10-30-2023 05:06 AM
Dear Cisco Community ,
Hope everyone is well. Reaching out to ask your expertise with regards to this scenario.
Two sites: Main branch and Remote branch. Two firewalls in the environment: FW01 serves as the default route for all LAN traffic (VPN tunnel to the cloud DC, application access, and internet access). FW02 serves to publish websites in the DMZ network to external clients, using the public IP address range assigned to the organization.
There is a server in the remote branch that needs to be published to a specific external client. How can Server0 in the remote branch be routed to use FW02 as its route to reach the internet?
Appreciate your inputs and assistance.
Best regards,
10-30-2023 05:23 AM
Hi,
You can use policy-based routing (PBR) on the core switch at the main site, where you match the source (Server0) and destination (any, or 0.0.0.0/0) and route the traffic to FW02.
10-30-2023 05:35 AM
Ditto.
10-30-2023 05:23 AM - edited 10-30-2023 05:38 AM
Hello @bbb bbb,
To route Server0 in the remote branch through FW02 for internet access while maintaining its access to the internal network, you can set up PBR on the router that connects the remote branch to the main branch.
This configuration will direct traffic from Server0 matching an ACL to use FW02 as its route to reach the internet while allowing it to continue communicating with the internal network.
10-30-2023 05:40 AM
BTW, from the posted information, PBR should only be, and is, needed on core L3 switch.
10-30-2023 06:21 AM
Dear @Joseph W. Doherty ,
In this scenario, Multilayer Switch 0 is an L3 switch and also the core switch.
10-30-2023 07:07 AM
"In this scenario, Multilayer Switch 0 is an L3 switch and also the core switch."
Correct, and?
10-30-2023 10:10 PM
Dear @Joseph W. Doherty
...and where the default static route is configured pointing to FW01.
10-31-2023 03:31 AM
Which PBR will (selectively) override.
10-30-2023 06:08 AM
Dear M02@rt37,
The default route is configured in the Multilayer switch, and I will try to put PBR on the egress interface of Router1. Thank you for your suggestion.
Regards
10-30-2023 06:13 AM - edited 10-30-2023 06:14 AM
For PBR to work you need to configure it on the ingress interface of the device that should perform the routing. In this case Switch0.
10-30-2023 06:44 AM
You're welcome @bbb bbb
Apply the route map to the interface through which traffic from Server0 exits the remote branch network.
10-30-2023 07:12 AM
"The default route is configured in the Multilayer switch, and I will try to put PBR on the egress interface of Router1. Thank you for your suggestion."
You can do that, but it won't help because your core switch is shown as next hop.
10-30-2023 05:32 AM - edited 10-30-2023 05:46 AM
You will need to solve this by implementing policy routing on Switch 0.
Policy routing works by matching incoming traffic with a route-map and setting outbound interface/next-hop for the traffic. Hence you can route traffic based on source IP like you are attempting to do here. It is however not very efficient. You can achieve what you want here with something like this:
access-list 101 permit ip host {server 0 ip} any
!
route-map to-fw2 permit 10
 match ip address 101
 set ip next-hop {fw2 address}
!
interface {ingress interface}
 ip policy route-map to-fw2
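A fuller version of the Switch0 policy, as an added example and not the config posted above: it first denies Server0's traffic to the internal prefixes so that traffic keeps following the routing table (default via FW01), applies the policy on the Switch0 interface facing Router1 (the ingress side), and lists the verification commands. Server0's address, FW02's address, the internal prefix and the interface name are placeholders.

```cisco
! Added example; addresses and interface names are placeholders.
! Assumed: Server0 = <server0-ip>, FW02 inside address = <fw02-ip>,
! internal networks = <site-net> <wildcard>, Switch0 link to Router1 = <gi-x/y>.
ip access-list extended SERVER0-TO-FW02
 ! Internal destinations do not match the route-map, so they are routed
 ! normally; Server0 keeps reaching the main branch, cloud DC and applications.
 deny   ip host <server0-ip> <site-net> <wildcard>
 ! Everything else sourced by Server0 is policy-routed to FW02.
 permit ip host <server0-ip> any
!
route-map TO-FW02 permit 10
 match ip address SERVER0-TO-FW02
 ! FW02's address on the subnet it shares with Switch0.
 set ip next-hop <fw02-ip>
!
! PBR is evaluated on packets entering an interface. Traffic from the
! remote branch enters Switch0 on the link from Router1, so bind it there.
interface <gi-x/y>
 description Link to Router1 (remote branch)
 ip policy route-map TO-FW02
!
! Verification (show commands):
!   show route-map TO-FW02   - policy hit counters per route-map entry
!   show ip policy           - interfaces the route-map is applied to
!
! FW02 also needs a route back to the remote-branch subnet (via Switch0) and
! the publishing/NAT rule for Server0; without them, return traffic is dropped.
```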
10-30-2023 06:15 AM
Dear @Torbjørn ,
Will try your suggestion to apply route-map on the interface on Multilayer switch 0 connecting to Router1.
Regards,