How best to steer particular subnet traffic out new firewall

tmikelson (Level 1)

Question: How best to steer particular 192.168.X.0 /24 subnet traffic out through the new firewall to the Internet?

Internal network uses OSPF to include inside interface of ASA 5585X firewall.
The ASA has a static route 0.0.0.0 /0 pointing to the edge router which is also redistributed into OSPF.
The edge router has a static route 192.168.0.0 /22 pointing to the ASA.
A new firewall has been installed in the network with its inside interface participating in OSPF.

On the edge router a more specific route, 192.168.X.0 /24, can be added that points to the new firewall.
On the new firewall a static route 0.0.0.0 /0 can be added that points to the edge router and NOT redistributed into OSPF.
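The two static routes described in the question, written out as an added example (not the poster's own configuration). The edge router is assumed to run Cisco IOS and the new firewall is assumed to use ASA-style syntax; 192.168.2.0/24 stands in for 192.168.X.0/24, and all next-hop addresses, interface names and the OSPF process number are placeholders.

```cisco
! ===== Edge router (Cisco IOS, assumed) =====
! Existing aggregate towards the ASA 5585-X outside interface (placeholder next hop).
ip route 192.168.0.0 255.255.252.0 198.51.100.10
! New, more specific /24 towards the new firewall's outside interface (placeholder next hop).
! Longest match wins, so only this /24 is returned via the new firewall.
ip route 192.168.2.0 255.255.255.0 198.51.100.2
!
! Check which next hop the edge router now uses for a host in the steered subnet.
! show ip route 192.168.2.10

! ===== New firewall (ASA-style syntax, assumed) =====
! Default route towards the edge router (placeholder next hop), metric 1.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! Inside interface takes part in OSPF so the firewall learns the internal prefixes,
! but the static default is deliberately NOT redistributed: there is no
! "redistribute static" and no "default-information originate" under this process.
router ospf 1
 network 10.10.10.0 255.255.255.252 area 0
!
! Check that the default is present locally and that 192.168.2.0/24 is learned via OSPF.
! show route
```

With only these routes in place, hosts in 192.168.2.0/24 still follow the OSPF default learned from the ASA for their outbound traffic, while replies from the Internet come back through the new firewall because of the more specific /24 on the edge router. A stateful firewall drops return packets for a flow it never saw the SYN for (on an ASA this shows up in `show asp drop` as `tcp-not-syn`), so the outbound leg has to be steered through the new firewall as well; the PBR and VRF suggestions in the replies are two ways to do that.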

3 Replies

Mark Malone (VIP Alumni)

Hey, just a thought: maybe PBR will work here, as you can match against an ACL for that subnet and then set the next-hop IP as the new firewall IP, so it gets redirected out through that device.

http://www.cisco.com/c/en/us/support/docs/ip/ip-routed-protocols/47121-pbr-cmds-ce.html

yes PBR!

Please remember to rate useful posts, by clicking on the stars below.
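A PBR configuration of the kind suggested above, as an added example that is not part of the original reply. It is assumed to be applied on the Cisco IOS Layer 3 switch or router that is the default gateway for the subnet; 192.168.2.0/24 stands in for 192.168.X.0/24, and the ACL and route-map names, VLAN numbers, 10.0.0.0/8 as "other internal space" and the firewall inside address 10.10.10.2 are placeholders.

```cisco
! Traffic from the steered subnet that should NOT be policy-routed is denied here
! (a deny in a PBR ACL means "fall through to normal routing", not "drop"):
! the rest of the local /22 and the other internal ranges stay on their OSPF paths.
ip access-list extended PBR-NEWFW
 deny   ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.3.255
 deny   ip 192.168.2.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 192.168.2.0 0.0.0.255 any
!
! Track reachability of the new firewall's inside interface so the policy is
! bypassed (normal routing resumes) if the firewall is down, instead of blackholing.
ip sla 1
 icmp-echo 10.10.10.2 source-interface Vlan10
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
route-map STEER-TO-NEWFW permit 10
 match ip address PBR-NEWFW
 set ip next-hop verify-availability 10.10.10.2 10 track 1
!
! Apply the policy inbound on the gateway interface of the steered subnet.
interface Vlan2
 description Gateway for 192.168.2.0/24 (placeholder)
 ip address 192.168.2.1 255.255.255.0
 ip policy route-map STEER-TO-NEWFW
!
! Verification: policy match counters and tracked next-hop state.
! show route-map STEER-TO-NEWFW
! show track 1
```

The return path needs no PBR: the edge router's more specific /24 route delivers replies to the new firewall, and the firewall's inside interface already learns 192.168.2.0/24 via OSPF, so both directions of every Internet flow cross the same stateful device. The two `deny` entries matter for the same reason in reverse: without them, internal-to-internal traffic from the subnet would be pushed through the firewall while its replies take the plain OSPF path.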

Hello,

You can also create a VRF on your switch and put the 192.168.x.0/24 interface and the internal interface of your new firewall in that VRF. Then you just need to configure a default route in that VRF toward the new firewall's internal interface. In this way, you can isolate the network traffic of 192.168.X.0/24 on your switch.

Masoud
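A VRF-lite configuration for the approach described in this reply, as an added example that is not part of the original post. It assumes a Cisco IOS Layer 3 switch using the `vrf definition` syntax; 192.168.2.0/24 stands in for 192.168.X.0/24, and the VRF name, VLAN numbers, link addresses and OSPF process number are placeholders.

```cisco
! The VRF gives the steered subnet its own routing table, so its default route
! can point at the new firewall without touching the global OSPF default.
vrf definition STEERED
 address-family ipv4
 exit-address-family
!
! Gateway interface of the steered subnet, moved into the VRF.
! Note: "vrf forwarding" removes the interface's IP address; re-enter it afterwards.
interface Vlan2
 description Gateway for 192.168.2.0/24 (placeholder)
 vrf forwarding STEERED
 ip address 192.168.2.1 255.255.255.0
!
! Point-to-point link to the new firewall's inside interface, also in the VRF.
interface Vlan20
 description Link to new firewall inside (placeholder)
 vrf forwarding STEERED
 ip address 10.10.10.1 255.255.255.252
!
! Default route inside the VRF only: everything from the subnet leaves via the new firewall.
ip route vrf STEERED 0.0.0.0 0.0.0.0 10.10.10.2
!
! Because the firewall's inside interface now peers with the switch inside the VRF,
! run an OSPF process per VRF so the firewall still learns the 192.168.2.0/24 prefix
! it needs for the return path.
router ospf 2 vrf STEERED
 network 10.10.10.0 0.0.0.3 area 0
 network 192.168.2.0 0.0.0.255 area 0
!
! Verification: VRF routing table and reachability of the firewall from within the VRF.
! show ip route vrf STEERED
! ping vrf STEERED 10.10.10.2
```

The isolation is the point: with its gateway in the VRF, 192.168.2.0/24 has no path to the rest of the internal network except through the new firewall, so any internal-to-internal traffic you still want must be explicitly allowed and routed on that firewall rather than falling into its default route to the edge router. Older IOS releases use `ip vrf STEERED` and `ip vrf forwarding STEERED` instead of the `vrf definition` form shown here.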
