tmikelson
Beginner

How best to steer particular subnet traffic out new firewall

Question: How best to steer particular 192.168.X.0 /24 subnet traffic out through the new firewall to the Internet?

Internal network uses OSPF to include inside interface of ASA 5585X firewall.
The ASA has a static route 0.0.0.0 /0 pointing to the edge router which is also redistributed into OSPF.
The edge router has a static route 192.168.0.0 /22 pointing to the ASA.
A new firewall has been installed in the network with its inside interface participating in OSPF.

On the edge router a more specific route, 192.168.X.0 /24, can be added that points to the new firewall.
On the new firewall a static route 0.0.0.0 /0 can be added that points to the edge router and NOT redistributed into OSPF.
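The two static routes proposed above, written out in Cisco CLI as an added example (not configuration from this thread; the new firewall is assumed to be an ASA so ASA syntax is used, X is taken as 3, and every address is a constructed placeholder). One caveat is worth stating: these routes only change the return path. The internal routers learn their only default route from the existing ASA through OSPF, so outbound packets from 192.168.X.0/24 still leave through the ASA while replies come back through the new firewall, and a stateful firewall drops reply packets for flows it never saw. Steering the outbound direction as well (PBR or a VRF, as the replies suggest) is what makes the path symmetric.

```cisco
! Edge router (IOS syntax). Existing aggregate toward the ASA, as described:
ip route 192.168.0.0 255.255.252.0 198.51.100.3
! Added, more specific entry: longest-prefix match wins, so return traffic for
! the /24 (192.168.3.0/24 stands in for 192.168.X.0/24) is handed to the new
! firewall (outside address 198.51.100.2, constructed).
ip route 192.168.3.0 255.255.255.0 198.51.100.2

! New firewall (assumed ASA). Static default toward the edge router; nothing
! under "router ospf" redistributes it, so the internal OSPF domain keeps
! learning 0.0.0.0/0 only from the existing ASA.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1

! Checks
! Edge router: an address inside the /24 must resolve to the /24, not the /22.
show ip route 192.168.3.10
! New firewall: trace a synthetic reply packet arriving from the Internet.
! Because the outbound SYN went out through the old ASA, the new firewall has
! no flow for it and the trace ends in a drop, which is the asymmetry described
! above (NAT is ignored here).
packet-tracer input outside tcp 203.0.113.5 443 192.168.3.10 40000
```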

3 REPLIES
Mark Malone
VIP Mentor

Hey, just a thought: maybe PBR will work here, as you can match against an ACL for that subnet and then set the next-hop IP as the new firewall IP so it gets redirected out through that device.

http://www.cisco.com/c/en/us/support/docs/ip/ip-routed-protocols/47121-pbr-cmds-ce.html

yes PBR!

Please remember to rate useful posts, by clicking on the stars below.
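One way to write the PBR suggestion above, as an added example (not from the thread or the linked document; IOS syntax, X taken as 3, and VLAN 3, the 10.10.10.0/30 link to the new firewall and all addresses are constructed). It also covers two points a practitioner would want: internal destinations are excluded from the policy so intra-company traffic keeps normal OSPF routing, and the next hop is tracked so a failed firewall does not turn into a black hole. PBR only steers the outbound direction; the more-specific route on the edge router from the original post is still needed for the return path.

```cisco
! Internal L3 switch that is the gateway for 192.168.3.0/24 (stands in for
! 192.168.X.0/24). The new firewall's inside interface is 10.10.10.2.

! Exempt internal destinations first; only what remains (Internet-bound)
! is policy-routed. Extend the deny entries with any other internal ranges.
ip access-list extended PBR-NEWFW
 deny   ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.3.255
 permit ip 192.168.3.0 0.0.0.255 any

! Track the firewall's inside address. If it stops answering, the route-map
! entry is withdrawn and the packets fall back to the routing table (the ASA
! path) instead of being sent to a dead next hop.
ip sla 1
 icmp-echo 10.10.10.2 source-interface Vlan3
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability

route-map STEER-NEWFW permit 10
 match ip address PBR-NEWFW
 set ip next-hop verify-availability 10.10.10.2 10 track 1
! Packets not matched by sequence 10 are routed normally; no deny clause needed.

interface Vlan3
 description Gateway for 192.168.3.0/24
 ip address 192.168.3.1 255.255.255.0
 ip policy route-map STEER-NEWFW

! On the edge router (not the switch): return traffic still follows the
! routing table, so the more-specific route from the original post is required.
! ip route 192.168.3.0 255.255.255.0 198.51.100.2

! Checks (on the switch)
! "Policy routing matches" should increase as hosts reach the Internet.
show route-map STEER-NEWFW
! Confirms the policy is attached to Vlan3.
show ip policy
! Confirms the firewall is reachable, i.e. the set clause is active.
show track 1
```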

Hello,

You can also create a VRF on your switch and put the 192.168.X.0/24 interface and the internal interface of your new firewall in that VRF. Then you just need to configure a default route in that VRF toward the new firewall's internal interface. This way, you can isolate the network traffic of 192.168.X.0/24 on your switch.

Masoud
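The VRF-lite variant described above, as an added example (not from the thread; IOS syntax, X taken as 3, VRF name, interface names and the 10.10.10.0/30 link are constructed). Two consequences to keep in mind: the VRF has its own routing table, so hosts in 192.168.X.0/24 can no longer reach the rest of 192.168.0.0/22 or anything in the global OSPF domain unless you deliberately leak routes or send that traffic through the firewall, which is exactly the isolation being proposed; and the new firewall's inside interface now sits in the VRF, so any OSPF adjacency with it would have to run in a VRF-aware OSPF process (this example uses a static default instead). The edge router still needs the more-specific /24 route toward the new firewall for the return path.

```cisco
! Internal L3 switch, IOS VRF-lite syntax (no MPLS). 192.168.3.0/24 stands in
! for 192.168.X.0/24; the new firewall's inside interface is 10.10.10.2.
ip vrf NEWFW-INET
 rd 65000:1

! Move the subnet's gateway SVI into the VRF. Applying "ip vrf forwarding"
! clears the interface's IP address, so re-enter it afterwards.
interface Vlan3
 description Gateway for 192.168.3.0/24 (isolated VRF)
 ip vrf forwarding NEWFW-INET
 ip address 192.168.3.1 255.255.255.0

! The routed port toward the new firewall's inside interface lives in the same VRF.
interface GigabitEthernet1/0/1
 description Link to new firewall inside (10.10.10.2)
 no switchport
 ip vrf forwarding NEWFW-INET
 ip address 10.10.10.1 255.255.255.252

! The VRF's only exit is the new firewall; no route exists to the global table.
ip route vrf NEWFW-INET 0.0.0.0 0.0.0.0 10.10.10.2

! Checks
! Both interfaces should be listed under the VRF.
show ip vrf interfaces NEWFW-INET
! Only the two connected subnets and the static default should appear.
show ip route vrf NEWFW-INET
! Sourced from the VRF, so it exercises the firewall path rather than the ASA.
ping vrf NEWFW-INET 203.0.113.5 source 192.168.3.1
```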