02-16-2016 08:29 AM - edited 03-08-2019 04:36 AM
Question: How best to steer particular 192.168.X.0 /24 subnet traffic out through the new firewall to the Internet?
The internal network uses OSPF, which includes the inside interface of the ASA 5585-X firewall.
The ASA has a static route 0.0.0.0 /0 pointing to the edge router which is also redistributed into OSPF.
The edge router has a static route 192.168.0.0 /22 pointing to the ASA.
A new firewall has been installed in the network with its inside interface participating in OSPF.
On the edge router a more specific route, 192.168.X.0 /24, can be added that points to the new firewall.
On the new firewall a static route 0.0.0.0 /0 can be added that points to the edge router and NOT redistributed into OSPF.
02-16-2016 09:14 AM
Hey, just a thought: maybe PBR will work here, as you can match against an ACL for that subnet and then set the next-hop IP as the new firewall's IP so it gets redirected out through that device.
http://www.cisco.com/c/en/us/support/docs/ip/ip-routed-protocols/47121-pbr-cmds-ce.html
02-16-2016 02:00 PM
yes PBR!
02-16-2016 04:26 PM
Hello,
You can also create a VRF on your switch and put the 192.168.x.0/24 interface and the internal interface of your new firewall in that VRF. Then you just need to configure a default route in that VRF toward the new firewall's internal interface. In this way, you can isolate the network traffic of 192.168.X.0/24 on your switch.
Masoud
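To make the forwarding behaviour behind the three proposals concrete, here is a small simulator (an added example, not code from any of the posters): it does longest-prefix matching over the core switch's and edge router's tables as the original question describes them, applies a PBR policy the way the first reply suggests, and models the VRF from the last reply as a separate table. It shows why the edge-router /24 on its own gives the new firewall only the return half of each flow (the outbound half still follows the one redistributed default to the ASA), which a stateful firewall would drop for lack of state, and how PBR or the VRF brings both halves through the same device. All addresses, device names and the choice of X = 5 are constructed for illustration.

```python
"""Forwarding simulator for the thread's topology (constructed example).

Devices: core switch (OSPF, holds the global table), ASA 5585-X (inside
interface in OSPF, redistributes its default), new firewall (inside
interface in OSPF, default NOT redistributed), edge router.
"""
from ipaddress import ip_address, ip_network

# Constructed next-hop labels standing in for the devices in the thread.
ASA, NEW_FW, ISP = "ASA-inside", "NewFW-inside", "ISP"


def lookup(rib, dst):
    """Longest-prefix match over a RIB given as (network, next_hop) pairs."""
    dst = ip_address(dst)
    matches = [(net, nh) for net, nh in rib if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def forward(rib, src, dst, pbr=None):
    """Policy routing is consulted before the routing table: if the source
    matches the policy's ACL the configured next hop wins, otherwise the
    normal longest-prefix lookup decides (like 'ip policy route-map' on the
    ingress interface)."""
    if pbr:
        acl_net, next_hop = pbr
        if ip_address(src) in acl_net:
            return next_hop
    return lookup(rib, dst)


# Core switch global table: the 192.168.0.0/22 block is directly connected and
# the only default it learns via OSPF is the ASA's redistributed 0.0.0.0/0.
CORE_RIB = [
    (ip_network("192.168.0.0/22"), "connected"),
    (ip_network("0.0.0.0/0"), ASA),
]

# Edge router: the existing /22 toward the ASA plus the proposed more-specific
# /24 toward the new firewall (X taken as 5 here).
EDGE_RIB = [
    (ip_network("192.168.0.0/22"), ASA),
    (ip_network("192.168.5.0/24"), NEW_FW),
    (ip_network("0.0.0.0/0"), ISP),
]

# PBR as in the first reply: ACL matching the /24 as source, next hop = new FW.
PBR_TO_NEW_FW = (ip_network("192.168.5.0/24"), NEW_FW)

# VRF as in the last reply: the /24 SVI and the new firewall's inside interface
# live in their own table whose only exit is a default to the new firewall.
VRF_RIB = [
    (ip_network("192.168.5.0/24"), "connected"),
    (ip_network("0.0.0.0/0"), NEW_FW),
]


def flow_path(host, internet_host, use_pbr=False):
    """Return (firewall on the outbound path, firewall on the return path)."""
    outbound = forward(CORE_RIB, host, internet_host,
                       PBR_TO_NEW_FW if use_pbr else None)
    inbound = forward(EDGE_RIB, internet_host, host)
    return outbound, inbound


def is_symmetric(host, internet_host, use_pbr=False):
    """True when both halves of the flow cross the same firewall."""
    outbound, inbound = flow_path(host, internet_host, use_pbr)
    return outbound == inbound


if __name__ == "__main__":
    host, internet_host = "192.168.5.10", "203.0.113.10"   # constructed
    print("edge /24 only :", flow_path(host, internet_host))
    print("with PBR      :", flow_path(host, internet_host, use_pbr=True))
    print("other /24     :", flow_path("192.168.1.10", internet_host))
    print("VRF exit      :", lookup(VRF_RIB, internet_host))
```

Running it prints the asymmetric pair for the /24 when only the edge route is added, the symmetric pair once PBR is applied on the core switch, and an unchanged ASA path for the rest of the /22, which is the reason the PBR or VRF step has to accompany the edge-router route rather than replace it.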