internet access a single host on a remote branch using different FW

bbb bbb, Level 1

Dear Cisco Community ,

Hope everyone is well. Reaching out to ask your expertise with regards to this scenario.

Two sites: a main branch and a remote branch. There are two firewalls in the environment: FW01 serves as the default route for all LAN traffic (VPN tunnel to the cloud DC, application access, and internet access), and FW02 serves to publish websites in the DMZ network to external clients, using the public IP address range assigned to the organization.

There is a server in the remote branch that needs to be published for a specific external client. How do I route Server0 in the remote branch to use FW02 as its route to reach the internet?

[attached image bbbbbb_1-1698666688151.png: network diagram of the two sites]

Appreciate your inputs and assistance.

Best regards,

14 Replies

Hi, 

You can use policy-based routing (PBR) on the core switch at the main site, where you match the source (Server0) and destination (any, or 0.0.0.0/0) and route the traffic to FW02.

M02@rt37, VIP

Hello @bbb bbb,

To route Server0 in the remote branch through FW02 for internet access while maintaining its access to the internal network, you can set up PBR on the router that connects the remote branch to the main branch.

This configuration will direct traffic from Server0 matching an ACL to use FW02 as its route to reach the internet while allowing it to continue communicating with the internal network.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

BTW, from the posted information, PBR should only be, and is, needed on the core L3 switch.

Dear @Joseph W. Doherty ,

In this scenario, Multilayer Switch 0 is an L3 switch and also the core switch.

"In this scenario, Multilayer Switch 0 is an L3 switch and also the core switch."

Correct, and?

Dear @Joseph W. Doherty 

...and where the default static route is configured pointing to FW01.

Which PBR will (selectively) override.

Dear M02@rt37,

The default route is configured on the multilayer switch, and I will try to put PBR on the egress interface of Router1. Thank you for your suggestion.

Regards

For PBR to work you need to configure it on the ingress interface of the device that should perform the routing. In this case Switch0.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

You're welcome @bbb bbb 

Apply the route map to the interface through which traffic from Server0 exits the remote branch network.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

"The default route is configured on the multilayer switch, and I will try to put PBR on the egress interface of Router1. Thank you for your suggestion."

You can do that, but it won't help because your core switch is shown as next hop.

Torbjørn, Spotlight

You will need to solve this by implementing policy routing on Switch 0.

Policy routing works by matching incoming traffic with a route-map and setting outbound interface/next-hop for the traffic. Hence you can route traffic based on source IP like you are attempting to do here. It is however not very efficient. You can achieve what you want here with something like this:

! ACL selects the traffic to policy-route: everything sourced from Server0
access-list 101 permit ip host {server 0 ip} any
!
! Route-map: packets matching ACL 101 are forwarded to FW02 instead of the default route
route-map to-fw2 permit 10
 match ip address 101
 set ip next-hop {fw2 address}
!
! Bind the policy on the interface where Server0's packets ENTER the switch
interface {ingress interface}
 ip policy route-map to-fw2

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev
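As an added example (not Torbjørn's or the thread's own configuration), here is the same PBR on Multilayer Switch 0 written out with constructed values and narrowed so that only Server0's internet-bound traffic goes to FW02 while its main-LAN and VPN traffic keeps using the default route via FW01; without this policy, replies to connections that FW02 published would leave via FW01 and FW02's stateful session would break. Assumed values: Server0 is 10.20.0.50, internal address space is 10.0.0.0/8 plus 192.168.0.0/16, FW02's inside address is 192.168.2.1, and Switch0's link to Router1 is GigabitEthernet1/0/24.

```cisco
! Added example, not from the thread: PBR on Multilayer Switch 0 that sends only
! Server0's internet-bound traffic to FW02 and leaves internal traffic on the
! default route via FW01. All addresses and interface names are constructed.
!
! Named ACL. "deny" here means "do not policy-route" (the packet falls through
! to the normal routing table); it does not drop traffic. The deny lines keep
! the main LAN and the VPN-reached cloud DC reachable through FW01 as before.
ip access-list extended SERVER0-INTERNET
 remark Server0 = 10.20.0.50 (remote branch); internal space = 10/8, 192.168/16
 deny   ip host 10.20.0.50 10.0.0.0 0.255.255.255
 deny   ip host 10.20.0.50 192.168.0.0 0.0.255.255
 permit ip host 10.20.0.50 any
!
! Packets that match no permit entry of the route-map are routed normally.
route-map TO-FW02 permit 10
 match ip address SERVER0-INTERNET
 set ip next-hop 192.168.2.1
!
! Apply on the INGRESS interface of Switch0, i.e. the link from Router1, which
! is where Server0's packets enter the switch. On an egress interface the
! policy is never consulted.
interface GigabitEthernet1/0/24
 description Link to Router1 (remote branch)
 ip policy route-map TO-FW02
!
! Platform-dependent alternative: "set ip default next-hop 192.168.2.1" policy-
! routes only packets that would otherwise use the default route, so the two
! deny lines become unnecessary. Check the switch's PBR feature support first.
!
! Return path: FW02 must have a route to 10.20.0.0/24 via Switch0, otherwise
! inbound connections it publishes never reach Server0. Configured on FW02.
!
! Verification on Switch0:
!   show ip policy                        -> TO-FW02 bound to Gi1/0/24
!   show route-map TO-FW02                -> "Policy routing matches" counter
!   show ip access-lists SERVER0-INTERNET -> hit counts on permit vs deny
! On Catalyst platforms that policy-route in hardware these counters may only
! reflect software-switched packets; a test connection from Server0 to an
! external address, checked in FW02's connection table, is the reliable proof.
```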

Dear @Torbjørn,

I will try your suggestion and apply the route-map on the interface of Multilayer Switch 0 connecting to Router1.

Regards,
