, metric 0

  Redistributing via eigrp 200, ospf 1

  Advertised by eigrp 200

                ospf 1 subnets

  Routing Descriptor Blocks:

  * 192.168.50.2

      Route metric is 0, traffic share count is 1

Yes the fiewall has a route outside 0.0.0.0 0.0.0.0 10.146.120.201 1

Sh run | inc ip route

Your firewall IP is in the same subnet as the servers?

Cheers

No the firewall isn't on the same subnet but there is a route from the core switch to this firewall.

Sent from Cisco Technical Support iPad App